Horizon Alert
Summary of the vulnerability and why it matters
This advisory addresses a critical vulnerability in PACSgear MediaWriter, a component used in medical imaging software. The issue allows unauthenticated remote attackers to potentially execute code with system-level privileges by exploiting an unprotected network service. While the vulnerability is severe, its practical impact depends on the specific network deployment and whether the affected service is accessible externally.
- Unprotected network service allows remote code execution.
- Critical risk if the service is accessible externally.
- Confirm relevance and assess exposure to internal systems.
Attack Path
How an attacker could exploit the issue
An attacker can initiate an attack by finding an exposed .NET Remoting TCP service on port 9000. This service, part of the PACSgear MediaWriter, does not require authentication and allows for arbitrary file read and write operations on the host. By combining this with a known DLL hijacking vulnerability in the service, an attacker can achieve code execution with SYSTEM privileges after the service restarts.
- Network access to the service is required.
- The vulnerability is triggered by interacting with the .NET Remoting service.
- Risk includes unauthenticated remote code execution as SYSTEM.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability allows unauthenticated remote attackers to read and write arbitrary files on the host system when the PACSgear MediaWriter service is running. Exploiting this could lead to system compromise if the service is configured to load missing DLLs from the application directory, enabling remote code execution as SYSTEM.
- Arbitrary file read/write access on host.
- Network access to unauthenticated service.
- Remote code execution as SYSTEM.
Operational Fix
Recommended remediation, mitigation, and detection steps
Attackers can achieve unauthenticated remote code execution as SYSTEM by exploiting a .NET Remoting TCP service in PACSgear MediaWriter. Initial actions should focus on identifying all instances of the affected technology, confirming exposure and business criticality, and locating the accountable owner to plan risk-based remediation.
- Identify and confirm affected systems.
- Verify exposure and business criticality.
- Plan remediation with accountable owners.