CVE-2015-8396
published 2016-01-12

CVE-2015-8396: Integer overflow in the ImageRegionReader::ReadIntoBuffer function in MediaStorageAndFileFormat/gdcmImageRegionReader.cxx in Grassroots DICOM (aka GDCM) before…

Priority: P2 · 64 · CVSS 3.0 base score 10.0 (critical)
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
Exploit: public PoC available (see Detection & IOCs below)
EPSS: 16.80% (96.7th percentile)
Integer overflow in the ImageRegionReader::ReadIntoBuffer function in MediaStorageAndFileFormat/gdcmImageRegionReader.cxx in Grassroots DICOM (aka GDCM) before 2.6.2 allows attackers to execute arbitrary code via crafted header dimensions in a DICOM image file, which triggers a buffer overflow.

Affected (3 ranges)

Vendor      Product            Version range               Fixed in
debian      gdcm               < gdcm 2.6.2-1 (bookworm)   gdcm 2.6.2-1 (bookworm)
malaterre   grassroots_dicom   <= 2.6.0                    (none listed)
malaterre   grassroots_dicom   (not specified)             (none listed)

Detection & IOCs (extracted from sources)

url: http://census-labs.com/media/CVE-2015-8396.dcm.bz2
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39229.zip
filename: CVE-2015-8396.dcm
path: MediaStorageAndFileFormat/gdcmImageRegionReader.cxx
  • The overflow is triggered in gdcm::ImageRegionReader::ReadIntoBuffer when a DICOM file with crafted header dimensions is processed: the dimension values are multiplied to derive a buffer length, the product wraps, and the subsequent read overflows the buffer. Applications that call this function on untrusted input are the exposure point; validate the header dimensions before the call rather than relying on the library to reject them.
  • The overflow occurs regardless of the size of the buffer the caller passes to ReadIntoBuffer, so a larger buffer is not a mitigation. Any DICOM file with crafted header dimensions that reaches this function should be treated as malicious.
  • Affected versions are GDCM 2.6.0 and 2.6.1, and possibly earlier releases including the 2.4.x series. Inventory the GDCM version in use wherever untrusted DICOM files are processed.
  • The PoC is a crafted .dcm file whose header dimension values (dims[0], dims[1], dims[2]) are abnormally large. Inspect incoming DICOM files for dimension values whose product overflows the integer type used for the length computation.
  • Debian Security Tracker lists the vulnerability scope as 'local', meaning exploitation requires the ability to supply a crafted DICOM file to an application using the vulnerable GDCM library. Note that NVD's CVSS v3.0 vector nevertheless rates the attack vector as network (AV:N).
  • GDCM 2.4.x may also be affected even though it predates the 2.6 series; the vulnerable source pattern appears to be present in 2.4.5 as well.
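The following is an added triage example, not GDCM's code and not the published PoC. It pulls Rows, Columns and Number of Frames out of an explicit-VR little-endian DICOM header (the transfer syntax is an assumption; files in other syntaxes are reported as unparseable), shows the unchecked 32-bit product of those dimensions wrapping next to a checked version that refuses the overflow, and wraps the checked length in a hypothetical read_into_buffer_checked that stands in for a ReadIntoBuffer-style call. The sample bytes built by make_sample are constructed for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <limits>
#include <optional>
#include <string>
#include <vector>

struct Dims { uint32_t rows = 0, cols = 0, frames = 1; };  // frames defaults to 1 when absent

static uint16_t u16(const uint8_t* p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t u32(const uint8_t* p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Walk top-level elements of an explicit-VR little-endian data set (assumed syntax) and
// pull Rows (0028,0010), Columns (0028,0011), Number of Frames (0028,0008). Stops at PixelData.
static std::optional<Dims> extract_dims(const std::vector<uint8_t>& f) {
    size_t p = (f.size() >= 132 && std::memcmp(f.data() + 128, "DICM", 4) == 0) ? 132 : 0;
    Dims d; bool rows = false, cols = false;
    while (p + 8 <= f.size()) {
        uint16_t g = u16(f.data() + p), e = u16(f.data() + p + 2);
        std::string vr(reinterpret_cast<const char*>(f.data() + p + 4), 2);
        bool long_form = vr == "OB" || vr == "OW" || vr == "OF" || vr == "SQ" || vr == "UT" || vr == "UN";
        if (long_form && p + 12 > f.size()) return std::nullopt;
        size_t hdr = long_form ? 12 : 8;
        size_t len = long_form ? u32(f.data() + p + 8) : u16(f.data() + p + 6);
        if (g == 0x7FE0 && e == 0x0010) break;  // pixel data reached: header is complete
        if (len == 0xFFFFFFFFu || p + hdr + len > f.size()) return std::nullopt;  // undefined length or truncated
        const uint8_t* v = f.data() + p + hdr;
        if (g == 0x0028 && e == 0x0010 && len == 2) { d.rows = u16(v); rows = true; }
        if (g == 0x0028 && e == 0x0011 && len == 2) { d.cols = u16(v); cols = true; }
        if (g == 0x0028 && e == 0x0008 && len > 0) {  // IS: decimal text, may be space padded
            unsigned long n = std::strtoul(std::string(reinterpret_cast<const char*>(v), len).c_str(), nullptr, 10);
            if (n == 0 || n > std::numeric_limits<uint32_t>::max()) return std::nullopt;
            d.frames = (uint32_t)n;
        }
        p += hdr + len;
    }
    if (!rows || !cols) return std::nullopt;
    return d;
}

// The wrapping pattern: a 32-bit product of header dimensions overflows silently, so a
// crafted header can yield a tiny (even zero) length for a huge image.
static uint32_t unchecked_length(const Dims& d, uint32_t bytes_per_pixel) {
    return d.cols * d.rows * d.frames * bytes_per_pixel;
}

// Hardened form: test each partial product against UINT32_MAX before multiplying.
static std::optional<uint32_t> checked_length(const Dims& d, uint32_t bytes_per_pixel) {
    uint32_t acc = 1;
    for (uint32_t f : {d.cols, d.rows, d.frames, bytes_per_pixel}) {
        if (f == 0 || acc > std::numeric_limits<uint32_t>::max() / f) return std::nullopt;
        acc *= f;
    }
    return acc;
}

// Hypothetical stand-in for a ReadIntoBuffer-style API (not GDCM's): copies only when the
// validated length fits both the available source bytes and the caller's buffer.
static bool read_into_buffer_checked(const Dims& d, uint32_t bpp, const uint8_t* src,
                                     size_t src_len, uint8_t* dst, size_t dst_len) {
    std::optional<uint32_t> need = checked_length(d, bpp);
    if (!need || *need > src_len || *need > dst_len) return false;
    std::memcpy(dst, src, *need);
    return true;
}

// Triage verdict: true when the header cannot be parsed or its dimensions would wrap a
// 32-bit length computation for the given sample size.
static bool header_suspicious(const std::vector<uint8_t>& file, uint32_t bpp) {
    std::optional<Dims> d = extract_dims(file);
    return !d || !checked_length(*d, bpp);
}

// Constructed sample (not a real study, not the PoC): preamble, "DICM", Number of Frames,
// Rows, Columns, then an empty PixelData element.
static std::vector<uint8_t> make_sample(uint16_t rows, uint16_t cols, const std::string& frames) {
    std::vector<uint8_t> f(128, 0);
    f.insert(f.end(), {'D', 'I', 'C', 'M'});
    std::string is = frames.size() % 2 ? frames + ' ' : frames;  // IS values are even-length
    f.insert(f.end(), {0x28, 0x00, 0x08, 0x00, 'I', 'S', (uint8_t)is.size(), 0});
    f.insert(f.end(), is.begin(), is.end());
    auto us = [&](uint16_t e, uint16_t v) {
        f.insert(f.end(), {0x28, 0x00, (uint8_t)e, (uint8_t)(e >> 8), 'U', 'S', 2, 0,
                           (uint8_t)v, (uint8_t)(v >> 8)});
    };
    us(0x0010, rows);
    us(0x0011, cols);
    f.insert(f.end(), {0xE0, 0x7F, 0x10, 0x00, 'O', 'B', 0, 0, 0, 0, 0, 0});
    return f;
}

int main() {  // stand-alone demo: 256 x 256 x 65536 frames x 1 byte wraps to a zero length
    std::vector<uint8_t> f = make_sample(256, 256, "65536");
    std::printf("unchecked length = %u, verdict = %s\n", unchecked_length(*extract_dims(f), 1),
                header_suspicious(f, 1) ? "suspicious" : "ok");
    return 0;
}
```

The checked product is what a caller should compute before handing a buffer to the library; the division test rejects the wrap instead of producing an undersized length. To triage a real file, read it into the vector and call header_suspicious with the bytes per pixel implied by its Bits Allocated and Samples per Pixel.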

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      10.0    CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
osv             -         10.0    CRITICAL   -
vendor_debian   -         10.0    CRITICAL   -