CVE-2013-6825

Name of the Vulnerable Software and Affected Versions DCMTK versions 3.6.1 and earlier

Description The issue concerns a lack of validation for the return value of the setuid system call in various components of DCMTK. This allows local users to potentially gain privileges by creating a large number of processes. The affected components include movescu.cc, storescp.cc, scp.cc, wlmactmg.cc, dcmprscp.cc, dcmpsrcv.cc, msgserv.cc, and dcmqrscp.cc.

Recommendations For DCMTK versions 3.6.1 and earlier, consider restricting access to the setuid system call until a patch is available. As a temporary workaround, limit the ability of local users to create a large number of processes to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.