CVE-2015-8396
Published 2016-01-12
Priority: P264, critical, 10 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 16.80% (96.7th percentile)
Integer overflow in the ImageRegionReader::ReadIntoBuffer function in MediaStorageAndFileFormat/gdcmImageRegionReader.cxx in Grassroots DICOM (aka GDCM) before 2.6.2 allows attackers to execute arbitrary code via crafted header dimensions in a DICOM image file, which triggers a buffer overflow.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gdcm | < gdcm 2.6.2-1 (bookworm) | gdcm 2.6.2-1 (bookworm) |
| malaterre | grassroots_dicom | <= 2.6.0 | — |
| malaterre | grassroots_dicom | — | — |
Detection & IOCs
- The vulnerability is triggered via the gdcm::ImageRegionReader::ReadIntoBuffer function when processing a crafted DICOM file with malicious header dimensions causing an integer overflow. Monitor for calls to this function with crafted/unexpected dimension values.
- The buffer overflow occurs regardless of the size of the buffer supplied to ReadIntoBuffer — any DICOM file with crafted header dimensions passed to this function should be treated as suspicious.
- Affected versions are GDCM 2.6.0 and 2.6.1 (and possibly earlier including 2.4.x). Detect use of these library versions in environments processing untrusted DICOM files.
- The exploit PoC uses a crafted .dcm file with abnormally large header dimension values (dims[0], dims[1], dims[2]). Inspect DICOM files for header dimensions that would cause integer overflow when multiplied together.
- The vulnerability scope is listed as 'local' by Debian Security Tracker, meaning exploitation requires local access or the ability to supply a crafted DICOM file to an application using the vulnerable GDCM library.
- GDCM 2.4.x may also be affected despite not being in the 2.6 series; the vulnerable source code pattern appears present in 2.4.5 as well.
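The failure mode in the items above, as an added example that is not GDCM's code: a buffer-capacity check computed in 32-bit arithmetic beside an overflow-checked one, plus a triage test for header dimensions. The 32-bit width, the function names and the sample dimensions are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Weak check (illustrative, not GDCM source): the 32-bit product wraps
 * modulo 2^32, so oversized dimensions can yield a small "needed" value. */
static bool fits_unchecked(const uint32_t dims[3], uint32_t bpp, uint32_t buflen)
{
    uint32_t needed = dims[0] * dims[1] * dims[2] * bpp;
    return needed <= buflen;
}

/* Computes dims[0]*dims[1]*dims[2]*bpp in 64 bits.
 * Returns false if any factor is zero or the product exceeds UINT64_MAX. */
static bool region_bytes(const uint32_t dims[3], uint32_t bpp, uint64_t *out)
{
    const uint64_t f[4] = { dims[0], dims[1], dims[2], bpp };
    uint64_t n = 1;
    for (int i = 0; i < 4; i++) {
        if (f[i] == 0 || n > UINT64_MAX / f[i])
            return false;
        n *= f[i];
    }
    *out = n;
    return true;
}

/* Hardened check: reject before any copy when the true size exceeds the buffer. */
static bool fits_checked(const uint32_t dims[3], uint32_t bpp, size_t buflen)
{
    uint64_t needed;
    return region_bytes(dims, bpp, &needed) && needed <= (uint64_t)buflen;
}

/* Triage helper: true when the header is invalid or its size needs more than 32 bits. */
static bool header_wraps_u32(const uint32_t dims[3], uint32_t bpp)
{
    uint64_t needed;
    return !region_bytes(dims, bpp, &needed) || needed > UINT32_MAX;
}

/* Constructed sample headers (not taken from any real file or PoC). */
static const uint32_t SAMPLE_NORMAL[3]  = { 512, 512, 1 };
static const uint32_t SAMPLE_WRAPPED[3] = { 65536, 65536, 1 };
int main(void)
{
    /* Exit 0: the weak check accepts the wrapped header, the hardened one rejects it. */
    return (fits_unchecked(SAMPLE_WRAPPED, 1, 16) && !fits_checked(SAMPLE_WRAPPED, 1, 16)) ? 0 : 1;
}
```

The wrapped sample passes the weak check for any buffer length, which matches the page's statement that the overflow occurs regardless of the supplied buffer size.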
CVSS provenance
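| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |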
GHSA
GHSA-xc32-5f4v-7g6x: Integer overflow in the ImageRegionReader::ReadIntoBuffer function in MediaStorageAndFileFormat/gdcmImageRegionReader
ghsa_unreviewed·2022-05-14
OSV
CVE-2015-8396: Integer overflow in the ImageRegionReader::ReadIntoBuffer function in MediaStorageAndFileFormat/gdcmImageRegionReader
osv·2016-01-12·CVSS 10.0
Debian
CVE-2015-8396: gdcm - Integer overflow in the ImageRegionReader::ReadIntoBuffer function in MediaStora...
vendor_debian·2015·CVSS 10.0
Scope: local
bookworm: resolved (fixed in 2.6.2-1)
bullseye: resolved (fixed in 2.6.2-1)
forky: resolved (fixed in 2.6.2-1)
sid: resolved (fixed in 2.6.2-1)
trixie: resolved (fixed in 2.6.2-1)
No detection rules found.
Bugzilla
CVE-2015-8396 gdcm: Buffer overflow in ImageRegionReader::ReadIntoBuffer [fedora-all]
bugzilla·2016-01-11·CVSS 10.0
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported vers
Bugzilla
CVE-2015-8396 gdcm: Buffer overflow in ImageRegionReader::ReadIntoBuffer
bugzilla·2016-01-11·CVSS 10.0
It was found that GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone to an integer overflow vulnerability which leads to a buffer overflow and potentially to remote code execution. The vulnerability is triggered by the exposed function gdcm::ImageRegionReader::ReadIntoBuffer, which copies DICOM image data to a buffer. ReadIntoBuffer checks whether the supplied buffer is large enough to hold the necessary data; however, in this check it fails to detect the occurrence of an integer overflow, which leads to a buffer overflow later on in the code. The buffer overflow will occur regardless of the size of the buffer supplied to the ReadIntoBuffer call.
External reference:
http://census-labs.com/news/
- http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/
- http://packetstormsecurity.com/files/135205/GDCM-2.6.0-2.6.1-Integer-Overflow.html
- http://seclists.org/fulldisclosure/2016/Jan/29
- http://sourceforge.net/p/gdcm/gdcm/ci/e547b1ded3fd21e0b0ad149f13045aa12d4b9b7c/
- http://sourceforge.net/p/gdcm/mailman/message/34670701/
- http://sourceforge.net/p/gdcm/mailman/message/34687533/
- http://www.securityfocus.com/archive/1/537264/100/0/threaded
- https://www.exploit-db.com/exploits/39229/
Published: 2016-01-12