A recent alert highlights significant vulnerabilities in MicroDicom DICOM Viewer. The alert, ICSMA-24-060-01, was released on February 29, 2024, and describes two critical issues: a heap-based buffer overflow (CVE-2024-22100) and an out-of-bounds write (CVE-2024-25578). Both vulnerabilities have a CVSS v3 score of 7.8 and pose a severe risk of arbitrary code execution, which makes mitigation urgent.
Versions 2023.3 (Build 9342) and earlier are affected, and MicroDicom recommends that users promptly upgrade to the fixed version, 2024.1. Both vulnerabilities can be exploited by opening a malicious DCM file, and the resulting memory corruption calls for immediate defensive action. CISA provides additional defensive measures, including minimizing network exposure and using secure remote access methods such as VPNs.
MicroDicom is a Bulgaria-based company, and its product is deployed worldwide in the Healthcare and Public Health sectors, so the company's prompt response to the reported vulnerabilities is crucial. The researcher Michael Heinzl reported these issues to CISA. Organizations are urged to implement the recommended cybersecurity strategies and perform thorough risk assessments.