Siemens Healthineers Security Advisory

DICOM/BMP File Parsing Vulnerabilities in syngo fastView


Publication Date: 2021-12-14

Last Update: 2022-02-08

Current Version: V1.1

CVSS v3.1 Base Score: 7.8

SUMMARY

syngo fastView contains vulnerabilities that could be triggered while parsing DICOM or BMP files. If a user is tricked into opening a malicious file in syngo fastView, this could lead to a crash of the application or potentially to arbitrary code execution.

Siemens Healthineers recommends specific countermeasures for products where updates are not, or not yet available.

Affected Product and Versions: syngo fastView, all versions

Remediation: Currently no remediation is planned. See recommendations from section Workarounds and Mitigations.

WORKAROUNDS AND MITIGATIONS 

Siemens Healthineers has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

  • Download syngo fastView only from the official Siemens Healthineers page
  • Avoid opening untrusted files from unknown sources in syngo fastView
  • Remove syngo fastView after viewing the required files

GENERAL SECURITY RECOMMENDATIONS
In addition, Siemens Healthineers recommends the following:

  • Ensure you have appropriate backups and system restoration procedures.
  • Securely delete any backup files that are no longer needed.
  • For specific patch and remediation guidance information contact your local Siemens Healthineers Customer Service Engineer, portal or our Regional Support Center. To find your local contact, please refer to https://www.siemens-healthineers.com/how-can-we-help-you

PRODUCT DESCRIPTION
syngo fastView is a standalone viewer for DICOM (Digital Imaging and Communications in Medicine) images provided on DICOM exchange media. syngo fastView can be used on any Windows PC but it is not a medical device and therefore not permitted for diagnostic use. Consequently, syngo fastView cannot be run on Medical Workstations from Siemens Healthineers.

VULNERABILITY CLASSIFICATION
The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1)
(https://www.first.org/cvss/). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.


Vulnerability CVE-2021-40367

The affected application lacks proper validation of user-supplied data when parsing DICOM files. This could result in an out-of-bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-15097)

CVSS v3.1 Base Score 7.8

CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C

CWE CWE-787: Out-of-bounds Write


Vulnerability CVE-2021-42028

The affected application lacks proper validation of user-supplied data when parsing BMP files. This could result in an out-of-bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-14860)

CVSS v3.1 Base Score 7.8

CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C

CWE CWE-787: Out-of-bounds Write


Vulnerability CVE-2021-45465

The affected application lacks proper validation of user-supplied data when parsing BMP files. This could result in a write-what-where condition and an attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-15696)

CVSS v3.1 Base Score 7.8

CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C

CWE CWE-123: Write-what-where Condition
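As an added illustration (not code from syngo fastView, and not the specific defect behind these CVEs, which the advisory does not detail), the following C function shows the kind of header validation whose absence produces the out-of-bounds write class (CWE-787) that all three entries describe: every dimension read from an untrusted BMP header is range- and overflow-checked before it sizes a pixel buffer. The field offsets follow the public BMP header layout; the two sample files are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Little-endian field helpers for the public BMP header layout. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Return the pixel-buffer size the header implies, or 0 when the header is
 * malformed or the file is too short to hold that many bytes. Every value
 * that feeds an allocation or copy length is range- and overflow-checked,
 * so a hostile header cannot yield a buffer smaller than what the decoder
 * later writes into it (the CWE-787 pattern named in the advisory). */
size_t bmp_checked_pixel_bytes(const uint8_t *buf, size_t len) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return 0; /* 14-byte file + 40-byte info header */
    uint32_t data_off = rd32(buf + 10);
    if (rd32(buf + 14) < 40) return 0;                         /* biSize */
    int32_t  width  = (int32_t)rd32(buf + 18);
    int32_t  height = (int32_t)rd32(buf + 22);                 /* negative = top-down */
    uint16_t bpp    = (uint16_t)(buf[28] | buf[29] << 8);
    if (width <= 0 || height == 0 || height == INT32_MIN) return 0;
    if (bpp != 8 && bpp != 24 && bpp != 32) return 0;
    uint64_t rows      = (uint64_t)(height < 0 ? -(int64_t)height : height);
    uint64_t row_bytes = (((uint64_t)width * bpp + 31) / 32) * 4; /* rows are 4-byte aligned */
    if (row_bytes > UINT64_MAX / rows) return 0;               /* rows * row_bytes would wrap */
    uint64_t total = row_bytes * rows;
    if (data_off < 54 || data_off > len || total > len - data_off) return 0;
    return (size_t)total;
}

/* Write a 54-byte header with the given geometry (constructed test input). */
void bmp_make_header(uint8_t out[54], int32_t w, int32_t h, uint16_t bpp, uint32_t data_off) {
    memset(out, 0, 54);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 10, data_off); wr32(out + 14, 40);
    wr32(out + 18, (uint32_t)w); wr32(out + 22, (uint32_t)h);
    out[26] = 1; out[28] = (uint8_t)bpp; out[29] = (uint8_t)(bpp >> 8);
}

/* Constructed samples: a 2x2 24-bpp image in a 70-byte file, and the same
 * 70-byte file whose header claims a 2147483647 x 2147483647 image. */
size_t sample_valid_bytes(void) {
    uint8_t f[70] = {0};
    bmp_make_header(f, 2, 2, 24, 54);
    return bmp_checked_pixel_bytes(f, sizeof f);   /* 16: two 8-byte rows */
}
size_t sample_oversized_bytes(void) {
    uint8_t f[70] = {0};
    bmp_make_header(f, INT32_MAX, INT32_MAX, 24, 54);
    return bmp_checked_pixel_bytes(f, sizeof f);   /* 0: rejected before any allocation */
}
```

The oversized sample is rejected purely from the header arithmetic, before any buffer is allocated or pixel data is touched.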


ACKNOWLEDGMENTS 
Siemens Healthineers thanks the following parties for their efforts:

  • Trend Micro Zero Day Initiative for coordinated disclosure

ADDITIONAL INFORMATION 

For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers using the following link:  https://www.siemens-healthineers.com/cybersecurity


HISTORY DATA 

V1.0 (2021-12-14): Publication Date

V1.1 (2022-02-08): Added CVE-2021-45465


TERMS OF USE
Siemens Healthineers Security Advisories are subject to the terms and conditions contained in Siemens’ Healthineers underlying license terms or other applicable agreements previously agreed to with Siemens Healthineers (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Healthineers Security Advisory, the Terms of Use of Siemens’ Healthineers Global Website (https://www.siemens-healthineers.com/terms-of-use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.