An issue was identified in MIM versions 7.2.10 and 7.3.3 that allows for an attacker to execute an external entity attack (XXE) by embedding certain malicious XML documents into specific DICOM RT object tags.
In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this document into specific 3rd party private RT object metadata tags, transfer the now compromised DICOM object to MIM, and force MIM to archive and load the data by either automated Assistant response or user action.
Referenced Common Weakness Enumerations:
Affected Products and Services:
MIM Client Application
Only 7.2.10 and 7.3.3.
Primary Recommendation: Customers on an affected version are encouraged to upgrade to 7.2.11 or 7.3.4 as soon as reasonably possible.
Temporary/Tertiary Mitigation: Do not run MIM’s DICOM Store Service in promiscuous mode to prevent unauthorized DICOM nodes on your network from transferring malicious DICOM data to MIM applications or services. Ensure that all MIM Pacs remote patient lists on your network require authorization for write access.
This vulnerability was discovered by MIM Software's internal security testing team.