CVE-2024-23622 Overview
A critical stack-based buffer overflow vulnerability has been identified in the IBM Merge Healthcare eFilm Workstation license server. This vulnerability allows a remote, unauthenticated attacker to exploit the buffer overflow condition to achieve remote code execution with SYSTEM privileges on affected systems. The eFilm Workstation is commonly deployed in healthcare environments for medical imaging workflows, making this vulnerability particularly concerning for healthcare organizations.
Critical Impact
Unauthenticated remote attackers can exploit this vulnerability to execute arbitrary code with SYSTEM-level privileges, potentially leading to complete system compromise, data exfiltration, and lateral movement within healthcare networks.
Affected Products
- IBM Merge eFilm Workstation (all versions)
- IBM Merge Healthcare eFilm Workstation License Server component
Discovery Timeline
- 2024-01-25 - Vulnerability analysis published by Exodus Intelligence
- 2024-01-26 - CVE CVE-2024-23622 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-23622
Vulnerability Analysis
This vulnerability is classified under CWE-131 (Incorrect Calculation of Buffer Size) and CWE-787 (Out-of-Bounds Write). The root cause lies in improper memory allocation and boundary checking within the license server component of the eFilm Workstation software. When processing certain requests, the server fails to properly validate the size of incoming data before copying it to a fixed-size stack buffer, resulting in a classic stack-based buffer overflow condition.
The vulnerability is particularly severe because it requires no authentication, can be exploited remotely over the network, and results in code execution with the highest system privileges. Healthcare imaging workstations often contain sensitive patient data and are connected to clinical networks, amplifying the potential impact of successful exploitation.
Root Cause
The vulnerability stems from an incorrect calculation of buffer size combined with an out-of-bounds write condition in the CopySLS_Request3 function within the license server. When handling specially crafted requests, the function fails to properly validate input length before performing memory copy operations. This allows attacker-controlled data to overflow the stack buffer, overwriting adjacent memory including return addresses and potentially other critical control structures.
Attack Vector
The attack vector is network-based and requires no user interaction or authentication. An attacker can send a specially crafted request to the license server's listening port, triggering the buffer overflow. By carefully crafting the overflow payload, the attacker can overwrite the return address on the stack to redirect execution to attacker-controlled code or leverage existing code gadgets (ROP chains) to achieve arbitrary code execution.
The vulnerability affects the CopySLS_Request3 function in the license server component. When an oversized request is received, the function copies user-supplied data into a fixed-size stack buffer without proper bounds checking. This allows the attacker to corrupt stack memory and gain control of program execution flow. For detailed technical analysis, refer to the Exodus Intelligence analysis.
Detection Methods for CVE-2024-23622
Indicators of Compromise
- Unusual network traffic to the eFilm Workstation license server port from external or unexpected sources
- Unexpected child processes spawned by the license server process
- Anomalous system calls or memory access patterns originating from the license server
- Evidence of SYSTEM-level process execution following license server network activity
Detection Strategies
- Monitor network traffic for malformed or oversized requests targeting the eFilm license server
- Deploy endpoint detection rules to identify stack-based buffer overflow exploitation patterns
- Implement behavioral analysis to detect unusual process spawning from the license server component
- Use memory protection tools to detect stack corruption attempts
Monitoring Recommendations
- Enable verbose logging on the eFilm Workstation license server if available
- Monitor system event logs for unexpected service crashes or restarts of the license server
- Implement network segmentation and log all traffic to/from medical imaging workstations
- Deploy SentinelOne agents on eFilm Workstations for real-time behavioral monitoring and exploit detection
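The indicators and detection strategies above can be turned into a concrete triage routine. The following is an added example, not code from the page or from IBM or SentinelOne: it runs over constructed Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) records in JSON-lines form and flags a child process spawned by the license server and an inbound connection to the license port from outside an authorized subnet. The binary path, port and subnet are placeholders, since the page names none of them.

```python
import ipaddress
import json

# Placeholders: the page names neither the license server binary nor its port,
# so set these to the values observed in your own eFilm deployment.
LICENSE_SERVER_IMAGE = r"C:\PLACEHOLDER\eFilmLicenseServer.exe"
LICENSE_SERVER_PORT = 7000
# Constructed example: the only subnet allowed to reach the license server.
AUTHORIZED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed Sysmon records (ID 3 = network connection, ID 1 = process creation)
# in the JSON-lines form a SIEM export might produce.
SAMPLE_EVENTS = r"""
{"EventID": 3, "Image": "C:\\PLACEHOLDER\\eFilmLicenseServer.exe", "Initiated": "false", "SourceIp": "10.20.5.17", "DestinationPort": 7000}
{"EventID": 3, "Image": "C:\\PLACEHOLDER\\eFilmLicenseServer.exe", "Initiated": "false", "SourceIp": "203.0.113.45", "DestinationPort": 7000}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\PLACEHOLDER\\eFilmLicenseServer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
""".strip().splitlines()


def parse_events(lines):
    """Parse JSON-lines Sysmon records, skipping blank or malformed lines."""
    events = []
    for line in lines:
        try:
            if line.strip():
                events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt export line must not abort triage
    return events


def analyze(events):
    """Return (reason, event) pairs for records matching the page's indicators."""
    findings = []
    server = LICENSE_SERVER_IMAGE.lower()
    for ev in events:
        if ev.get("EventID") == 1 and ev.get("ParentImage", "").lower() == server:
            # The license server has no legitimate reason to spawn children, so any
            # child process following inbound traffic is the pattern to alert on.
            findings.append(("child process spawned by license server", ev))
        elif (ev.get("EventID") == 3
              and ev.get("Image", "").lower() == server
              and str(ev.get("Initiated")).lower() == "false"  # accepted inbound connection
              and ev.get("DestinationPort") == LICENSE_SERVER_PORT):
            src = ipaddress.ip_address(ev["SourceIp"])
            if not any(src in net for net in AUTHORIZED_NETS):
                findings.append(("inbound connection to license port from unauthorized source", ev))
    return findings
```

On the constructed sample, `analyze(parse_events(SAMPLE_EVENTS))` returns two findings: the connection from 203.0.113.45 and the cmd.exe child of the license server; the authorized connection and the explorer-spawned process are not reported.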
How to Mitigate CVE-2024-23622
Immediate Actions Required
- Isolate affected IBM Merge eFilm Workstations from untrusted networks where possible
- Implement network segmentation to restrict access to the license server port to only authorized systems
- Deploy firewall rules to block external access to the license server component
- Monitor affected systems for signs of exploitation using SentinelOne or equivalent EDR solutions
Patch Information
Contact IBM for security updates and patch availability for the Merge eFilm Workstation. Organizations should prioritize patching this vulnerability given its critical severity and the potential for unauthenticated remote code execution. Until patches are applied, implement network-based mitigations to reduce exposure.
Workarounds
- Implement strict network access controls to limit connectivity to the license server to only authorized internal systems
- Deploy host-based firewalls on eFilm Workstations to restrict inbound connections to the license server
- Consider disabling the license server component if not actively required for operations
- Enable enhanced monitoring and behavioral detection on affected systems using SentinelOne Singularity platform
# Example: block inbound access to the license server port using Windows Firewall (run from an elevated PowerShell prompt; in cmd.exe write the comment lines as REM)
# Replace <LICENSE_SERVER_PORT> with the port the eFilm license server listens on. Because Windows Firewall evaluates block rules before allow rules, remoteip=any also cuts off authorized internal clients;
# to keep them working, create an allow rule scoped to the trusted subnet instead (e.g. remoteip=LocalSubnet or an explicit range) and rely on the profile's default inbound block.
netsh advfirewall firewall add rule name="Block External eFilm License Server Access" dir=in action=block protocol=tcp localport=<LICENSE_SERVER_PORT> remoteip=any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.