DCMTK (DICOM ToolKit) is an open-source collection of libraries and applications for working with DICOM (Digital Imaging and Communications in Medicine) images and data. The library is widely used in medical imaging for the communication, management, and processing of medical images and their metadata.

A NULL pointer dereference vulnerability was recently discovered in the component /libsrc/dcrleccd.cc of DCMTK v3.6.9+ DEV. The vulnerability, assigned CVE-2025-25475, allows an attacker to cause a Denial of Service (DoS) with a specifically crafted DICOM file. In this long-read post, we dive into the details of the vulnerability, how it is triggered, and ways to mitigate its effects.

Vulnerability Details

The NULL pointer dereference lives in the component dcrleccd.cc of the DCMTK library, the codec that decodes Run Length Encoded (RLE) pixel data, i.e. images stored with the DICOM RLE Lossless transfer syntax.

The relevant part of the decoder, simplified to the affected path, is as follows:

int DcrlecCodec::decode(
  const void *inputBuffer,
  size_t length,
  void *outputBuffer)
{
  const unsigned char *input = (const unsigned char *) inputBuffer;
  const unsigned char *end = input + length;
  unsigned char *output = (unsigned char *) outputBuffer; // never checked against NULL
  unsigned char byte;
  ...
  while (input < end)
  {
    byte = *input++;  // Read the next control byte from the input buffer
    if (byte)
    {
      ... // Handle non-zero control byte
    }
    else
    {
      ...
      if (input == end) return -1; // Input exhausted: no operand follows the control byte
      *output++ = *input++; // Write through output; faults if outputBuffer was NULL
      ...
    }
  }
  ...
}

The only guard on this path, `input == end`, protects the input side: it stops the decoder from reading past the end of the buffer. Nothing protects the output side. Every decoded byte is written through `output`, and a write through a pointer can only fault if that pointer is NULL, so whenever a crafted file steers the decoder into the zero-byte path while `outputBuffer` is NULL, the write dereferences a NULL pointer. The process crashes, and any application that decodes untrusted DICOM files with this DCMTK build is exposed to a Denial of Service (DoS).

Exploit Details

An attacker who can supply a DICOM file to an application built on DCMTK can craft the RLE-compressed pixel data so that decoding reaches the unchecked write, crashing the application.

An example of a crafted DICOM file structure is as follows:

...
(2) RLE Data Sequence
(3)   Item: RLE Compressed Image Segment
(4)     RLE Compression Data
          - Zero byte
          - Valid RLE encoded pixel data
          - Zero byte
...

When an application using the DCMTK library parses and decodes this file, the decoder hits the NULL pointer dereference and the process dies. For a long-running receiver such as a PACS node or a DICOM listener, one bad file takes the service down for every client it serves, which is what makes a plain crash a Denial of Service (DoS).
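The decoding path and the crafted-input layout described above, as an added example that is not DCMTK code and not the patched function: a minimal decoder for one DICOM RLE segment (the PackBits-style scheme of PS3.5 Annex G, in which a control byte 0..127 copies the next n+1 bytes literally, 129..255 repeats the next byte 257-n times, and 128 is a no-op) written two ways. `rle_decode_unchecked` trusts its output pointer and its input length the way the snippet above does; `rle_decode_checked` rejects a NULL output buffer, a too-small output buffer, and a control byte whose operand is missing. The function names, the status enum and the sample segments are all constructed for this example; the second sample follows the "zero byte, valid RLE data, zero byte" layout, where the trailing zero promises one literal byte that is not there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unchecked sketch in the spirit of the snippet above (hypothetical, not DCMTK code).
 * Trusts that `out` is non-NULL and large enough and that every control byte is
 * followed by its operand. Kept only for contrast; safe only on well-formed input. */
static size_t rle_decode_unchecked(const uint8_t *in, size_t in_len, uint8_t *out)
{
    const uint8_t *end = in + in_len;
    uint8_t *o = out;
    while (in < end) {
        uint8_t n = *in++;
        if (n <= 127) {                      /* literal run of n+1 bytes */
            size_t cnt = (size_t)n + 1;
            memcpy(o, in, cnt);              /* faults if out == NULL; over-reads short input */
            in += cnt;
            o += cnt;
        } else if (n != 128) {               /* replicate run of 257-n bytes */
            size_t cnt = 257 - (size_t)n;
            memset(o, *in++, cnt);           /* same two problems */
            o += cnt;
        }
    }
    return (size_t)(o - out);
}

enum rle_status {
    RLE_OK = 0,
    RLE_BAD_ARG,          /* NULL input, output or result pointer */
    RLE_TRUNCATED_INPUT,  /* control byte with fewer operand bytes than it needs */
    RLE_OUTPUT_OVERFLOW   /* decoded data would exceed out_cap */
};

/* Hardened version: every pointer and every length is checked before use. */
static enum rle_status rle_decode_checked(const uint8_t *in, size_t in_len,
                                          uint8_t *out, size_t out_cap, size_t *produced)
{
    if (produced == NULL) return RLE_BAD_ARG;
    *produced = 0;
    if (in == NULL || out == NULL) return RLE_BAD_ARG;   /* the check the snippet lacks */

    const uint8_t *end = in + in_len;
    size_t o = 0;
    while (in < end) {
        uint8_t n = *in++;
        size_t cnt;
        if (n == 128) continue;                           /* reserved no-op */
        if (n <= 127) {                                   /* literal run */
            cnt = (size_t)n + 1;
            if ((size_t)(end - in) < cnt) return RLE_TRUNCATED_INPUT;
            if (out_cap - o < cnt) return RLE_OUTPUT_OVERFLOW;
            memcpy(out + o, in, cnt);
            in += cnt;
        } else {                                          /* replicate run */
            cnt = 257 - (size_t)n;
            if (in >= end) return RLE_TRUNCATED_INPUT;
            if (out_cap - o < cnt) return RLE_OUTPUT_OVERFLOW;
            memset(out + o, *in++, cnt);
        }
        o += cnt;
    }
    *produced = o;
    return RLE_OK;
}

/* Constructed sample segments (not taken from any real file).
 * kSegmentOk: 0x00 -> one literal 0xAA; 0xFE -> three 0x11; 0x01 -> literals 0x22 0x33. */
static const uint8_t kSegmentOk[]        = {0x00, 0xAA, 0xFE, 0x11, 0x01, 0x22, 0x33};
static const uint8_t kSegmentOkDecoded[] = {0xAA, 0x11, 0x11, 0x11, 0x22, 0x33};
/* Zero byte, valid RLE data, trailing zero byte: the last 0x00 has no operand. */
static const uint8_t kSegmentTruncated[] = {0x00, 0xAA, 0xFE, 0x11, 0x00};

/* Returns 1 if both decoders behave as expected on the samples. */
static int self_check(void)
{
    uint8_t buf[16];
    size_t n = 0;
    if (rle_decode_unchecked(kSegmentOk, sizeof kSegmentOk, buf) != sizeof kSegmentOkDecoded) return 0;
    if (rle_decode_checked(kSegmentOk, sizeof kSegmentOk, buf, sizeof buf, &n) != RLE_OK) return 0;
    if (n != sizeof kSegmentOkDecoded || memcmp(buf, kSegmentOkDecoded, n) != 0) return 0;
    /* The case this post is about: no output buffer behind the pointer. */
    if (rle_decode_checked(kSegmentOk, sizeof kSegmentOk, NULL, sizeof buf, &n) != RLE_BAD_ARG) return 0;
    /* Trailing zero control byte with no operand. */
    if (rle_decode_checked(kSegmentTruncated, sizeof kSegmentTruncated, buf, sizeof buf, &n) != RLE_TRUNCATED_INPUT) return 0;
    /* Output buffer too small for the third run. */
    if (rle_decode_checked(kSegmentOk, sizeof kSegmentOk, buf, 4, &n) != RLE_OUTPUT_OVERFLOW) return 0;
    return 1;
}

int main(void)
{
    size_t n = 0;
    uint8_t buf[16];
    printf("checked decode of kSegmentOk: status %d, %zu bytes\n",
           (int)rle_decode_checked(kSegmentOk, sizeof kSegmentOk, buf, sizeof buf, &n), n);
    printf("checked decode with NULL output: status %d (rejected, no crash)\n",
           (int)rle_decode_checked(kSegmentOk, sizeof kSegmentOk, NULL, sizeof buf, &n));
    /* rle_decode_unchecked(kSegmentOk, sizeof kSegmentOk, NULL) would segfault here. */
    printf("self_check: %s\n", self_check() ? "pass" : "FAIL");
    return self_check() ? 0 : 1;
}
```

The point of the contrast is that the hardened decoder never reaches a write or a read it has not first proven safe: the NULL test costs one comparison per call, and the two length tests cost one comparison per run, which is negligible next to the memcpy/memset they protect.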

Mitigation and Recommendations

To mitigate this vulnerability, users of the DCMTK library should apply the official patch provided by the DCMTK developers and update their installations to the latest version.

Until the update is in place, defence in depth includes:

1. Validating DICOM files before handing them to DCMTK, rejecting any whose encapsulated pixel data has a malformed structure (for RLE Lossless, a malformed 64-byte RLE header or segment offsets that point outside the fragment).
2. Enforcing rigorous input validation in the applications that use DCMTK, in particular treating every file received over the network or from removable media as untrusted.
3. Using an alternative library or tool for handling DICOM images, with the caveat that a different implementation only helps if it has been checked against the same class of malformed input.
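One concrete form of the pre-processing check from point 1 above, as an added example that is not DCMTK code: a validator for the 64-byte header that starts every DICOM RLE fragment (PS3.5 Annex G). The header holds sixteen little-endian 32-bit values, the number of segments (1 to 15) followed by fifteen segment offsets measured from the start of the fragment, with unused slots set to zero. A file that passes this check cannot make a decoder start a segment inside the header, past the end of the fragment, or at an offset that overlaps the previous segment. The function and type names, and the sample fragments built by `build_fragment`, are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RLE_HEADER_LEN   64   /* 16 x uint32 LE: segment count + 15 offsets */
#define RLE_MAX_SEGMENTS 15

enum rle_hdr_status {
    HDR_OK = 0,
    HDR_TOO_SHORT,             /* fragment shorter than the header itself */
    HDR_BAD_SEGMENT_COUNT,     /* count outside 1..15 */
    HDR_BAD_OFFSET,            /* offset inside header, past the end, or not increasing */
    HDR_UNUSED_OFFSET_NONZERO  /* a slot beyond the segment count is not zero */
};

struct rle_segments {
    uint32_t count;
    size_t offset[RLE_MAX_SEGMENTS];
    size_t length[RLE_MAX_SEGMENTS];
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate the header before any segment reaches a decoder. On HDR_OK every
 * offset/length pair in *seg lies inside the fragment and segments are non-empty. */
static enum rle_hdr_status rle_validate_header(const uint8_t *frag, size_t frag_len,
                                               struct rle_segments *seg)
{
    if (frag == NULL || seg == NULL || frag_len < RLE_HEADER_LEN) return HDR_TOO_SHORT;
    memset(seg, 0, sizeof *seg);

    uint32_t count = get_le32(frag);
    if (count < 1 || count > RLE_MAX_SEGMENTS) return HDR_BAD_SEGMENT_COUNT;

    size_t min_off = RLE_HEADER_LEN;                 /* no segment may start inside the header */
    for (uint32_t i = 0; i < RLE_MAX_SEGMENTS; i++) {
        uint32_t off = get_le32(frag + 4 + 4 * i);
        if (i < count) {
            if (off < min_off || off >= frag_len) return HDR_BAD_OFFSET;
            seg->offset[i] = off;
            min_off = (size_t)off + 1;               /* strictly increasing: no empty/overlapping segments */
        } else if (off != 0) {
            return HDR_UNUSED_OFFSET_NONZERO;
        }
    }
    for (uint32_t i = 0; i < count; i++) {
        size_t next = (i + 1 < count) ? seg->offset[i + 1] : frag_len;
        seg->length[i] = next - seg->offset[i];
    }
    seg->count = count;
    return HDR_OK;
}

/* Test helper: writes a header with all 15 offset slots exactly as given, then the payload. */
static size_t build_fragment(uint8_t *buf, size_t cap, uint32_t count,
                             const uint32_t offsets[RLE_MAX_SEGMENTS],
                             const uint8_t *payload, size_t payload_len)
{
    if (cap < RLE_HEADER_LEN + payload_len) return 0;
    put_le32(buf, count);
    for (uint32_t i = 0; i < RLE_MAX_SEGMENTS; i++) put_le32(buf + 4 + 4 * i, offsets[i]);
    memcpy(buf + RLE_HEADER_LEN, payload, payload_len);
    return RLE_HEADER_LEN + payload_len;
}

/* Constructed payload: two RLE segments of 6 and 4 bytes (not from any real file). */
static const uint8_t kPayload[] = {0x00, 0xAA, 0xFE, 0x11, 0x01, 0x22,   /* segment 0 at offset 64 */
                                   0x00, 0xBB, 0xFD, 0x33};              /* segment 1 at offset 70 */

/* Returns 1 if the well-formed header is accepted and each malformed one is rejected. */
static int self_check(void)
{
    uint8_t frag[128];
    struct rle_segments seg;
    size_t len;
    const uint32_t good[RLE_MAX_SEGMENTS]      = {64, 70};
    const uint32_t past_end[RLE_MAX_SEGMENTS]  = {64, 500};
    const uint32_t in_header[RLE_MAX_SEGMENTS] = {8, 70};
    const uint32_t unordered[RLE_MAX_SEGMENTS] = {70, 64};
    const uint32_t junk_slot[RLE_MAX_SEGMENTS] = {64, 70, 0, 99};

    len = build_fragment(frag, sizeof frag, 2, good, kPayload, sizeof kPayload);
    if (rle_validate_header(frag, len, &seg) != HDR_OK) return 0;
    if (seg.count != 2 || seg.offset[0] != 64 || seg.length[0] != 6 ||
        seg.offset[1] != 70 || seg.length[1] != 4) return 0;
    len = build_fragment(frag, sizeof frag, 16, good, kPayload, sizeof kPayload);
    if (rle_validate_header(frag, len, &seg) != HDR_BAD_SEGMENT_COUNT) return 0;
    len = build_fragment(frag, sizeof frag, 2, past_end, kPayload, sizeof kPayload);
    if (rle_validate_header(frag, len, &seg) != HDR_BAD_OFFSET) return 0;
    len = build_fragment(frag, sizeof frag, 2, in_header, kPayload, sizeof kPayload);
    if (rle_validate_header(frag, len, &seg) != HDR_BAD_OFFSET) return 0;
    len = build_fragment(frag, sizeof frag, 2, unordered, kPayload, sizeof kPayload);
    if (rle_validate_header(frag, len, &seg) != HDR_BAD_OFFSET) return 0;
    len = build_fragment(frag, sizeof frag, 2, junk_slot, kPayload, sizeof kPayload);
    if (rle_validate_header(frag, len, &seg) != HDR_UNUSED_OFFSET_NONZERO) return 0;
    if (rle_validate_header(frag, RLE_HEADER_LEN - 1, &seg) != HDR_TOO_SHORT) return 0;
    return 1;
}

int main(void)
{
    printf("RLE header validation self_check: %s\n", self_check() ? "pass" : "FAIL");
    return self_check() ? 0 : 1;
}
```

Run this over each pixel-data fragment before decoding; a rejected header is a reason to quarantine the file, not to attempt a best-effort decode. The validator deliberately knows nothing about the image (rows, columns, bits allocated), so it cannot confirm the segment count matches the pixel format; that check belongs in the caller, which has the rest of the data set.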

Conclusion

This NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCMTK v3.6.9+ DEV affects every application that uses the library to decode RLE-compressed DICOM images from untrusted sources: a single crafted file is enough to crash the process and cause a Denial of Service (DoS). Users of the library should update their installations or apply the official patch, and add input validation in front of the decoder so that malformed pixel data is rejected before it is decoded.

Timeline

Published on: 02/18/2025 23:15:10 UTC
Last modified on: 02/20/2025 22:15:31 UTC