OFFIS DCMTK
cpe:2.3:a:offis:dcmtk:*:*:*:*:*:*:*
- <= 3.6.5+DEV
A null pointer dereference vulnerability has been identified in DCMTK versions through 3.6.7, specifically within the DICOM Query/Retrieve SCP component. The issue arises in the function DcmQueryRetrieveConfig::readPeerList, located in the file dcmqrcnf.cc. When the application processes a malformed configuration file that lacks proper HostTable or AETable structure, the function attempts to dereference an uninitialized pointer, leading to a segmentation fault. This vulnerability causes a denial-of-service condition by crashing the DICOM service, and can be exploited locally using a crafted configuration file.
Exploitation of this vulnerability causes the DICOM Query/Retrieve SCP service to crash, creating a denial-of-service condition. This could disrupt automated imaging processes or medical servers that rely on parsing configuration files from untrusted sources.
The vulnerability can be reproduced by compiling DCMTK version 3.6.5 (or a relevant vulnerable version) with AddressSanitizer enabled. After building the application, replace the default configuration file used by the dcmqrscp server with a crafted file that introduces the null pointer dereference condition. When the server is started, it will immediately crash due to the unhandled null pointer dereference, which can be verified with the AddressSanitizer error log.
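As an added pre-flight check, not part of this advisory or of DCMTK itself, the following Python validator refuses a dcmqrscp configuration before the service loads it when the HostTable or AETable block is absent or the BEGIN/END nesting is broken. It assumes the `<Table> BEGIN` ... `<Table> END` block syntax of dcmqrscp.cfg; the sample configs are constructed.

```python
import re
from typing import Dict, List

# Tables the advisory names as required for readPeerList to work safely.
REQUIRED_TABLES = ("HostTable", "AETable")
BLOCK_RE = re.compile(r"(\w+)\s+(BEGIN|END)")


def parse_tables(text: str) -> Dict[str, List[str]]:
    """Return {table name: [entry lines]} for every BEGIN/END block.

    Raises ValueError on nested, duplicated, unmatched or unclosed blocks.
    Assumes '#' starts a comment, as in dcmqrscp.cfg.
    """
    tables: Dict[str, List[str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = BLOCK_RE.fullmatch(line)
        if m:
            name, keyword = m.groups()
            if keyword == "BEGIN":
                if current is not None:
                    raise ValueError(f"line {lineno}: {name} BEGIN inside {current}")
                if name in tables:
                    raise ValueError(f"line {lineno}: duplicate {name} block")
                current, tables[name] = name, []
            elif current != name:
                raise ValueError(f"line {lineno}: {name} END without matching BEGIN")
            else:
                current = None
        elif current is not None:
            tables[current].append(line)
        # Top-level settings such as 'NetworkTCPPort = 104' are left alone.
    if current is not None:
        raise ValueError(f"{current} BEGIN is never closed")
    return tables


def config_is_safe(text: str) -> bool:
    """True only if the file parses and defines both required tables."""
    try:
        tables = parse_tables(text)
    except ValueError:
        return False
    return all(t in tables for t in REQUIRED_TABLES)


# Constructed sample configurations (not taken from any real deployment).
GOOD_CFG = """NetworkTCPPort = 104
HostTable BEGIN
acme1 = (ACME1, localhost, 5678)
HostTable END
AETable BEGIN
COMMON /tmp/common R (200, 1024mb) acme1
AETable END
"""
NO_AETABLE_CFG = "HostTable BEGIN\nacme1 = (ACME1, localhost, 5678)\nHostTable END\n"
UNCLOSED_CFG = "AETable BEGIN\nCOMMON /tmp/common R (200, 1024mb) acme1\n"
```

Run `config_is_safe` over a config obtained from an untrusted source and refuse to start dcmqrscp when it returns False.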
Upgrading to DCMTK version 3.6.8 resolves this vulnerability; the fix is obtained by updating to that release.