Thursday, May 31, 2018

Vulnerability Spotlight: Natus NeuroWorks Multiple Vulnerabilites

Vulnerabilities discovered by Cory Duplantis from Talos

Overview


In April 2018, Talos published 5 vulnerabilities in Natus NeuroWorks software. We have also identified 3 additional vulnerabilities. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an ethernet connection for data acquisition and connection to networks. The vulnerabilities exposed here can cause the affected service to crash. The vulnerabilities can be triggered remotely without authentication.

We strongly recommend readers to refer to the "Discussion" part of the previous article in order to clearly understand the risk of vulnerabilities targeting health devices. Natus has released Neuroworks 8.5 GMA3 to address these issues. Talos recommends installing this update as quickly as possible on affected systems.



Details


Denials Of Service


TALOS-2017-0354 (CVE-2017-2853) - Natus Xltek EEG NeuroWorks ItemList Deserialization Denial of Service Vulnerability


Upon reception of data, the application attempts to unserialize the passed data. It recognizes a variety of data types, two of which are a string and an itemlist. The header of the sent data contains the length of an itemlist; by sending an invalid length the application will crash, resulting in a denial of service.

More details can be found in the vulnerability report:

TALOS-2017-0354

TALOS-2017-0362 (CVE-2017-2858) - Natus Xltek EEG NeuroWorks ItemList Traversal Denial of Service Vulnerability


Similar to the previous vulnerability, the application attempts on receipt of data to unserialize the data passed to it. If this data contains an empty itemlist, it will cause an access violation resulting in a denial of service in the application.

More details can be found in the vulnerability report:

TALOS-2017-0362

TALOS-2017-0364 (CVE-2017-2860) - Natus Xltek EEG NeuroWorks Invalid KeyTree Entry Denial of Service Vulnerability


NeuroWorks handles a specific data structure named KeyTree. A KeyTree is a list of lists. The application assumes that the first element of a KeyTree is an ItemList. However, if the first element is a String data structure, a pointer can point to an invalid memory address, resulting in a denial of service condition.

More details can be found in the vulnerability report:

TALOS-2017-0364

Tested Versions:


Natus Xltek NeuroWorks 8

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 43150,43192

No comments:

Post a Comment