Alert essentials:
Orthanc versions before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system. In specific deployment scenarios, the vulnerability also allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE).
We recommend changing default or weak credentials, and upgrading Orthanc software version to 1.12.0 to protect against this vulnerability.
Detailed threat description:
Orthanc, an open-source software for managing medical imaging data, has a high severity vulnerability (CVE-2023-33466) in versions prior to 1.12.0.
The vulnerability allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios, allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE). This flaw involves a REST API endpoint that permits arbitrary file overwrites.
The exploit can be achieved with the use of Polyglot Files. A polyglot file is a file that conforms to multiple file formats simultaneously. For instance, a file might be a legitimate PDF document while also being a zip archive that houses malicious code.
In this case, the polyglot file is a DICOM file that is also a valid Orthanc JSON configuration.
It is critical for administrators to change the default credentials and upgrade Orthanc to secure their systems. This vulnerability can also significantly impact the healthcare sector, with around 1700 exposed instances identified on Shodan at the time this exploit was published.
This vulnerability permits unauthorized users to access and gain complete control via remote code execution. If exploited, it could lead to data breaches, potential ransomware attacks, impacting patient information, care quality, and possibly causing prolonged IT system outages.
Impacts on healthcare organizations
The risk of remote code execution and data breach are high on the list of concerns for healthcare. This vulnerability has the potential to lead to both.
Affected Products / Versions
- All versions of Orthanc prior to 1.12.0
CVE
- CVE-2023-33466
Recommendations
Engineering recommendations:
- Assuming external access is granted by setting the “RemoteAccessAllow” to “true” consider the following steps:
- Set AuthenticationEnabled to true to force the users to authenticate. The authorized users are listed in the option RegisteredUsers.
- Enable HTTPS encryption to prevent the stealing of medical data or passwords, even on the Intranet
- If Orthanc is put on a server that can be contacted from Internet, put Orthanc behind a reverse proxy, and let this reverse proxy take care of the HTTPS encryption
- Ensure that the REST API can not write to the filesystem (e.g. in the /instances/../export route) by leaving the configuration RestApiWriteToFileSystemEnabled to its default false value
- Read on these steps and more in Securing Orthanc 19
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
