CVE-2019-1010228 : Security Advisory and Response

Learn about CVE-2019-1010228 affecting OFFIS.de DCMTK versions 3.6.3 and below. Discover the Buffer Overflow issue, its impact, and mitigation steps to secure your systems.

OFFIS.de DCMTK version 3.6.3 and below are vulnerable to a Buffer Overflow issue that can lead to code execution and Denial of Service. The vulnerability is located in DcmRLEDecoder::decompress() and affects DICOM file processing.

Understanding CVE-2019-1010228

This CVE involves a critical Buffer Overflow vulnerability in OFFIS.de DCMTK versions 3.6.3 and below, potentially allowing attackers to execute arbitrary code and cause Denial of Service.

What is CVE-2019-1010228?

The vulnerability in DCMTK versions 3.6.3 and below allows for a Buffer Overflow, impacting the DcmRLEDecoder::decompress() component, specifically in the file dcrledec.h at line 122. Attackers can exploit this issue through various DICOM file processing scenarios.

The Impact of CVE-2019-1010228

The Buffer Overflow in the affected DCMTK versions poses a severe risk of code execution, and Denial of Service is confirmed.

Technical Details of CVE-2019-1010228

OFFIS.de DCMTK version 3.6.3 and below are susceptible to a Buffer Overflow vulnerability, as detailed below:

Vulnerability Description

        The vulnerability allows for a Buffer Overflow in DcmRLEDecoder::decompress()
        Located in the file dcrledec.h at line 122

Affected Systems and Versions

        Product: DCMTK
        Vendor: OFFIS.de
        Vulnerable Versions: 3.6.3 and below
        Fixed Version: 3.6.4 (after commit 40917614e)

Exploitation Mechanism

        Attack vector: various DICOM file processing scenarios
        Specifically affects DICOM to image conversion

Mitigation and Prevention

It is crucial to take immediate steps to address and prevent exploitation of CVE-2019-1010228:

Immediate Steps to Take

        Update DCMTK to version 3.6.4 or later
        Monitor and restrict DICOM file processing activities

Long-Term Security Practices

        Regularly update software and apply security patches
        Conduct security assessments and penetration testing

Patching and Updates

        Ensure timely installation of vendor-provided patches and updates to mitigate vulnerabilities
