Orthanc
cpe:2.3:a:orthanc-server:orthanc:*:*:*:*:*:*:*
- <= 1.12.10
A memory exhaustion vulnerability has been identified in Orthanc DICOM Server versions through 1.12.10. The issue arises in the HTTP server, which allocates memory based on the 'Content-Length' header value provided by the attacker, without enforcing any upper limit. This unbounded allocation can lead to excessive memory use and server termination, even if no request body is sent. The vulnerability stems from unsafe handling of HTTP headers, allowing for crafted requests that exploit this weakness.
Exploitation of this vulnerability causes excessive memory allocation, leading to server termination and denial-of-service conditions. The issue can be triggered with a small, crafted payload, causing the Orthanc process to crash. Additionally, this vulnerability could be combined with other issues in Orthanc that allow for memory corruption or out-of-bounds reads, potentially leading to more severe consequences such as arbitrary code execution.
Users are advised to upgrade to Orthanc version 1.12.11, which addresses this vulnerability. After upgrading, administrators should review deployment configurations to limit exposure of upload and image processing functionality to trusted users and networks.
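The mitigation pattern described above, written out as an added example in C++ (it is not Orthanc's own code, and the names ParseContentLength, CheckContentLength and BodyReader plus the 64 MiB cap are assumptions made here): the declared Content-Length is parsed strictly, checked against a fixed upper bound before any buffer exists, and the body buffer grows only as bytes actually arrive, so a large header with no body costs nothing.

```cpp
#include <cstdint>
#include <limits>
#include <string>
#include <vector>
// Illustrative hardened Content-Length handling (added example, not Orthanc's code).
// Assumed policy: a fixed cap on the declared size, strict parsing, lazy allocation.
constexpr uint64_t kMaxBodyBytes = 64ull * 1024 * 1024;  // assumed 64 MiB cap
enum class BodyCheck { Accept, Malformed, TooLarge };
// Strict parse: ASCII digits only (surrounding blanks tolerated), no sign,
// overflow detected. Malformed input is rejected, never treated as zero.
bool ParseContentLength(const std::string& value, uint64_t& out) {
  size_t b = value.find_first_not_of(" \t");
  if (b == std::string::npos) return false;
  size_t e = value.find_last_not_of(" \t");
  uint64_t n = 0;
  for (size_t i = b; i <= e; ++i) {
    if (value[i] < '0' || value[i] > '9') return false;
    uint64_t d = static_cast<uint64_t>(value[i] - '0');
    if (n > (std::numeric_limits<uint64_t>::max() - d) / 10) return false;
    n = n * 10 + d;
  }
  out = n;
  return true;
}
// Policy decision taken from the header alone, before any buffer exists.
BodyCheck CheckContentLength(const std::string& value, uint64_t limit = kMaxBodyBytes) {
  uint64_t n = 0;
  if (!ParseContentLength(value, n)) return BodyCheck::Malformed;
  return n > limit ? BodyCheck::TooLarge : BodyCheck::Accept;
}
// Body accumulator that grows only as bytes actually arrive, so a large
// declared length with no body costs nothing beyond the header check.
class BodyReader {
 public:
  bool Start(const std::string& header, uint64_t limit = kMaxBodyBytes) {
    if (CheckContentLength(header, limit) != BodyCheck::Accept) return false;
    ParseContentLength(header, declared_);
    return true;
  }
  // Rejects any bytes beyond the declared length.
  bool Feed(const char* data, size_t len) {
    if (body_.size() + len > declared_) return false;
    body_.insert(body_.end(), data, data + len);
    return true;
  }
  size_t Size() const { return body_.size(); }
 private:
  uint64_t declared_ = 0;
  std::vector<char> body_;
};
```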