The DICOM Standards Organization DICOM File Preamble – Security Bulletin
Published: July 19, 2019
DICOM.org has reported the following Security Advisory:
VULNERABILITY SUMMARY
The DICOM Standards Organization has reported a data validation vulnerability in the preamble defined by the DICOM File format. According to this report, the vulnerability is exploitable by embedding executable code into the 128-byte preamble. A malicious actor could modify a DICOM file preamble so that it is treated as both an executable program and as a DICOM file. A user might be somehow convinced to execute the file.
Note:
The DICOM Network Communications protocol between modalities, PACS, and display systems does not transmit a preamble and is not subject to this vulnerability.
References:
DICOM FAQ Response to 128-byte preamble vulnerability
RESOLUTION
Review link provided above for details and vulnerability scenarios.
For Vital Images customers, always exercise caution by reviewing or AV (Antivirus) scanning the contents of any portable media (CDs, USBs, etc.) to determine that all files are legitimate DICOM files. Vital recommends that affected users reach out to their specific AV vendor to determine if their solution properly scans for the affected file type. In the situation where an AV solution cannot be installed, affected users should take steps to make sure that they have processes and procedures in place to scan portable/removable media for suspicious files before introducing the media into their medical networks.
Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.
If you have any questions, please contact Vital Customer Success.
CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability – Security Bulletin
Published: June 20, 2019
Microsoft® has provided the following Security Bulletin for the Remote Desktop Services Remote Code Execution Vulnerability (a.k.a. BlueKeep) Vulnerability CVE-2019-0708:
VULNERABILITY SUMMARY
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.
The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.
References:
- CVE-2019-0708 – From the National Vulnerability Database
- CVE-2019-0708 – Microsoft Security Announcement
Only impacted versions are listed:
- Windows 7 for X64-based Systems Service Pack 1 for Vitrea 6.x and Vitrea 7.x
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 for Vitrea 6.x
RESOLUTION
Microsoft strongly recommends taking the Windows Update as soon as possible.
The required patches for all impacted versions can be found here.
Vital Images recommends taking the Microsoft Monthly Updates.
Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.
If you have any questions, please contact Vital Customer Success.
HPE Integrated Lights-Out 4 (iLO 4) for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 Servers – Security Bulletin
Published: June 17, 2019
Hewlett Packard Enterprise has provided the following Security Bulletin:
VULNERABILITY SUMMARY
Vulnerabilities discovered in HPE Integrated Lights-Out 4 (iLO 4) for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 Servers could be exploited remotely to allow Cross-Site Scripting (XSS), Unauthorized Data Injection, and Buffer Overflow.
References:
- CVE-2019-11982 – Cross-Site Scripting (XSS)
- CVE-2019-11983 – Buffer overflow in CLI
- CVE-2018-7117 – Cross-Site Scripting (XSS)
Only impacted versions are listed:
- HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers 1.39 and earlier
- HPE Integrated Lights-Out 4 (iLO 4) 2.61b and earlier
RESOLUTION
HPE has provided updated firmware for Integrated Lights-Out 4 (iLO 4) for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 to resolve these issues.
- For iLO 4 (GEN 9), acquire firmware version 2.70 (or later) here and install it
- For iLO 5 (GEN 10), acquire firmware version 1.40 (or later) here and install it
Hewlett Packard Enterprise strongly recommends the information in this Security Bulletin should be acted upon as soon as possible.
Vital Images recommends subscribing to the Hewlett Packard Enterprise Security Bulletins for future security updates.
Disclaimer: When following any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.
If you have any questions, please contact Vital Customer Success.
Microarchitectural Data Sampling (a.k.a. MDS, ZombieLoad, RIDL & Fallout) - Security Advisory
Published: June 3, 2019
HPE has provided the following Security Announcement:
On May 14, 2019, Intel and other industry partners shared details and information about a new group of vulnerabilities collectively called Microarchitectural Data Sampling (MDS). These security vulnerabilities in CPUs may allow information disclosure. Intel is releasing microcode updates (MCU) to mitigate these potential vulnerabilities. These are coupled with corresponding updates to operating system and hypervisor software.
More details are available through CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, and the Intel Security Advisory.
Impact assessment for HPE Products is available here.
Additional details on HPE Support Center.
Disclaimer: If you follow the any of the links provided you will be leaving Vital Images’ website. Vital Images is not responsible for the content, security or availability of linked sites.
If you have any questions please contact Vital Customer Success.
Microsoft® Security Update (Out of Band)
CVE-2018-8653 | Scripting Engine Memory Corruption Vulnerability – Critical
Published: December 19, 2018
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.
For more details and a full list of affected systems, click here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653
If you have any questions please contact Customer Success.
Microsoft® Remote Desktop Services Security Update - Potential Compatibility Issue
Published: June 4, 2018
Microsoft has recently released a security update for a vulnerability in Remote Desktop Services(RDS). It has been reported that if two machines do not have the same RDS patch install level, an incompatibility issue between them can prevent log in.
This RDS update has been released through the standard Windows Update distribution channels and will be installed to those machines taking the standard monthly Windows Updates.
The RDS security update details are here:
CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886
Vital Images strongly recommends installing these latest security patches comprehensively to all product systems to avoid this issue.
If you have any questions, please contact Customer Success.
Microsoft® Security Update I Critical
CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability
CVE-2018-8120 | Win32k Elevation of Privilege Vulnerability
Published: May 8, 2018
Microsoft has announced and released its standard monthly security roll-up for May 2018. In it are critical updates for two vulnerabilities that were considered zero-day status until this release. These two specific vulnerabilities are unique in that they are currently being exploited in the wild. In addition, it is noteworthy that there are twenty-one (21) other critical vulnerabilities remedied in this update. As a result, Vital Images strongly recommends to install these latest security patches to all product systems as soon as possible.
At this time no Vital Images customers have reported exploitations involving these two vulnerabilities.
For more details and a full list of affected systems, click here:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120
If you have any questions please contact Customer Success.
Microsoft® Security Update (Out of Band)
CVE-2018-1038 | Windows Kernel Elevation of Privilege Vulnerability
Published: March 29, 2018
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.
The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
For more details and a full list of affected systems, click here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038
If you have any questions please contact Customer Success.
Adobe Security Advisory APSA18-01
Published February 1, 2018
A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.
Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.
A full summary containing current mitigations, affected products and plans for patching can be accessed here: https://helpx.adobe.com/security/products/flash-player/apsa18-01.html
Adobe will address this vulnerability in a release planned for the week of February 5.
For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
Please refer to this Software Security Updates page for the latest information from Vital and contact Customer Success if you have any questions.
Customer Success Alert
Meltdown and Spectre Side-Channel Vulnerabilities
The United States Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security, has released the following alert regarding the security vulnerabilities “Meltdown and Spectre.” The formal source for this alert is hosted here: US-CERT: Meltdown and Spectre Side-Channel Vulnerabilities.
Original release date: January 03, 2018
“US-CERT is aware of a set of security vulnerabilities – known as Meltdown and Spectre – that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.
Users and administrators are encouraged to review Vulnerability Note VU#584653, Microsoft’s Advisory, and Mozilla’s blog post for additional information and refer to their OS vendor for appropriate patches.
US-CERT is not aware of any active exploitation at this time and will provide additional information as it becomes available.”
This is a broad-based set of vulnerabilities that requires security patching from many contributors (e.g., hardware vendors, Microsoft, VMWare, etc.) for complete remediation. The Intel chipsets that Vital’s software runs upon are directly affected by this finding.
US-CERT advises that the changes to accommodate/remediate this issue could impact one or more of our applications. As patches become available, we will test our applications in their context and provide our customers with any specific cautions or additional instruction.
Please refer to this Software Security Updates page for the latest information from Vital and contact Customer Success if you have any questions.
Microsoft® Security Advisory 4010323
Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11
Published: May 9, 2017
Beginning May 9, 2017, Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning. This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates. For more information, please see Windows Enforcement of SHA1 Certificates.
For more details and a full list of affected systems, click here: https://technet.microsoft.com/en-us/library/security/4010323
If you have any questions please contact Customer Success.
Microsoft® Security Bulletin (MS17-010) - Critical
Vital Images strongly recommends installing the latest security updates from Microsoft as soon as they are made available.
Vital Images recommends applying MS17-010 to all your Vitrea platforms to protect against the WannaCry malware.
- VitreaAdvanced / Vitrea® Advanced Visualization
- enterprise deployment
- Vitrea Workstation or workstation deployment
- Vitrea Extend or extend deployment
- Vitrea View
- Vitality XT
If you cannot download the Windows update the Workaround can also be found in the link below to protect the system(s).
For more information see the Microsoft Security Bulletin MS17-010 – Critical. If you have any questions please contact Customer Success.
Vitrea Advanced Running VMware Tools
| Version in NGC/C# Client | Version in Tools Info Screen | Result |
|---|---|---|
| 9541 | 9.10.5 – 2981885 | NOT RECOMMENDED |
| 10240 | 10.0.0 – 3000743 | NOT RECOMMENDED |
Vital Images recommends deploying a version of VMware Tools on Vitrea Advanced servers that does not result in this behavior. The table below shows the currently recommended versions.
| Version in NGC/C# Client | Version in Tools Info Screen | Result |
|---|---|---|
| 9536 | 9.10.0 – 2476743 | OK |
| 9537 | 9.10.1 – 2791197 | OK |
| 10245 | 10.0.5 – 3227872 | OK |
Adobe® Reader® for Windows®
Adobe has released a critical security bulletin and related security updates for Adobe Reader for Windows. Vital recommends users update their product installations to the latest versions.
- Users of Adobe Reader XI (11.0.20) and earlier versions should update to version 11.0.21.
- Users of Adobe Reader DC Classic (2015.006.30306) and earlier versions should update to version 2015.006.30352.
For more information, see the Adobe Security Bulletin released on January 10, 2017 and recently updated via CVE-2017-3124.
To upgrade Adobe Reader, downloads can be found here.
All third party marks are property of their respective owners and have protection in the United States and/or other countries.
Adobe® Flash® for Windows®
Adobe has released security updates for Adobe Flash for Windows. Vital recommends users who have installed Adobe Flash to view Help and Training videos update their product installations to the latest versions. Vital Images does not distribute Adobe Flash but it can be used with the Vital products.
- Users of the Adobe Flash Player for Windows should update to Adobe Flash Player 18.0.0.209.
For more information, see the Adobe Security Bulletin released on July 14, 2015. This vulnerability is also known as ActionScript 3 opaqueBackground and BitmapData classes of Flash Player Exploitation CVE-2015-5122, CVE-2015-5123.
If you wish to upgrade Adobe Flash the latest update downloads can be found here.
Microsoft® Windows® Update MS15-061 - KB3057839
Vital uncovered an issue with the Microsoft Windows Update MS15-061 – KB3057839 that was released on June 9, 2015. If this Microsoft Update is applied to the Microsoft operating system, Vitrea® reports will be blacked out when exported to a DICOM endpoint.
Vital is working directly with Microsoft to resolve the problem.
This patch affects all versions of Vitrea deployments on Windows Server® 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, and Windows 7 SP1.
Removing this Microsoft update or preventing this update’s installation will allow Vitrea reports to export as expected.
Vital Support
Please contact Vital Customer Support with any questions or variations experienced with this issue.
Microsoft Technical Information
Microsoft® 0 Day Patch
On April 26, 2014 Microsoft announced a high impact vulnerability that affects Internet Explorer versions 6 through 11. This vulnerability could allow remote code execution on any system that is using these versions of Internet Explorer. On May 1, Microsoft released a patch that fixes this exposure.
Vital has tested the patch to this vulnerability and confirmed that installing the patch does not negatively impact any Vitrea® products.
Vital strongly recommends that all organizations apply this patch as soon as possible to all systems running any Vitrea software.
References:
Microsoft Security Advisory 2963983 – https://technet.microsoft.com/library/security/2963983
National Vulnerability Database – http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1776
Heartbleed Virus
Vital has tested our Vitrea® software and confirmed that we are not affected by the Heartbleed virus.
If you have any questions on either of these issues, please call Vital Customer Support at support@vitalimages.com or 800.208.3005.
Microsoft®, Windows® and Microsoft Windows Server® are registered trademarks of Microsoft Corporation.
Adobe®, Flash® and Reader® are registered trademarks of Adobe Systems Incorporated.
Vital is a trademark of Vital Images, Inc. Marks not owned by Vital Images, Inc. are the property of their respective holders.