CVE-2024-21825: How Attackers Exploit Orthanc DICOM Servers — Patch Now
- Immediate impact: Attackers can exploit memory corruption flaws to execute code or cause service outages on exposed Orthanc DICOM servers.
- Affected systems: Orthanc versions earlier than 1.12.2 are vulnerable to multiple high-severity flaws in their DICOM processing logic.
- Remediation: Administrators should immediately upgrade all Orthanc instances to version 1.12.2 or later to address these critical security vulnerabilities.
Orthanc is a lightweight, open-source DICOM server commonly deployed in healthcare environments for medical imaging management. Recent findings from the Synopsys Cybersecurity Research Center (CyRC) have highlighted three distinct vulnerabilities that could permit an attacker to compromise these systems. According to SecurityWeek, these flaws range from denial-of-service to potential remote code execution, posing a significant risk to patient data availability and system integrity.
Technical Analysis of DICOM Parsing Flaws
The vulnerabilities stem from how the Orthanc server processes DICOM (Digital Imaging and Communications in Medicine) packets. The most critical CVE identified is CVE-2024-21825, which carries a CVSS score of 9.8. This flaw is a stack-based buffer overflow that occurs when the server parses specific DICOM elements. An unauthenticated attacker could send a specially crafted DICOM request to the server, triggering the overflow. If successfully exploited, this could lead to full RCE, allowing the attacker to execute arbitrary commands with the privileges of the Orthanc process.
In addition to the stack overflow, CVE-2024-21826 involves an out-of-bounds read vulnerability. While this flaw is primarily associated with information disclosure, it can also lead to application crashes. Attackers might use this to leak sensitive memory contents or mapping information, which often serves as a precursor to more complex exploitation chains. Finally, CVE-2024-21827 is a null pointer dereference issue. This vulnerability allows an attacker to remotely crash the Orthanc service by sending malformed packets, resulting in a denial-of-service condition that can disrupt clinical workflows and medical imaging access.
Orthanc DICOM Server 1.12.1 Patch Guidance
The primary remediation for these vulnerabilities is the immediate upgrade of all affected instances. Organizations running versions 1.12.1 and earlier are vulnerable and must migrate to version 1.12.2 or later. This update contains the bounds checking and input validation improvements needed to mitigate the risks.
To effectively remediate Orthanc RCE vulnerabilities, administrators should prioritize the update of internet-facing servers. While DICOM servers should ideally reside within internal, segmented networks, many are unintentionally exposed or accessible via VPNs. Reviewing firewall rules and ensuring that the DICOM port (typically 4242 or 104) is only accessible to authorized clinical systems is a fundamental step in reducing the attack surface. This is particularly important for healthcare entities where availability is as critical as confidentiality.
Detection and Strategic Mitigation
Defenders must evaluate their current monitoring capabilities to identify potential exploitation attempts. Understanding how to detect CVE-2024-21825 exploit signatures involves looking for unusually large DICOM attribute values or malformed PDU (Protocol Data Unit) structures within network traffic. Intrusion Detection Systems should be updated with rules targeting these specific protocol anomalies.
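As an added example (not from the original article or from the Orthanc project), the following Python checker walks the DICOM upper-layer PDUs in a captured byte stream and flags the anomalies described above: PDU lengths above a local policy threshold, PDUs that claim more bytes than the capture holds, and P-DATA-TF PDV items whose declared length does not fit inside their PDU. The PDU type codes follow DICOM PS3.8; the 16 MiB threshold and the sample byte strings are constructed assumptions, not values from the advisory.

```python
import struct

# DICOM upper-layer PDU types (PS3.8): 1-byte type, 1 reserved byte, 4-byte big-endian length.
PDU_TYPES = {0x01: "A-ASSOCIATE-RQ", 0x02: "A-ASSOCIATE-AC", 0x03: "A-ASSOCIATE-RJ",
             0x04: "P-DATA-TF", 0x05: "A-RELEASE-RQ", 0x06: "A-RELEASE-RP", 0x07: "A-ABORT"}
MAX_PDU_LENGTH = 16 * 1024 * 1024  # assumed local policy ceiling, not a protocol constant

def check_pdv_items(body: bytes, base: int) -> list:
    """Validate the PDV items inside a P-DATA-TF body: 4-byte length, then context id + control byte + data."""
    findings, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 4:
            findings.append(f"offset {base + pos}: truncated PDV item header")
            break
        (pdv_len,) = struct.unpack_from(">I", body, pos)
        if pdv_len < 2 or pos + 4 + pdv_len > len(body):  # must hold at least ctx id + control byte
            findings.append(f"offset {base + pos}: PDV length {pdv_len} does not fit in P-DATA-TF body")
            break
        pos += 4 + pdv_len
    return findings

def inspect_pdu_stream(data: bytes, max_pdu_length: int = MAX_PDU_LENGTH) -> list:
    """Walk every PDU in a captured stream and return human-readable anomaly findings (empty list = clean)."""
    findings, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 6:
            findings.append(f"offset {offset}: truncated PDU header")
            break
        pdu_type, reserved, length = struct.unpack_from(">BBI", data, offset)
        if pdu_type not in PDU_TYPES:
            findings.append(f"offset {offset}: unknown PDU type 0x{pdu_type:02x}")
        if reserved != 0:
            findings.append(f"offset {offset}: non-zero reserved byte 0x{reserved:02x}")
        if length > max_pdu_length:
            findings.append(f"offset {offset}: PDU length {length} exceeds policy maximum {max_pdu_length}")
        if offset + 6 + length > len(data):
            findings.append(f"offset {offset}: PDU claims {length} bytes but only {len(data) - offset - 6} remain")
            break
        if pdu_type == 0x04:
            findings.extend(check_pdv_items(data[offset + 6:offset + 6 + length], offset + 6))
        offset += 6 + length
    return findings

# Constructed sample traffic (assumed, not captured from any real system).
GOOD_RELEASE = b"\x05\x00" + struct.pack(">I", 4) + b"\x00\x00\x00\x00"
GOOD_PDATA = b"\x04\x00" + struct.pack(">I", 8) + struct.pack(">I", 4) + b"\x01\x03\xaa\xbb"
BAD_OVERSIZED = b"\x04\x00" + struct.pack(">I", 0xFFFFFFFF) + b"\x00" * 8   # absurd declared length
BAD_PDV = b"\x04\x00" + struct.pack(">I", 8) + struct.pack(">I", 100) + b"\x01\x03\xaa\xbb"  # PDV overruns PDU
```

Run `inspect_pdu_stream` over reassembled TCP payloads from a DICOM port capture; any non-empty result is worth a closer look, and the same checks translate directly into IDS rule logic.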
From a MITRE ATT&CK perspective, these vulnerabilities allow for initial access or persistence if the service is compromised. Beyond patching, implementing network-level access control lists and utilizing service-specific logging is advised. Because Orthanc is often integrated into larger PACS environments, a compromise here could facilitate lateral movement within a hospital’s network. Consequently, adopting a defense-in-depth posture is required to protect the broader healthcare infrastructure and prevent unauthorized access to sensitive patient health information.