Dear community,
Yesterday, CISA released a security advisory about Orthanc. This advisory, in which we participated, is a good opportunity to remind you of the best practices for securing Orthanc, since it seems that there are still a bunch of Orthanc servers publicly sharing their data on the public internet.
Full story:
Orthanc’s lightweight design allows anyone to spin up an Orthanc server quickly on their own PC to start playing with DICOM files. For this purpose, no authentication is enabled by default on the REST API but, to keep the system secure, the REST API is accessible only from localhost. Remote access must be enabled explicitly in a configuration file.
Up to version 1.5.7, enabling remote access did not automatically enable authentication. This was fixed in 1.5.8, released in October 2019, but no CVE was issued at that time, so this advisory was published yesterday to draw new attention to this issue.
As always, security is not only a matter of software but mainly a matter of the people configuring the software, so, even as of today with the latest 1.12.6 version, it is still possible to enable remote access and disable authentication, because it makes perfect sense in some architectures where Orthanc is protected by other systems upfront.
Furthermore, even if you have upgraded Orthanc regularly, if you have been maintaining a configuration file for many years, there is a chance that you have never updated the relevant settings and your recent Orthanc might still be exposed.
TL;DR
So our recommendations to mitigate this issue:
- Upgrade to the latest version if possible.
- Even if you are using the latest version, if your Orthanc is exposed to the public internet, you must check your configuration file and verify that "AuthenticationEnabled" is set to true if "RemoteAccessAllowed" is set to true. As soon as authentication and remote access are enabled, you should also make sure to have defined "RegisteredUsers" with strong passwords.
Note that this issue was already discussed in this topic 5 years ago, so this is mainly a reminder.
Thanks for reading,
Alain.
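The check described in the recommendations above, as an added example that is not part of the original post or of the Orthanc project: it audits the three configuration keys discussed ("RemoteAccessAllowed", "AuthenticationEnabled", "RegisteredUsers") and reports the exposed combination. The sample configurations and the 12-character password threshold are constructed for illustration, and the parser assumes a comment-free JSON file (Orthanc also accepts // comments, which json.loads does not).

```python
import json

# Constructed sample configuration files (not taken from the post).
# EXPOSED_CONFIG mirrors a legacy file that enables remote access without authentication.
EXPOSED_CONFIG = """{
  "Name": "ORTHANC",
  "RemoteAccessAllowed": true,
  "AuthenticationEnabled": false
}"""

# HARDENED_CONFIG applies the recommendations: authentication on, a registered user with a long password.
HARDENED_CONFIG = """{
  "Name": "ORTHANC",
  "RemoteAccessAllowed": true,
  "AuthenticationEnabled": true,
  "RegisteredUsers": { "alice": "correct-horse-battery-staple-2019" }
}"""

MIN_PASSWORD_LENGTH = 12  # assumed threshold for this example, not an Orthanc setting


def audit_orthanc_config(config_text):
    """Return a list of findings for the keys discussed in the post.

    Assumes comment-free JSON: Orthanc tolerates // comments in its configuration,
    json.loads does not, so strip them before calling this on a real file.
    """
    cfg = json.loads(config_text)
    findings = []
    if not cfg.get("RemoteAccessAllowed", False):
        return findings  # REST API reachable from localhost only: nothing to report
    auth = cfg.get("AuthenticationEnabled")
    if auth is False:
        findings.append("RemoteAccessAllowed is true but AuthenticationEnabled is false")
    elif auth is None:
        # Before 1.5.8 enabling remote access did not enable authentication by itself,
        # so an absent key on an old build leaves the API unauthenticated.
        findings.append("RemoteAccessAllowed is true and AuthenticationEnabled is not set; "
                        "before 1.5.8 the default left the API unauthenticated")
    users = cfg.get("RegisteredUsers") or {}
    if auth is not False and not users:
        findings.append("no RegisteredUsers defined")
    for name, password in users.items():
        if len(password) < MIN_PASSWORD_LENGTH:
            findings.append(f"password for user '{name}' is shorter than "
                            f"{MIN_PASSWORD_LENGTH} characters")
    return findings
```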