CVE-2024-42845
📋 TL;DR
This CVE describes an eval injection vulnerability in InVesalius's DICOM file reader that allows attackers to execute arbitrary code by loading a malicious DICOM file. Users of InVesalius 3.1.99991 through 3.1.99998 who process untrusted DICOM files are affected. The vulnerability stems from improper input validation in the dicom.py component.
💻 Affected Systems
- InVesalius
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with remote code execution, potentially leading to data theft, ransomware deployment, or lateral movement within networks.
Likely Case
Local privilege escalation or arbitrary code execution when processing malicious DICOM files from untrusted sources.
If Mitigated
Limited impact if only trusted DICOM files are processed and proper file validation is implemented.
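The advisory names the bug class (eval injection in a DICOM reader) but does not show the affected code. As an added illustration that is not InVesalius's dicom.py and not quoted from the project, the block below contrasts a hypothetical eval()-based conversion of file-supplied header strings with a hardened parser that accepts only numbers and bracketed numeric lists. The sample header values are constructed for this example, not taken from any real DICOM file.

```python
import re

# Constructed sample header values, as strings read out of a file (not from a real
# DICOM file and not InVesalius's own data). The last one is a valid Python
# expression but not a numeric DICOM value.
SAMPLE_VALUES = {
    "SliceThickness": "2.5",
    "PixelSpacing": "[0.488, 0.488]",
    "ImagePositionPatient": "[-125.0, -125.0, 57.5]",
    "Comment": "2 ** 10",
}

# Grammar for the values the application actually needs: a float, or a
# bracketed, comma-separated list of floats. Nothing else is accepted.
_NUMBER = r"[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?"
_NUMBER_RE = re.compile(_NUMBER)
_LIST_RE = re.compile(r"\[\s*(?:" + _NUMBER + r"(?:\s*,\s*" + _NUMBER + r")*)?\s*\]")


def parse_value_unsafe(raw):
    """Hypothetical pattern (not InVesalius's code): turning a file-supplied string into
    a Python value with eval(). Any expression the file contains is executed."""
    return eval(raw)


def parse_value_safe(raw):
    """Hardened replacement: whitelist the accepted shapes and convert with float()."""
    text = raw.strip()
    if _NUMBER_RE.fullmatch(text):
        return float(text)
    if _LIST_RE.fullmatch(text):
        inner = text[1:-1].strip()
        return [float(x) for x in inner.split(",")] if inner else []
    raise ValueError("rejected non-numeric header value: %r" % raw)


def validate_header(values):
    """Run every header value through the safe parser.

    Returns (accepted, rejected): accepted maps name -> parsed value, rejected maps
    name -> reason. A reader can refuse the whole file when rejected is non-empty.
    """
    accepted, rejected = {}, {}
    for name, raw in values.items():
        try:
            accepted[name] = parse_value_safe(raw)
        except ValueError as exc:
            rejected[name] = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    # The unsafe path evaluates the expression (here a harmless one) instead of rejecting it.
    print("unsafe:", parse_value_unsafe(SAMPLE_VALUES["Comment"]))
    ok, bad = validate_header(SAMPLE_VALUES)
    print("accepted:", ok)
    print("rejected:", bad)
```

The design point is that the safe parser never hands file content to the interpreter: it matches the input against the small grammar the application needs and converts with float(), so a value that is not a number or a list of numbers is an error rather than code.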
🎯 Exploit Status
Exploitation requires user interaction to load a malicious DICOM file. Proof-of-concept code is available in the referenced GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.99999 or later
Vendor Advisory: https://github.com/invesalius/invesalius3/releases
Restart Required: No
Instructions:
1. Download the latest version from GitHub releases.
2. Install the updated version.
3. Verify the installation by checking the version number.
🔧 Temporary Workarounds
Restrict DICOM file sources
Only process DICOM files from trusted sources and avoid loading files from unknown origins.
Use file integrity monitoring
Monitor for unexpected modifications to InVesalius files or suspicious process creation.
🧯 If You Can't Patch
- Discontinue use of InVesalius for processing DICOM files from untrusted sources
- Implement application whitelisting to prevent execution of unauthorized code
🔍 How to Verify
Check if Vulnerable:
Check InVesalius version number in the application or via the About dialog. Versions 3.1.99991 through 3.1.99998 are vulnerable.
Check Version:
Check the About section in the InVesalius GUI or examine the application metadata.
Verify Fix Applied:
Verify the version is 3.1.99999 or later after updating.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process creation from InVesalius
- Failed DICOM file loading attempts
- Error messages related to eval execution
Network Indicators:
- Unusual outbound connections from InVesalius process
SIEM Query:
Process creation where parent process contains 'invesalius' AND command line contains suspicious patterns like 'eval', 'exec', or 'system'
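The log indicators and the SIEM query above, implemented as runnable detection logic (an added example, not part of the advisory). It reads constructed key=value process-creation events, flags children of an InVesalius process that are not on an expected-children list, and separately flags command lines matching the eval/exec/system patterns the query names. The event format, field names and the expected-children set are assumptions for this example.

```python
import re

# Constructed process-creation events in a simple key=value format (not real telemetry).
SAMPLE_EVENTS = """\
ts=2024-08-01T10:02:11Z host=ws01 parent_image=C:\\InVesalius\\invesalius.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"
ts=2024-08-01T10:02:12Z host=ws01 parent_image=C:\\InVesalius\\invesalius.exe image=C:\\Python311\\python.exe cmdline="python -c exec(open('x').read())"
ts=2024-08-01T10:03:00Z host=ws01 parent_image=C:\\Windows\\explorer.exe image=C:\\InVesalius\\invesalius.exe cmdline="invesalius.exe"
ts=2024-08-01T10:04:00Z host=ws02 parent_image=C:\\InVesalius\\invesalius.exe image=C:\\InVesalius\\invesalius.exe cmdline="invesalius.exe --no-gui"
"""

# Patterns from the advisory's SIEM query, matched as whole words.
SUSPICIOUS_CMDLINE = re.compile(r"\b(eval|exec|system)\b", re.IGNORECASE)

# Children the application is expected to spawn (assumption for this example; tune per
# deployment). python.exe is listed because the application is itself Python-based.
EXPECTED_CHILDREN = {"invesalius.exe", "python.exe"}

# key=value tokens; values may be double-quoted to allow spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def basename(path):
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Return the list of alert reasons for one event (empty when nothing fires)."""
    parent = basename(event.get("parent_image", ""))
    if "invesalius" not in parent:
        return []
    reasons = []
    child = basename(event.get("image", ""))
    if child not in EXPECTED_CHILDREN:
        reasons.append("unexpected child process %s" % child)
    if SUSPICIOUS_CMDLINE.search(event.get("cmdline", "")):
        reasons.append("suspicious command line pattern")
    return reasons


def scan(log_text):
    """Run the rules over every non-empty line; return (ts, host, reasons) per alert."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = evaluate(event)
        if reasons:
            alerts.append((event.get("ts"), event.get("host"), reasons))
    return alerts


if __name__ == "__main__":
    for ts, host, reasons in scan(SAMPLE_EVENTS):
        print(ts, host, "; ".join(reasons))
```

Of the four sample events, the first fires on the unexpected-child rule and the second on the command-line rule; the third has a non-InVesalius parent and the fourth is the application respawning itself, so neither alerts. The word-boundary match keeps plain mentions of the product name or ordinary flags from triggering, but the pattern list is only as good as the advisory's indicators, so the unexpected-child rule is the more robust of the two.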