📄 Description (English)
A weakness has been identified in OFFIS DCMTK 3.7.0. This affects the function DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages of the file dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. This patch is called 0f78a4ef6f645ea5530166e445e5436a5de58e75. A patch should be applied to remediate this issue.
🤖 AI Executive Summary
A heap-based buffer overflow vulnerability exists in OFFIS DCMTK 3.7.0's DICOM query/retrieve service (dcmqrscp), specifically in the deleteOldestImages function. This remotely exploitable flaw could allow attackers to crash the service or potentially execute arbitrary code on healthcare imaging systems. With no patch currently available and no public exploits, immediate mitigation through network segmentation and monitoring is critical for Saudi healthcare organizations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 31, 2026 21:01
🇸🇦 Saudi Arabia Impact Assessment
Healthcare sector (Ministry of Health, private hospitals, diagnostic centers) is most critically affected as DCMTK is widely used in PACS (Picture Archiving and Communication Systems) and medical imaging infrastructure. Secondary impact on government health agencies and research institutions. Potential disruption to patient care workflows and imaging data integrity. Banking and insurance sectors using DICOM for medical records processing may also be affected.
🏢 Affected Saudi Sectors
Healthcare (Ministry of Health, hospitals, diagnostic centers, PACS systems)
Government (health agencies, medical research institutions)
Insurance (medical claims processing)
Pharmaceutical (clinical trial management systems)
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running OFFIS DCMTK 3.7.0 using network scanning and asset inventory tools
2. Isolate affected dcmqrscp services from untrusted networks using firewall rules
3. Restrict network access to DICOM query/retrieve ports (typically 4242) to authorized medical workstations only
4. Enable comprehensive logging and monitoring of dcmqrscp process behavior
COMPENSATING CONTROLS (until patch available):
5. Implement network segmentation: place DICOM servers on isolated VLAN with strict ingress/egress rules
6. Deploy IDS/IPS rules to detect malformed DICOM query requests targeting deleteOldestImages function
7. Monitor heap memory allocation patterns and process crashes in dcmqrscp
8. Implement rate limiting on DICOM query requests
9. Run dcmqrscp with minimal privileges (dedicated service account)
10. Consider temporary disabling of automatic image deletion features if operationally feasible
DETECTION RULES:
- Alert on dcmqrscp process crashes or abnormal termination
- Monitor for unusual DICOM C-FIND/C-MOVE requests with oversized parameters
- Track memory access violations in dcmqrdbi.cc execution context
- Log all remote connections to DICOM query/retrieve ports
PATCHING:
11. Monitor OFFIS DCMTK repository for patch release (reference commit: 0f78a4ef6f645ea5530166e445e5436a5de58e75)
12. Prepare upgrade plan to patched version once available
13. Test patches in isolated environment before production deployment
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تعمل بـ OFFIS DCMTK 3.7.0 باستخدام أدوات المسح والجرد
2. عزل خدمات dcmqrscp المتأثرة عن الشبكات غير الموثوقة باستخدام قواعد جدار الحماية
3. تقييد الوصول الشبكي إلى منافذ DICOM (عادة 4242) للمحطات الطبية المصرح بها فقط
4. تفعيل التسجيل والمراقبة الشاملة لسلوك عملية dcmqrscp
الضوابط البديلة (حتى توفر التصحيح):
5. تطبيق تقسيم الشبكة: وضع خوادم DICOM على VLAN معزول مع قواعد صارمة
6. نشر قواعد IDS/IPS للكشف عن طلبات DICOM المشوهة
7. مراقبة أنماط تخصيص الذاكرة وتعطل العمليات
8. تطبيق تحديد معدل على طلبات DICOM
9. تشغيل dcmqrscp بامتيازات محدودة
10. النظر في تعطيل ميزات حذف الصور التلقائية مؤقتاً
قواعد الكشف:
- تنبيهات عند تعطل عملية dcmqrscp
- مراقبة طلبات DICOM غير العادية ذات المعاملات الكبيرة
- تتبع انتهاكات الوصول للذاكرة
- تسجيل جميع الاتصالات البعيدة لمنافذ DICOM
التصحيح:
11. مراقبة مستودع OFFIS DCMTK لإصدار التصحيح
12. إعداد خطة ترقية عند توفر النسخة المصححة
13. اختبار التصحيحات في بيئة معزولة قبل النشر
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.14.2.1 - Secure development policy
ECC 2024 A.12.3.1 - Configuration management
ECC 2024 A.12.2.1 - Change management
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.IP-12 - System and information integrity
DE.CM-8 - Vulnerability scans
RS.MI-2 - Incident response and mitigation
🟡 ISO 27001:2022
A.12.2.1 - Change management procedures
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.12.3.1 - Configuration management
🟣 PCI DSS v4.0.1
Requirement 6.2 - Security patches and updates
Requirement 11.2 - Vulnerability scanning
🔗 References & Sources 5