DICOM/BMP File Parsing Vulnerabilities in syngo fastView
Publication Date: 2021-12-14
Last Update: 2022-02-08
Current Version: V1.1
CVSS v3.1 Base Score: 7.8
SUMMARY
syngo fastView contains vulnerabilities that could be triggered while parsing DICOM or BMP files. If a user is tricked into opening a malicious file in syngo fastView, this could lead to a crash of the application or potentially to arbitrary code execution.
Siemens Healthineers recommends specific countermeasures for products where updates are not, or not yet, available.
WORKAROUNDS AND MITIGATIONS
Siemens Healthineers has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
- Download syngo fastView only from Siemens Healthineers official page
- Avoid opening untrusted files from unknown sources in syngo fastView
- Remove syngo fastView after viewing the required files
GENERAL SECURITY RECOMMENDATIONS
In addition, Siemens Healthineers recommends the following:
- Ensure you have appropriate backups and system restoration procedures.
- Securely delete any backup files that are no longer needed.
- For specific patch and remediation guidance, contact your local Siemens Healthineers Customer Service Engineer, portal or our Regional Support Center. To find your local contact, please refer to https://www.siemens-healthineers.com/how-can-we-help-you
PRODUCT DESCRIPTION
syngo fastView is a standalone viewer for DICOM (Digital Imaging and Communications in Medicine) images provided on DICOM exchange media. syngo fastView can be used on any Windows PC but it is not a medical device and therefore not permitted for diagnostic use. Consequently, syngo fastView cannot be run on Medical Workstations from Siemens Healthineers.
VULNERABILITY CLASSIFICATION
The vulnerability classification has been performed using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to arrive at the final score.
An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.
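As an added worked example (written for this page, not a Siemens Healthineers tool), the following C program computes a CVSS v3.1 base score and temporal score from a vector string using the weights and formulas of the FIRST specification. Run on the vector that each of the three entries below carries, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C, it reproduces the listed base score of 7.8. The advisory itself states only the base score; the temporal value the program prints follows from the E:P/RL:U/RC:C part of the vector and the specification's temporal weights.

```c
/* Added example: CVSS v3.1 base and temporal scores from a vector string, using
 * the formulas and weights of the FIRST specification. Not a Siemens tool. */
#include <stdio.h>
#include <string.h>

/* Weight of one metric value; -1 for an unknown metric/value pair. */
static double weight(const char *m, char v, int scope_changed)
{
    if (!strcmp(m, "AV")) return v == 'N' ? 0.85 : v == 'A' ? 0.62 : v == 'L' ? 0.55 : v == 'P' ? 0.2 : -1;
    if (!strcmp(m, "AC")) return v == 'L' ? 0.77 : v == 'H' ? 0.44 : -1;
    if (!strcmp(m, "PR")) return v == 'N' ? 0.85 : v == 'L' ? (scope_changed ? 0.68 : 0.62)
                                                 : v == 'H' ? (scope_changed ? 0.5 : 0.27) : -1;
    if (!strcmp(m, "UI")) return v == 'N' ? 0.85 : v == 'R' ? 0.62 : -1;
    if (!strcmp(m, "C") || !strcmp(m, "I") || !strcmp(m, "A"))
        return v == 'H' ? 0.56 : v == 'L' ? 0.22 : v == 'N' ? 0.0 : -1;
    if (!strcmp(m, "E"))  return v == 'X' || v == 'H' ? 1.0 : v == 'F' ? 0.97 : v == 'P' ? 0.94 : v == 'U' ? 0.91 : -1;
    if (!strcmp(m, "RL")) return v == 'X' || v == 'U' ? 1.0 : v == 'W' ? 0.97 : v == 'T' ? 0.96 : v == 'O' ? 0.95 : -1;
    if (!strcmp(m, "RC")) return v == 'X' || v == 'C' ? 1.0 : v == 'R' ? 0.96 : v == 'U' ? 0.92 : -1;
    return -1;
}

/* Value character of metric m in "CVSS:3.1/AV:L/AC:L/...", or 0 if absent. */
static char metric(const char *vec, const char *m)
{
    size_t n = strlen(m);
    for (const char *p = vec; (p = strchr(p, '/')) != NULL; p++)
        if (!strncmp(p + 1, m, n) && p[1 + n] == ':') return p[2 + n];
    return 0;
}

/* CVSS v3.1 Roundup: smallest number with one decimal that is >= x (x >= 0).
 * Integer arithmetic as in the specification's reference implementation. */
double cvss31_roundup(double x)
{
    long long i = (long long)(x * 100000.0 + 0.5);
    return i % 10000 == 0 ? i / 100000.0 : (i / 10000 + 1) / 10.0;
}

static double pow15(double b) { double r = 1; for (int i = 0; i < 15; i++) r *= b; return r; }

/* Base score (specification section 7.1); -1 if the vector is malformed. */
double cvss31_base(const char *vec)
{
    char s = metric(vec, "S");
    if (s != 'U' && s != 'C') return -1;
    int sc = s == 'C';
    const char *names[] = { "AV", "AC", "PR", "UI", "C", "I", "A" };
    double w[7];
    for (int k = 0; k < 7; k++)
        if ((w[k] = weight(names[k], metric(vec, names[k]), sc)) < 0) return -1;
    double iss = 1 - (1 - w[4]) * (1 - w[5]) * (1 - w[6]);
    double impact = sc ? 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02) : 6.42 * iss;
    double expl = 8.22 * w[0] * w[1] * w[2] * w[3];
    if (impact <= 0) return 0;
    double sum = sc ? 1.08 * (impact + expl) : impact + expl;
    return cvss31_roundup(sum > 10 ? 10 : sum);
}

/* Temporal score (section 7.2): base scaled by E, RL, RC; absent metrics count as X = 1.0. */
double cvss31_temporal(const char *vec)
{
    double t = cvss31_base(vec);
    if (t < 0) return -1;
    const char *names[] = { "E", "RL", "RC" };
    for (int k = 0; k < 3; k++) {
        char v = metric(vec, names[k]);
        double wk = weight(names[k], v ? v : 'X', 0);
        if (wk < 0) return -1;
        t *= wk;
    }
    return cvss31_roundup(t);
}

int main(void)
{
    /* The vector each entry in this advisory carries. */
    const char *vec = "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C";
    printf("base %.1f temporal %.1f\n", cvss31_base(vec), cvss31_temporal(vec));
    return 0;
}
```

For this vector the impact sub score is 6.42 × (1 − 0.44³) ≈ 5.873, the exploitability sub score is 8.22 × 0.55 × 0.77 × 0.85 × 0.62 ≈ 1.835, and Roundup(7.708) gives 7.8; the customer-specific environmental score the paragraph above mentions is not implemented here.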
Vulnerability CVE-2021-40367
The affected application lacks proper validation of user-supplied data when parsing DICOM files. This could result in an out-of-bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-15097)
CVSS v3.1 Base Score 7.8
CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C
CWE CWE-787: Out-of-bounds Write
Vulnerability CVE-2021-42028
The affected application lacks proper validation of user-supplied data when parsing BMP files. This could result in an out-of-bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-14860)
CVSS v3.1 Base Score 7.8
CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C
CWE CWE-787: Out-of-bounds Write
Vulnerability CVE-2021-45465
The affected application lacks proper validation of user-supplied data when parsing BMP files. This could result in a write-what-where condition. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-15696)
CVSS v3.1 Base Score 7.8
CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C
CWE CWE-123: Write-what-where Condition
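The three entries above share one root cause: a size or offset taken from the file is used for a write before it is checked against the buffer it indexes. As an added illustration (example code written for this page, not code from syngo fastView or Siemens Healthineers), the following C program shows what "proper validation of user-supplied data" looks like for the simpler of the two formats, BMP: every header field that later feeds an index, a length or an allocation is checked against the actual buffer length before it is trusted, and the pixel copy only ever uses the validated values. The BMP layout used is the standard 14-byte file header followed by a 40-byte BITMAPINFOHEADER; the constructed 2x2 sample and the particular set of checks are assumptions for the example, since the advisory does not say which check the product lacked. The same principle applies to DICOM element lengths in CVE-2021-40367, which this example does not parse.

```c
/* Added example: validate every BMP header field before it feeds an index, a
 * length or an allocation. Generic illustration code, not syngo fastView code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum bmp_status { BMP_OK = 0, BMP_ERR_SHORT, BMP_ERR_MAGIC, BMP_ERR_HEADER,
                  BMP_ERR_GEOMETRY, BMP_ERR_PALETTE, BMP_ERR_OFFSET, BMP_ERR_PIXELS };

/* height < 0 means rows are stored top-down; pixel_bytes = stride * |height|. */
typedef struct { int32_t width, height; uint16_t bpp; uint32_t pixel_offset, stride; uint64_t pixel_bytes; } bmp_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns BMP_OK only if every size and offset is consistent with the real buffer length. */
enum bmp_status bmp_validate(const uint8_t *buf, size_t len, bmp_info *out)
{
    if (len < 54) return BMP_ERR_SHORT;                 /* 14-byte file header + 40-byte info header */
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_MAGIC;
    uint32_t off_bits = rd32(buf + 10), hdr_size = rd32(buf + 14);
    if (hdr_size < 40 || hdr_size > len - 14) return BMP_ERR_HEADER;
    int32_t width = (int32_t)rd32(buf + 18), height = (int32_t)rd32(buf + 22);
    uint16_t planes = rd16(buf + 26), bpp = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30), clr_used = rd32(buf + 46);
    if (planes != 1 || compression != 0) return BMP_ERR_HEADER;   /* uncompressed BI_RGB only here */
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return BMP_ERR_HEADER;
    if (width <= 0 || height == 0) return BMP_ERR_GEOMETRY;
    /* A palette, if any, must sit between the info header and the pixel array. */
    uint64_t palette_bytes = 0;
    if (bpp <= 8) {
        uint64_t entries = clr_used ? clr_used : (1u << bpp);
        if (entries > (1u << bpp)) return BMP_ERR_PALETTE;
        palette_bytes = entries * 4;
    }
    if (off_bits < 14 + (uint64_t)hdr_size + palette_bytes || off_bits > len) return BMP_ERR_OFFSET;
    /* Stride and image size in 64-bit arithmetic so a hostile width cannot wrap. */
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;
    if (stride > UINT32_MAX) return BMP_ERR_PIXELS;
    uint64_t rows = (uint64_t)(height < 0 ? -(int64_t)height : (int64_t)height);
    uint64_t pixel_bytes = stride * rows;              /* <= 2^32 * 2^31, cannot overflow */
    if (pixel_bytes > len - off_bits) return BMP_ERR_PIXELS;
    out->width = width; out->height = height; out->bpp = bpp; out->pixel_offset = off_bits;
    out->stride = (uint32_t)stride; out->pixel_bytes = pixel_bytes;
    return BMP_OK;
}

/* Copy the pixel array into a buffer sized from validated values only, normalising
 * bottom-up files to top-down order. NULL if validation fails; caller frees the result. */
uint8_t *bmp_load_topdown(const uint8_t *buf, size_t len, bmp_info *info)
{
    if (bmp_validate(buf, len, info) != BMP_OK) return NULL;
    uint8_t *px = malloc((size_t)info->pixel_bytes);
    if (!px) return NULL;
    uint64_t rows = info->pixel_bytes / info->stride;
    for (uint64_t r = 0; r < rows; r++) {
        uint64_t src_row = info->height < 0 ? r : rows - 1 - r;
        memcpy(px + r * info->stride, buf + info->pixel_offset + src_row * info->stride, info->stride);
    }
    return px;
}

#define SAMPLE_LEN 70
/* Constructed 2x2, 24-bpp sample (not a file from the advisory). Rows are 8 bytes:
 * row 0 = blue, green; row 1 = red, white (BGR triplets plus 2 padding bytes). */
static void make_sample_bmp(uint8_t out[SAMPLE_LEN], int32_t width, int32_t height, uint32_t off_bits)
{
    static const uint8_t px[16] = { 255,0,0, 0,255,0, 0,0,  0,0,255, 255,255,255, 0,0 };
    memset(out, 0, SAMPLE_LEN);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, SAMPLE_LEN); wr32(out + 10, off_bits); wr32(out + 14, 40);
    wr32(out + 18, (uint32_t)width); wr32(out + 22, (uint32_t)height);
    wr16(out + 26, 1); wr16(out + 28, 24); wr32(out + 34, 16);
    memcpy(out + 54, px, 16);
}

/* Validation verdict for the sample with the given (possibly inconsistent) header fields. */
int demo_validate(int32_t width, int32_t height, uint32_t off_bits)
{
    uint8_t f[SAMPLE_LEN]; bmp_info info;
    make_sample_bmp(f, width, height, off_bits);
    return bmp_validate(f, SAMPLE_LEN, &info);
}

/* Red byte of the first top-down pixel, or -1 if the file is rejected. */
int demo_first_pixel_red(int32_t height)
{
    uint8_t f[SAMPLE_LEN]; bmp_info info;
    make_sample_bmp(f, 2, height, 54);
    uint8_t *px = bmp_load_topdown(f, SAMPLE_LEN, &info);
    if (!px) return -1;
    int red = px[2];
    free(px);
    return red;
}
```

The design point is that the allocation size and every row index in bmp_load_topdown derive from values that bmp_validate has already bounded by the real file length, so an inconsistent header (an oversized width, a pixel offset beyond the end of the file, a palette that overlaps the pixel array) is rejected up front instead of steering a write outside the destination buffer. A fuzzer fed with mutated headers is the practical way to confirm that no input reaches the copy loop with unchecked values.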
ACKNOWLEDGMENTS
Siemens Healthineers thanks the following parties for their efforts:
- Trend Micro Zero Day Initiative for coordinated disclosure
For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers using the following link: https://www.siemens-healthineers.com/cybersecurity
HISTORY DATA
V1.0 (2021-12-14): Publication Date
V1.1 (2022-02-08): Added CVE-2021-45465
TERMS OF USE
Siemens Healthineers Security Advisories are subject to the terms and conditions contained in Siemens’ Healthineers underlying license terms or other applicable agreements previously agreed to with Siemens Healthineers (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Healthineers Security Advisory, the Terms of Use of Siemens’ Healthineers Global Website (https://www.siemens-healthineers.com/terms-of-use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.