CVE-2018-25142
NovaRad · NovaPACS Diagnostics Viewer
NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in the XML preference import settings.
Executive summary
An unauthenticated XXE injection vulnerability in NovaRad NovaPACS Diagnostics Viewer allows attackers to retrieve sensitive system files, posing a critical risk to data confidentiality.
Vulnerability
This is an XML External Entity (XXE) injection vulnerability located in the XML preference import settings. It allows an unauthenticated attacker to inject malicious DTD parameter entities into an XML file to retrieve arbitrary files from the host system via out-of-band communication.
Business impact
The CVSS score of 9.8 underscores the severity of this vulnerability, as it allows for the unauthorized exfiltration of sensitive system files. In a clinical or diagnostic environment, this could lead to the exposure of Protected Health Information (PHI) or system configuration data, resulting in severe regulatory and operational consequences.
Remediation
Immediate Action: Update the NovaRad NovaPACS Diagnostics Viewer to the latest version that mitigates XXE injection risks.
Proactive Monitoring: Monitor for anomalous outbound network traffic from the PACS server, which could indicate exfiltration attempts via out-of-band channels.
Compensating Controls: Implement strict file validation for any XML inputs and disable the processing of external entities in the XML parser configuration if a patch cannot be immediately applied.
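The file validation named under Compensating Controls can be done as a gate that refuses any preference file declaring a DTD or entities before it reaches the import feature. The following is an added example, not NovaRad code; the function names, element names and sample files are hypothetical and constructed for illustration.

```python
import xml.parsers.expat

# Constructed samples; element names are hypothetical, not NovaPACS's schema.
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
          b'<preferences><layout columns="2"/></preferences>')
WITH_DTD = (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE preferences [\n'
            b'  <!ENTITY % ext SYSTEM "http://example.invalid/ext.dtd">\n'
            b'  %ext;\n'
            b']>\n'
            b'<preferences/>')


class UnsafeXml(ValueError):
    """The file declares a DTD or entities, or is not well-formed."""


def check_preferences_xml(data: bytes) -> None:
    """Raise UnsafeXml unless data is well-formed XML with no DOCTYPE."""
    # No ExternalEntityRefHandler is installed, so expat resolves nothing
    # external while checking: no network or file access happens here.
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE declaration not allowed (root {name!r})")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXml(f"entity declaration not allowed ({name!r})")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXml(f"not well-formed: {exc}") from exc


def is_importable(data: bytes) -> bool:
    """Boolean form of the check, for use as a gate before import."""
    try:
        check_preferences_xml(data)
    except UnsafeXml:
        return False
    return True


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("with DTD", WITH_DTD)):
        print(label, "->", "accept" if is_importable(sample) else "reject")
```

Because the parser itself detects the declaration, the check holds regardless of the file's character encoding, which a byte-level search for the string DOCTYPE would not. It complements disabling external entities in the application's XML parser and does not replace it.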
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Given the potential for unauthorized file access, this vulnerability must be treated with extreme urgency. Administrators should update the software immediately and restrict access to the XML import features to trusted users only until the patch is successfully deployed.