CVE-2024-29734
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code by exploiting an uncontrolled DLL search path in SonicDICOM Media Viewer. Attackers can place malicious DLLs in locations the application searches, leading to code execution with the application's privileges. Users of SonicDICOM Media Viewer version 2.3.2 and earlier are affected.
💻 Affected Systems
- SonicDICOM Media Viewer
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with the privileges of the user running SonicDICOM Media Viewer, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation or arbitrary code execution on the affected system, allowing attackers to steal sensitive medical data or install malware.
If Mitigated
Limited impact if the application runs with minimal privileges and in an isolated environment, though DLL hijacking could still occur.
🎯 Exploit Status
Exploitation requires local access to place malicious DLLs in search paths, but the technique is well-documented and relatively simple.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.3 or later
Vendor Advisory: https://jvn.jp/en/jp/JVN40367518/
Restart Required: Yes
Instructions:
1. Download the latest version from the official vendor website.
2. Uninstall the vulnerable version.
3. Install the patched version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict DLL search path
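Windows: Use Windows policies or application settings to restrict DLL search paths to trusted directories only. SafeDllSearchMode is enabled by default on current Windows versions and only moves the current working directory later in the search order; the application's own directory is still searched first.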
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name 'SafeDllSearchMode' -Value 1
Run with minimal privileges
Windows: Configure the application to run with limited user privileges to reduce impact if exploited.
🧯 If You Can't Patch
- Remove or restrict write permissions to directories in the DLL search path (e.g., current working directory, system directories).
- Isolate the application in a sandboxed or virtualized environment to contain potential exploitation.
🔍 How to Verify
Check if Vulnerable:
Check the application version in Help > About or via the executable properties. If the version is 2.3.2 or earlier, it is vulnerable.
Check Version:
wmic product where name='SonicDICOM Media Viewer' get version
Verify Fix Applied:
Verify the installed version is 2.3.3 or later and test that DLLs are only loaded from secure locations.
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loads from non-standard paths in Windows Event Logs (Event ID 7 in Sysmon).
- Application crashes or unusual behavior logs.
Network Indicators:
- Unusual outbound connections from the SonicDICOM process post-exploitation.
SIEM Query:
source="windows" EventID=7 Image="*SonicDICOM*" AND (ImageLoaded="*\Temp\*" OR ImageLoaded="*\Downloads\*")
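The SIEM query above only matches Temp and Downloads. The following added example (not part of the original page or the vendor's tooling) applies a broader triage rule to Sysmon Event ID 7 records: it flags any load by the viewer process that resolves outside the system and application directories, or that lacks a valid signature. The trusted directory list, the substring match on the process path and the sample paths are assumptions and constructed placeholders.

```python
import ntpath

# Assumption: directories writable only by administrators on a default install.
TRUSTED_ROOTS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")
PROCESS_MARKER = "sonicdicom"  # same substring match as the SIEM query's Image filter

def _norm(path):
    # normpath collapses ".." segments; normcase lowercases and unifies separators
    return ntpath.normcase(ntpath.normpath(path))

def suspicious_loads(events):
    """Return [(ImageLoaded, [reasons])] for Sysmon Event ID 7 records to triage."""
    findings = []
    for ev in events:
        image, loaded_raw = ev.get("Image", ""), ev.get("ImageLoaded", "")
        if ev.get("EventID") != 7 or not loaded_raw or PROCESS_MARKER not in image.lower():
            continue
        loaded = _norm(loaded_raw)
        if any(loaded.startswith(_norm(r) + "\\") for r in TRUSTED_ROOTS):
            continue
        reasons = []
        # Outside both the system directories and the executable's own directory:
        # the loader resolved the name through the working directory or PATH.
        if ntpath.dirname(loaded) != ntpath.dirname(_norm(image)):
            reasons.append("outside system and application directories")
        if str(ev.get("Signed", "")).lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalid signature")
        if reasons:
            findings.append((loaded_raw, reasons))
    return findings

# Constructed sample events; paths are placeholders, not the product's real layout.
EXE = r"C:\EXAMPLE\SonicDICOM\viewer.exe"

def _ev(loaded, signed):
    return {"EventID": 7, "Image": EXE, "ImageLoaded": loaded, "Signed": signed,
            "SignatureStatus": "Valid" if signed == "true" else "Unavailable"}

SAMPLE = [
    _ev(r"C:\WINDOWS\system32\version.dll", "true"),         # system copy: ignored
    _ev(r"C:\EXAMPLE\SonicDICOM\codec.dll", "true"),         # signed, app directory: ignored
    _ev(r"C:\EXAMPLE\SonicDICOM\version.dll", "false"),      # unsigned copy beside the exe
    _ev(r"C:\Users\EXAMPLE\Downloads\uxtheme.dll", "true"),  # resolved via working directory
]
```

Calling `suspicious_loads(SAMPLE)` returns the last two records with their reasons; tune `TRUSTED_ROOTS` to the directories that are not user-writable in your environment.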