Orthanc DICOM Server Memory Exhaustion Vulnerability via Forged ZIP Metadata

Vulnerability

A memory exhaustion vulnerability has been identified in Orthanc DICOM Server in versions through 1.12.10. This vulnerability arises during ZIP archive processing, where the server automatically extracts uploaded ZIP files and relies on metadata fields that describe the uncompressed size of the archived files. An attacker can create a small ZIP archive with a manipulated size value, leading the server to allocate excessively large buffers during extraction. This flaw causes the Orthanc process to terminate, creating a denial-of-service condition.

Impact

Exploitation of this vulnerability causes the Orthanc server process to allocate excessive amounts of memory based on the forged ZIP metadata, leading to process termination and a denial-of-service condition. Because memory exhaustion bugs of this kind can typically be triggered with a single small, crafted payload, they are particularly concerning.

Remediation

Users are advised to upgrade to Orthanc version 1.12.11, which addresses this vulnerability. After upgrading, administrators should review deployment configurations to limit exposure of upload and image processing functionality to trusted users and networks.
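The underlying defect is trusting the uncompressed-size fields in ZIP metadata when sizing buffers. The following is an added example, not Orthanc's own code, of how an upload handler can treat those fields as untrusted: declared sizes are checked against a budget before any extraction, and extraction itself is streamed and cut off when the real output exceeds the cap, so a member whose metadata lies still cannot drive allocation. The limits, function names and sample archive are all assumptions constructed for the example.

```python
import io
import zipfile

# Hypothetical limits (assumption, not Orthanc settings); size them for the deployment.
MAX_TOTAL = 64 * 1024 * 1024   # declared uncompressed bytes per archive
MAX_MEMBER = 16 * 1024 * 1024  # declared (and actual) bytes per member


class UnsafeArchive(ValueError):
    """Raised when an archive exceeds the configured size budget."""


def check_declared_sizes(data, max_total=MAX_TOTAL, max_member=MAX_MEMBER):
    """Reject on central-directory metadata before extracting anything.
    The size fields are attacker-controlled, so they are used only to
    refuse work, never to size an allocation."""
    total, accepted = 0, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > max_member:
                raise UnsafeArchive(f"{info.filename} declares {info.file_size} bytes")
            total += info.file_size
            if total > max_total:
                raise UnsafeArchive(f"archive declares over {max_total} bytes in total")
            accepted.append((info.filename, info.file_size))
    return accepted


def extract_bounded(data, max_member=MAX_MEMBER, chunk=64 * 1024):
    """Stream each member and stop as soon as its real size passes the cap,
    so a member whose metadata lies still cannot grow beyond the budget."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            buf = bytearray()
            with zf.open(info) as member:
                while piece := member.read(chunk):
                    buf += piece
                    if len(buf) > max_member:
                        raise UnsafeArchive(f"{info.filename} exceeded {max_member} bytes")
            out[info.filename] = bytes(buf)
    return out


def build_sample_archive():
    """Constructed sample: one stored member carrying a DICM marker; not a real study."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("study/image.dcm", b"\x00" * 128 + b"DICM" + b"\x00" * 4096)
    return buf.getvalue()
```

Run check_declared_sizes on an upload first and only then extract_bounded; a rejected archive is logged and dropped without any per-member allocation.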

Added: Apr 9, 2026, 3:35 PM
Updated: Apr 9, 2026, 3:35 PM

Vulnerability Rating

Custom Algorithm

spread          2.6
impact          2.5
exploitability  7.0
remediation     7.7
relevance       5.5
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.