CVE-2018-25142

NovaRad · NovaPACS Diagnostics Viewer

NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in the XML preference import settings.

Executive summary

An unauthenticated XXE injection vulnerability in NovaRad NovaPACS Diagnostics Viewer allows attackers to retrieve sensitive system files, posing a critical risk to data confidentiality.

Vulnerability

This is an XML External Entity (XXE) injection vulnerability located in the XML preference import settings. It allows an unauthenticated attacker to inject malicious DTD parameter entities into an XML file to retrieve arbitrary files from the host system via out-of-band communication.

Business impact

The CVSS score of 9.8 underscores the severity of this vulnerability, as it allows for the unauthorized exfiltration of sensitive system files. In a clinical or diagnostic environment, this could lead to the exposure of Protected Health Information (PHI) or system configuration data, resulting in severe regulatory and operational consequences.

Remediation

Immediate Action: Update the NovaRad NovaPACS Diagnostics Viewer to the latest version that mitigates XXE injection risks.

Proactive Monitoring: Monitor for anomalous outbound network traffic from the PACS server, which could indicate exfiltration attempts via out-of-band channels.

Compensating Controls: If a patch cannot be applied immediately, strictly validate every XML file before it is imported and disable the processing of external entities in the XML parser configuration.
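One way to implement the file-validation control above, as an added example that is not NovaRad code: a pre-import gate that refuses any preference file carrying a DOCTYPE or entity declaration. The function name `inspect_preference_xml`, the `allow_dtd` switch and the sample files are assumptions made for illustration.

```python
import xml.parsers.expat
from typing import Optional


class _Rejected(Exception):
    """Internal signal carrying the reason a file was refused."""


def inspect_preference_xml(data: bytes, allow_dtd: bool = False) -> Optional[str]:
    """Return None if the file is safe to hand to the importer, else a reason.

    Hypothetical pre-import gate: the expat callbacks fire on declarations,
    so the file is refused before any entity could be expanded or fetched.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise _Rejected("DOCTYPE declaration present")
        if sysid is not None or pubid is not None:
            raise _Rejected("external DTD subset referenced")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        where = "external" if sysid is not None else "internal"
        raise _Rejected(f"{where} {kind} entity declared: {name}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except _Rejected as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"not well-formed XML: {exc}"
    return None


# Constructed samples (not real NovaPACS preference files).
BENIGN = b"<prefs><layout columns='2'/></prefs>"
WITH_DTD = (b'<!DOCTYPE prefs [<!ENTITY % ext SYSTEM '
            b'"http://example.invalid/ext.dtd">]><prefs/>')
WITH_ENTITY = b'<!DOCTYPE prefs [<!ENTITY a "b">]><prefs>&a;</prefs>'

if __name__ == "__main__":
    for sample in (BENIGN, WITH_DTD, WITH_ENTITY):
        print(inspect_preference_xml(sample) or "ok to import")
```

Keep `allow_dtd` at its default unless legitimate preference files are known to need a DOCTYPE; even then, any entity declaration or external subset is still refused.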

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Given the potential for unauthorized file access, this vulnerability must be treated with extreme urgency. Administrators should update the software immediately and restrict access to the XML import features to trusted users only until the patch is successfully deployed.