In the world of medical imaging, the precision and safety of data can quite literally mean the difference between life and death. At the forefront of this field is the Merge DICOM Toolkit, a software library developed by Merge by Merative.
What makes the Merge DICOM Toolkit so critical? Every time a patient undergoes an MRI, CT scan, or any other form of medical imaging, the Digital Imaging and Communications in Medicine (DICOM) standard is what ensures these images are stored, shared, and available in a universally compatible format across healthcare systems. Even though the Merge DICOM Toolkit is not the only library that implements the DICOM standard, it has a large market share and is integrated into several healthcare devices.
Key features of the Merge DICOM Toolkit include the ability to read and write DICOM files, ensuring smooth integration with existing medical archives. The toolkit's data manipulation capabilities allow DICOM attributes such as patient information, image parameters, or acquisition data to be extracted, modified and updated, ensuring that critical information is accurate and up to date. Its DICOM networking capability facilitates communication across DICOM-compliant systems, enabling the exchange of medical images between remote machines.
During our security research on the Merge DICOM Toolkit, the Nozomi Networks Labs team identified three security flaws that can be triggered through seemingly benign operations, such as reading a DICOM file or processing a DICOM network packet, and that cause the DICOM service to crash (a denial of service). In the following sections, we not only delve into the technicalities of these vulnerabilities but also look at the real-world scenarios that could unfold if a threat actor exploited them.
In response to our findings, Merge by Merative developed the new Merge DICOM Toolkit C/C++ SDK v5.18 software release, which patches all the vulnerabilities we discovered. Given the impact these issues could have on a medical infrastructure, we strongly suggest checking whether any of your healthcare software uses a vulnerable version of this library and, if so, updating to the latest v5.18 release.
Overview of the Merge DICOM Toolkit
The Merge DICOM Toolkit is a software library developed by Merge to facilitate the handling, manipulation, and processing of medical images in the DICOM format—essentially the JPEGs of the medical world, but with a lot more complexity and nuance. These files contain both the images themselves and critical patient data, which are essential in the diagnosis and treatment process. The Merge DICOM Toolkit library provides developers with a comprehensive set of tools and functions to integrate DICOM network or media functionality into their applications.
Key features of this toolkit include:
- DICOM I/O: With its ability to read and write DICOM files, the toolkit ensures that healthcare professionals can access and integrate medical images into existing archives and systems.
- Data Manipulation: The toolkit goes beyond mere DICOM processing and communication capabilities, allowing for the extraction, modification, and update of DICOM attributes. This means everything from patient information to image parameters and acquisition data can be managed effectively, ensuring accuracy and relevance.
- DICOM Networking: In today's interconnected world, the ability of the toolkit to communicate with other DICOM-compliant systems is invaluable. This networking capability facilitates the exchange of medical images across various platforms and networks.
- Compliance and Validation: At its core, the Merge DICOM Toolkit is designed to uphold the highest standards of compliance with DICOM standards. It supports validation and conformance testing of DICOM data, ensuring that the systems it powers are both robust and reliable.
Discovered Vulnerabilities
During our security research on the Merge DICOM Toolkit C/C++ SDK v5.16 for Windows, we found that the SDK library is affected by three vulnerabilities, listed below:
- CVE-2024-23912:
  - CWE: Out-of-bounds Read (CWE-125)
  - CVSS v3.1: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (4.0 - Medium)
  - High-level description: When the MC_Open_File function is used to read malformed DICOM data, it may read past the end of a memory buffer and cause a memory access violation.
- CVE-2024-23913:
  - CWE: Use of Out-of-range Pointer Offset (CWE-823)
  - CVSS v3.1: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (4.0 - Medium)
  - High-level description: When the MC_XML_To_Message function is used to read a malformed DICOM XML file, it may cause a memory access violation.
- CVE-2024-23914:
  - CWE: Use of Externally-Controlled Format String (CWE-134)
  - CVSS v3.1: AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (5.7 - Medium)
  - High-level description: When the MC_Open_Association function is used to open a DICOM Association and receives a DICOM Application Context Name containing illegal characters, it may raise an unhandled exception. The vulnerability can be exploited by unauthenticated attackers with a privileged position in the network (adjacent network access, as the AV:A vector indicates); no credentials are needed, but the victim must initiate the association.
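The common thread in the first two issues is a parser that trusts a length field read from attacker-controlled data. The following C program is an added illustration and is not code from the Merge DICOM Toolkit: it parses the explicit VR little endian elements of a DICOM Part 10 file and checks every declared value length against the bytes actually remaining before the value is touched, which is the check whose absence turns a malformed file into an out-of-bounds read of the kind described for CVE-2024-23912. The sample file, the DCM_* result codes and the function names are this example's own; the malformed variant declares a 4096-byte Pixel Data value while only four bytes follow.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this example's parser (not part of the Merge toolkit API). */
enum { DCM_OK = 0, DCM_ERR_PREAMBLE = -1, DCM_ERR_TRUNCATED = -2,
       DCM_ERR_LENGTH = -3, DCM_ERR_UNSUPPORTED = -4 };

typedef struct {
    uint16_t group, element;
    char vr[3];
    uint32_t length;
    const uint8_t *value;   /* points into the caller's buffer, never past its end */
} dicom_elem;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VRs whose explicit-VR encoding carries 2 reserved bytes and a 32-bit length (PS3.5 Table 7.1-1). */
static int vr_has_long_length(const char *vr) {
    static const char *const long_vrs[] = {"OB","OD","OF","OL","OV","OW","SQ","SV","UC","UN","UR","UT","UV"};
    for (size_t i = 0; i < sizeof long_vrs / sizeof long_vrs[0]; i++)
        if (memcmp(vr, long_vrs[i], 2) == 0) return 1;
    return 0;
}

/* Parse one explicit VR little endian element at buf[*off]. Each read is preceded
 * by a check against the bytes available; a declared value length larger than the
 * remainder is rejected instead of dereferenced, which is the over-read a malformed
 * file provokes when the check is missing. */
int dicom_read_element(const uint8_t *buf, size_t len, size_t *off, dicom_elem *out) {
    size_t p = *off;
    if (p > len || len - p < 8) return DCM_ERR_TRUNCATED;      /* tag(4) + VR(2) + short length(2) */
    out->group = rd16(buf + p);
    out->element = rd16(buf + p + 2);
    memcpy(out->vr, buf + p + 4, 2);
    out->vr[2] = '\0';
    p += 6;
    uint32_t vl;
    if (vr_has_long_length(out->vr)) {
        if (len - p < 6) return DCM_ERR_TRUNCATED;             /* reserved(2) + length(4) */
        vl = rd32(buf + p + 2);
        p += 6;
    } else {
        vl = rd16(buf + p);
        p += 2;
    }
    if (vl == 0xFFFFFFFFu) return DCM_ERR_UNSUPPORTED;         /* undefined length needs delimiter parsing */
    if (vl > len - p) return DCM_ERR_LENGTH;                   /* the bounds check that prevents the over-read */
    out->length = vl;
    out->value = buf + p;
    *off = p + vl;
    return DCM_OK;
}

/* Walk a Part 10 file: 128-byte preamble, "DICM", then elements until the buffer ends. */
int dicom_walk(const uint8_t *buf, size_t len, size_t *count) {
    *count = 0;
    if (len < 132 || memcmp(buf + 128, "DICM", 4) != 0) return DCM_ERR_PREAMBLE;
    size_t off = 132;
    while (off < len) {
        dicom_elem e;
        int rc = dicom_read_element(buf, len, &off, &e);
        if (rc != DCM_OK) return rc;
        (*count)++;
    }
    return DCM_OK;
}

/* Constructed sample: Transfer Syntax UID, Patient's Name, and a 4-byte Pixel Data element.
 * With malformed != 0 the Pixel Data length field claims 4096 bytes although only 4 follow. */
size_t build_sample_file(uint8_t *out, size_t cap, int malformed) {
    static const uint8_t ts[] = {0x02,0x00,0x10,0x00,'U','I',0x14,0x00,
        '1','.','2','.','8','4','0','.','1','0','0','0','8','.','1','.','2','.','1',0x00};
    static const uint8_t pn[] = {0x10,0x00,0x10,0x00,'P','N',0x08,0x00,'D','O','E','^','J','O','H','N'};
    uint8_t px[] = {0xE0,0x7F,0x10,0x00,'O','B',0x00,0x00,0x04,0x00,0x00,0x00,0x01,0x02,0x03,0x04};
    if (malformed) { px[8] = 0x00; px[9] = 0x10; }           /* length becomes 0x00001000 */
    size_t n = 132 + sizeof ts + sizeof pn + sizeof px;
    if (cap < n) return 0;
    memset(out, 0, 128);
    memcpy(out + 128, "DICM", 4);
    memcpy(out + 132, ts, sizeof ts);
    memcpy(out + 132 + sizeof ts, pn, sizeof pn);
    memcpy(out + 132 + sizeof ts + sizeof pn, px, sizeof px);
    return n;
}

/* Wrappers: parse the constructed sample and report the status code / element count. */
int sample_status(int malformed) {
    uint8_t f[256]; size_t count;
    return dicom_walk(f, build_sample_file(f, sizeof f, malformed), &count);
}
size_t sample_elements(int malformed) {
    uint8_t f[256]; size_t count;
    dicom_walk(f, build_sample_file(f, sizeof f, malformed), &count);
    return count;
}

int main(void) {
    printf("well-formed: rc=%d elements=%zu\n", sample_status(0), sample_elements(0));
    printf("malformed:   rc=%d elements=%zu\n", sample_status(1), sample_elements(1));
    return 0;
}
```

The well-formed sample yields three elements; the malformed one stops at the Pixel Data element with DCM_ERR_LENGTH after two, rather than reading 4092 bytes beyond the buffer. The same discipline applies to the reserved bytes and the 32-bit length of the long VRs, which is why the parser checks the six extra header bytes separately before decoding them.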
Impacts and Attack Scenarios
In a hospital, where every second counts, technology bridges the gap between life-saving decisions and their execution. Here, medical images (X-rays, MRIs, etc.) are vital for healthcare professionals to make diagnoses and deliver medical treatments. In this context, DICOM is a standard that defines both the structure of a DICOM file as well as the TCP/IP network communication protocol to exchange medical images between different systems.
Let's explore both DICOM use cases and how the vulnerabilities we found could be used by a threat actor to lower the security posture of a target hospital infrastructure that uses a vulnerable Merge DICOM Toolkit C/C++ SDK:
- Attack vector: Reading a malicious DICOM image file
  - Scenario: When a medical operator reviews a patient's MRI scan, the DICOM file not only provides the high-quality image needed for an accurate diagnosis but also includes the relevant patient data and imaging parameters, all accessible within the same file.
  - Threat: If the medical operator opens a malicious DICOM image with a DICOM viewer application (i.e., software used to read and display a DICOM file as an image) that internally uses a vulnerable version of the Merge DICOM Toolkit C/C++, an attacker can exploit CVE-2024-23912 (when the file is parsed through MC_Open_File) or CVE-2024-23913 (when the viewer feeds a DICOM XML representation of the data set to MC_XML_To_Message) to crash the DICOM viewer software.
- Attack vector: Sending a malicious DICOM network packet
  - Scenario: Instead of storing the patient data and images produced by a medical examination in a file, some DICOM-enabled devices (e.g., ultrasound, MRI or CT machines) can send them over the network to a remote DICOM server (also called SCP, Service Class Provider). To do so, the device (also called SCU, Service Class User) opens a new connection to the remote SCP and sends DICOM data to it.
  - Threat: If a malicious actor is able to spoof the A-ASSOCIATE-AC response that the SCP returns during the initial handshake with the SCU (the response that carries the Application Context Name), and the SCU uses a vulnerable version of the Merge DICOM Toolkit C/C++, the attacker can exploit CVE-2024-23914 to crash the SCU machine (e.g., an ultrasound, MRI or CT machine).
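To make the second scenario concrete, the following C program is an added example and is not the toolkit's code (the internals of MC_Open_Association are not public). It builds a constructed A-ASSOCIATE-AC PDU laid out as in DICOM PS3.8 (fixed 74-byte header, then variable items), locates the Application Context item, and accepts the Application Context Name only if it is a syntactically valid DICOM UID, so that a value such as the constructed "%n%n%n%s" never reaches a printf-style sink. The PDU builder, the ASSOC_* result codes, the AE titles and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DICOM_UID_MAX 64                 /* PS3.5 9.1: a UID is at most 64 characters */
#define PDU_A_ASSOCIATE_AC 0x02
#define ITEM_APPLICATION_CONTEXT 0x10
#define ASSOC_FIXED_HEADER 74            /* type, reserved, length, version, reserved, AE titles, reserved */

/* Result codes for this example (not part of the Merge toolkit API). */
enum { ASSOC_OK = 0, ASSOC_ERR_PDU = -1, ASSOC_ERR_ITEM = -2,
       ASSOC_ERR_NO_CONTEXT = -3, ASSOC_ERR_BAD_CONTEXT = -4 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* A DICOM UID is dot-separated decimal components: no empty component, no leading
 * zero on a multi-digit component, 64 characters at most. Anything else, '%' included,
 * is rejected before the string is used anywhere. */
int dicom_uid_is_valid(const char *uid) {
    size_t n = strlen(uid), start = 0;
    if (n == 0 || n > DICOM_UID_MAX) return 0;
    for (size_t i = 0; i <= n; i++) {
        if (i == n || uid[i] == '.') {
            size_t clen = i - start;
            if (clen == 0 || (clen > 1 && uid[start] == '0')) return 0;
            start = i + 1;
        } else if (uid[i] < '0' || uid[i] > '9') {
            return 0;
        }
    }
    return 1;
}

/* Find the Application Context item (type 0x10) in an A-ASSOCIATE-AC PDU (PS3.8 9.3.3)
 * and copy its name into name[cap] only if it is a valid UID. Every length field is
 * checked against the PDU bytes that are really present. */
int parse_associate_ac_context(const uint8_t *pdu, size_t len, char *name, size_t cap) {
    if (len < ASSOC_FIXED_HEADER || pdu[0] != PDU_A_ASSOCIATE_AC) return ASSOC_ERR_PDU;
    uint32_t pdu_len = be32(pdu + 2);
    if (pdu_len < ASSOC_FIXED_HEADER - 6 || pdu_len > len - 6) return ASSOC_ERR_PDU;
    size_t off = ASSOC_FIXED_HEADER, end = 6 + pdu_len;
    while (end - off >= 4) {
        uint8_t type = pdu[off];
        uint16_t ilen = be16(pdu + off + 2);
        if (ilen > end - off - 4) return ASSOC_ERR_ITEM;          /* item runs past the PDU */
        if (type == ITEM_APPLICATION_CONTEXT) {
            if (ilen == 0 || ilen >= cap) return ASSOC_ERR_ITEM;
            memcpy(name, pdu + off + 4, ilen);
            name[ilen] = '\0';
            if (strlen(name) != ilen) return ASSOC_ERR_BAD_CONTEXT; /* embedded NUL */
            return dicom_uid_is_valid(name) ? ASSOC_OK : ASSOC_ERR_BAD_CONTEXT;
        }
        off += 4 + ilen;
    }
    return ASSOC_ERR_NO_CONTEXT;
}

/* Logging the peer's value: the CWE-134 pattern is snprintf(line, cap, name), where the
 * attacker-controlled name becomes the format string. Passing it as a %s argument
 * keeps the format under the program's control regardless of its content. */
int log_application_context(const char *name, char *line, size_t cap) {
    int n = snprintf(line, cap, "Application Context Name: %s", name);
    return n > 0 && (size_t)n < cap;
}

/* Constructed A-ASSOCIATE-AC: fixed header with example AE titles, then one Application Context item. */
size_t build_associate_ac(uint8_t *out, size_t cap, const char *context_name) {
    size_t nlen = strlen(context_name), total = ASSOC_FIXED_HEADER + 4 + nlen;
    if (nlen == 0 || nlen > 0xFFFF || total > cap) return 0;
    memset(out, 0, total);
    uint32_t pdu_len = (uint32_t)(total - 6);
    out[0] = PDU_A_ASSOCIATE_AC;
    out[2] = (uint8_t)(pdu_len >> 24); out[3] = (uint8_t)(pdu_len >> 16);
    out[4] = (uint8_t)(pdu_len >> 8);  out[5] = (uint8_t)pdu_len;
    out[7] = 0x01;                                  /* protocol version 1 */
    memset(out + 10, ' ', 32);                      /* called + calling AE titles, space padded */
    memcpy(out + 10, "STORESCP", 8);
    memcpy(out + 26, "MODALITY", 8);
    out[ASSOC_FIXED_HEADER] = ITEM_APPLICATION_CONTEXT;
    out[ASSOC_FIXED_HEADER + 2] = (uint8_t)(nlen >> 8);
    out[ASSOC_FIXED_HEADER + 3] = (uint8_t)nlen;
    memcpy(out + ASSOC_FIXED_HEADER + 4, context_name, nlen);
    return total;
}

/* Wrapper: build a PDU carrying context_name, optionally drop trailing bytes, and parse it. */
int associate_result(const char *context_name, size_t truncate_by) {
    uint8_t pdu[256]; char name[DICOM_UID_MAX + 1];
    size_t n = build_associate_ac(pdu, sizeof pdu, context_name);
    if (n <= truncate_by) return ASSOC_ERR_PDU;
    return parse_associate_ac_context(pdu, n - truncate_by, name, sizeof name);
}

int main(void) {
    char line[128];
    printf("genuine UID: %d\n", associate_result("1.2.840.10008.3.1.1.1", 0));
    printf("format-string bytes: %d\n", associate_result("%n%n%n%s", 0));
    printf("truncated PDU: %d\n", associate_result("1.2.840.10008.3.1.1.1", 5));
    if (log_application_context("1.2.840.10008.3.1.1.1", line, sizeof line)) puts(line);
    return 0;
}
```

The genuine DICOM application context UID is accepted, the constructed format-string payload is rejected as ASSOC_ERR_BAD_CONTEXT without ever being interpreted, and a PDU whose declared length exceeds the bytes received is refused up front. Validation and the "%s" logging pattern are independent defenses: either one alone would stop this particular input, and a robust SCU keeps both.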
Takeaways and Remediations
The cybersecurity landscape is moving fast, with threat actors constantly seeking new vulnerabilities to exploit. During our research on the Merge DICOM Toolkit we demonstrated how a vulnerability in one of the most popular healthcare libraries used by medical imaging software can affect the security posture of a healthcare system. The discovery of these vulnerabilities serves as a reminder that, in the healthcare industry too, software supply chain security is a key element that must be properly protected to ensure the safety of critical infrastructure.
Our collaborative journey with Merge underscores the importance of partnership in the cybersecurity industry: for this reason, we would like to thank Merge for their proactive response and collaboration during our coordinated responsible disclosure process.
In response to our findings, Merge by Merative developed the new Merge DICOM Toolkit C/C++ SDK v5.18 software release, which patches all the vulnerabilities we discovered. Since the affected product is a popular library in the healthcare industry, it may be embedded in several Windows applications. For this reason, we strongly suggest checking whether any of your healthcare software uses a vulnerable version of this library and, if so, updating to the latest v5.18 release.