CVE-2024-23621
📋 TL;DR
A critical buffer overflow vulnerability in the IBM Merge Healthcare eFilm Workstation license server allows remote, unauthenticated attackers to execute arbitrary code on affected systems. It affects healthcare organizations that use this medical imaging software for DICOM viewing; no authentication is required to exploit it over the network.
💻 Affected Systems
- IBM Merge Healthcare eFilm Workstation License Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the license server, potentially pivoting to other hospital systems, stealing patient data, or disrupting medical imaging operations.
Likely Case
Remote code execution leading to ransomware deployment, data exfiltration of medical records, or installation of persistent backdoors for future attacks.
If Mitigated
Limited impact if the server is isolated in a segmented network with strict firewall rules, though the buffer overflow could still cause service disruption.
🎯 Exploit Status
Detailed technical analysis and proof-of-concept available from Exodus Intelligence. Remote exploitation without authentication makes this highly attractive to attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with IBM for specific patched version
Vendor Advisory: https://www.ibm.com/support/pages/node/
Restart Required: Yes
Instructions:
1. Contact IBM support for patch availability
2. Apply the official patch from IBM
3. Restart the license server service
4. Verify the patch is applied correctly
🔧 Temporary Workarounds
Network Segmentation
Isolate the license server from untrusted networks using firewall rules
Windows Firewall: New-NetFirewallRule -DisplayName "Block eFilm License Port" -Direction Inbound -Protocol TCP -LocalPort [PORT_NUMBER] -Action Block
Service Disablement
Temporarily disable the license server if it is not critically needed
sc stop "eFilm License Server"
sc config "eFilm License Server" start= disabled
🧯 If You Can't Patch
- Immediately isolate the server from all networks except absolutely required medical imaging systems
- Implement strict network monitoring and intrusion detection for the server segment
🔍 How to Verify
Check if Vulnerable:
Check whether the eFilm Workstation license server is running on your Windows systems and compare its version against IBM's patched release
Check Version:
Check the application version in Control Panel > Programs and Features or via the software's About dialog
Verify Fix Applied:
Confirm the patch installation through IBM's verification process and test license server functionality
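As an added example (not code from IBM or this advisory), the following PowerShell script audits whether the two temporary workarounds are in place and reads the installed version for the comparison described under How to Verify. It assumes the service and firewall rule names used in the workaround commands above, a placeholder port parameter you must fill in, and that the product's Programs and Features entry contains "eFilm".

```powershell
# Added example (not IBM's or the advisory's own code): audit the workaround and
# version-check state on a Windows host. Run in an elevated PowerShell session.
param(
    [int]$LicensePort = 0   # PLACEHOLDER: set to the TCP port your license server listens on
)
$findings = @()

# 1. Service disablement: the workaround expects the service Stopped and set to Disabled.
$svc = Get-Service -DisplayName "eFilm License Server" -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += "Service 'eFilm License Server' not found on this host."
} else {
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartMode
    $findings += "Service status: $($svc.Status); start mode: $startMode"
    if ($svc.Status -ne 'Stopped' -or $startMode -ne 'Disabled') {
        $findings += "WARNING: license server is still runnable; service disablement is not in place."
    }
}

# 2. Network segmentation: the inbound block rule must exist, be enabled, and cover the port.
$rule = Get-NetFirewallRule -DisplayName "Block eFilm License Port" -ErrorAction SilentlyContinue
if ($null -eq $rule) {
    $findings += "WARNING: firewall rule 'Block eFilm License Port' is missing."
} else {
    $port = ($rule | Get-NetFirewallPortFilter).LocalPort
    $findings += "Firewall rule enabled: $($rule.Enabled); action: $($rule.Action); local port: $port"
    if ("$($rule.Enabled)" -ne 'True' -or "$($rule.Action)" -ne 'Block') {
        $findings += "WARNING: firewall rule exists but is not an enabled Block rule."
    }
    if ($LicensePort -gt 0 -and "$port" -ne "$LicensePort") {
        $findings += "WARNING: rule covers port '$port', expected $LicensePort."
    }
}

# 3. Version check: read the Programs and Features entries so the installed version can be
#    compared with IBM's patched release. Matching on '*eFilm*' is an assumption about the
#    product's display name.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*eFilm*' }
if (-not $apps) {
    $findings += "No installed product with 'eFilm' in its name was found in Programs and Features."
}
foreach ($app in $apps) {
    $findings += "Installed: $($app.DisplayName) version $($app.DisplayVersion) (compare with IBM's patched release)"
}

$findings | ForEach-Object { Write-Output $_ }
```

Any WARNING line means one of the workarounds is not fully applied on that host; the version lines are meant to be compared manually against the patched release IBM supplies.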
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from license server executable
- Buffer overflow error messages in application logs
- Failed license validation attempts
Network Indicators:
- Unexpected network connections from license server port
- Malformed packets to license server port
SIEM Query:
source="efilm_license.log" AND ("buffer overflow" OR "access violation" OR "exception")