CVE-2015-8979 in DCMTK
Summary
by MITRE
Stack-based buffer overflow in the parsePresentationContext function in storescp in DICOM dcmtk-3.6.0 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a long string sent to TCP port 4242.
Analysis
by VulDB Data Team • 11/04/2024
CVE-2015-8979 is a critical stack-based buffer overflow in the DICOM toolkit dcmtk, version 3.6.0 and earlier. It lies in the parsePresentationContext function of storescp, the toolkit's DICOM storage service daemon, and is triggered when the daemon receives malformed input on TCP port 4242, the standard port for DICOM storage services. The root cause is missing input validation and bounds checking in the code that parses presentation contexts in DICOM protocol communications: a sufficiently long string is copied into a fixed-size stack buffer, overruns it, and corrupts adjacent stack memory, which terminates the application.
Exploitation requires only that a remote attacker send an overlong string to TCP port 4242 of the target system; the overflow occurs while the presentation context information is being parsed. The weakness is CWE-121 (Stack-based Buffer Overflow), a fundamental memory-safety defect in which data written past the end of a stack buffer overwrites adjacent memory. The operational impact is denial of service: the resulting segmentation fault crashes the storescp process, taking the DICOM storage service offline until an administrator restarts it and interrupting medical image transfers in healthcare environments in the meantime.
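The bug class described in the two paragraphs above, as an added illustration that is not DCMTK's code and not the actual vulnerable function: a hypothetical parser that copies a presentation-context field into a fixed-size stack buffer, first without any bounds check (the CWE-121 pattern, kept only for contrast and never called here) and then with the item's declared length checked against both the bytes actually received and the destination size before anything is copied. The item layout (a 2-byte big-endian length followed by the payload), the 64-byte buffer and the helper names are all constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64   /* hypothetical fixed-size stack buffer for the field */

/* Unsafe pattern (CWE-121): the caller-supplied string is copied into a
 * fixed-size stack buffer with no length check. Any input of NAME_BUF
 * bytes or more runs past the buffer and corrupts adjacent stack memory,
 * which is the kind of defect the advisory describes. Never called in
 * this file; it exists only to contrast with the checked version. */
void parse_context_unchecked(const char *in)
{
    char name[NAME_BUF];
    strcpy(name, in);             /* no bounds check */
    printf("parsed %s\n", name);
}

/* Hardened pattern: the item is length-prefixed (constructed layout:
 * 2-byte big-endian length, then payload). The declared length is checked
 * against the bytes actually present AND against the destination size
 * before anything is copied, so an overlong or truncated item is rejected
 * instead of overflowing the stack. */
static bool parse_context_checked(const unsigned char *item, size_t item_len,
                                  char *out, size_t out_size)
{
    if (item_len < 2 || out_size == 0)
        return false;
    size_t declared = ((size_t)item[0] << 8) | item[1];
    if (declared > item_len - 2)   /* claims more bytes than were received */
        return false;
    if (declared >= out_size)      /* would not fit, NUL terminator included */
        return false;
    memcpy(out, item + 2, declared);
    out[declared] = '\0';
    return true;
}

/* Builds a constructed item with payload_len bytes of 'A' and feeds it to
 * the checked parser. Returns 1 if accepted, 0 if rejected, -1 if the
 * requested payload does not fit the scratch buffer. */
int try_item(size_t payload_len)
{
    unsigned char item[2 + 1024];
    char name[NAME_BUF];

    if (payload_len > sizeof item - 2)
        return -1;
    item[0] = (unsigned char)(payload_len >> 8);
    item[1] = (unsigned char)(payload_len & 0xffu);
    memset(item + 2, 'A', payload_len);
    return parse_context_checked(item, 2 + payload_len, name, sizeof name) ? 1 : 0;
}

/* A truncated item: the header claims 256 bytes but only 8 follow. */
int try_truncated(void)
{
    unsigned char item[2 + 8] = { 0x01, 0x00 };
    char name[NAME_BUF];

    memset(item + 2, 'A', 8);
    return parse_context_checked(item, sizeof item, name, sizeof name) ? 1 : 0;
}

int main(void)
{
    printf("63-byte field:  %s\n", try_item(63) == 1 ? "accepted" : "rejected");
    printf("64-byte field:  %s\n", try_item(64) == 1 ? "accepted" : "rejected");
    printf("500-byte field: %s\n", try_item(500) == 1 ? "accepted" : "rejected");
    printf("truncated item: %s\n", try_truncated() == 1 ? "accepted" : "rejected");
    return 0;
}
```

The two checks in parse_context_checked are the ones a fuzzer or a crash triage would look for in a length-prefixed network parser: a declared length that exceeds the bytes received (an out-of-bounds read) and one that exceeds the destination (an out-of-bounds write, the case behind this CVE). Rejecting the item, and ideally aborting the association, is the safe response; logging the peer address and the declared length gives operators a detection signal for malformed association requests.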
In ATT&CK terms this vulnerability maps to technique T1499.004, network disruption through service availability attacks. The attack vector is remote, requires no authentication and no user interaction, which makes the flaw particularly dangerous in healthcare environments where DICOM services underpin medical image storage and retrieval and, through them, patient care delivery. Because an unavailable imaging system during a critical procedure can affect patient safety, organizations running affected dcmtk versions should treat patching as an immediate, high-priority remediation; the same applies to medical device manufacturers whose products depend on DICOM-compliant components.