CISA alerts to vulnerabilities in some OFFIS DCMTK, Hillrom medical devices

In the last week, the Cybersecurity and Infrastructure and Security Agency issued alerts for high-risk vulnerabilities found in certain OFFIS DCMTK and Hillrom Welch Allyn medical devices.

The latest alert warns public health and healthcare sector entities of three vulnerabilities in all versions prior to 3.6.7 of DCMTK, the libraries and software that process DICOM image files. In general, the 30-year-old DICOM standard is notoriously vulnerable and easily exploitable when left exposed to the internet.

The OFFIS DCMTK is a software able to examine, construct, and convert DICOM image files, as well as handle offline media, and send and receive images over a network connection.

The alert shows the DCMTK has two path traversal flaws ranked 7.5 in severity. A successful exploit of either could allow a threat actor to write DICOM files into arbitrary directories under controlled names and could spur remote code execution. 

The third flaw, ranked 6.5 in severity is caused by a NULL pointer deference vulnerability, which occurs when processing DICOM files. An exploit could cause a denial-of-service condition.

All three flaws are exploitable from an adjacent network with low attack complexity. Fortunately, there have been known public exploits specifically targeting these vulnerabilities. The bugs were reported to CISA by Noam Moshe, a vulnerability researcher at Claroty.

Healthcare entities are being urged to update the impacted DCMTK products to the latest version, while CISA recommends users ensure network exposure is minimized and not directly accessible to the internet.

Hillrom Welch Allyn vulnerabilities

Last week, CISA issued an alert for two vulnerabilities found in certain versions of Hillrom’s Welch Allyn resting electrocardiograph devices. Ranked 7.7 in severity, the first vulnerability is caused by the devices’ failure to restrict or incorrectly restricting access to a resource from an unauthorized actor.

The second flaw, ranked 6.4, is caused by the use of hard-coded, unchangeable passwords for its inbound authentication or outbound communication to external components.

A successful exploit of these flaws could enable an actor to compromise software security to execute commands, obtain privileges, read sensitive information, and evade detection, among other nefarious activities.

Hillrom has already released software updates for all of the impacted devices, which address these security flaws. All healthcare entities have been urged to upgrade to the latest product versions, available on the vendor’s website.

It’s recommended that entities employ workarounds to help reduce the risk posed by vulnerable devices, including applying effective network and physical security controls, verifying the ELI Link and Cardiograph employ unique encryption keys, and using a firewall to block communication on Port 21 FTP service, Port 22 SSH, and Port 23 Telnet service.