Vulnerabilities discovered by Cory Duplantis from Talos.

Overview

Talos has discovered multiple vulnerabilities in Natus NeuroWorks software. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an ethernet connection for data acquisition and connection to networks.

We identified a number of vulnerabilities falling into two classes:

  • Four code execution vulnerabilities
  • One denial of service vulnerability.

The first category allows code execution on the medical device through a specially crafted network packet. The second category can cause the vulnerable service to crash. The vulnerabilities can be triggered remotely without authentication.

Discussion

Clinicians rely on accurate clinical data in order to decide what is the most appropriate care for their patients. Medical devices such as Natus Xltek EEG are a convenient tool for collecting and recording complex data relating to patients' state of health.

However, this captured clinical data is only as reliable as the platform on which it is collected. If the system collecting the data is liable to be compromised, then the care of the patients will also be compromised.

Vulnerable systems are searched for by attackers as points of ingress and persistence within computer networks. A vulnerable system can be compromised by threat actors, used to conduct reconnaissance on the network, and as a platform from which further attacks can be launched.

We have observed threat actors targeting the health care sector as a lucrative source of funds from ransomware attacks. Similarly, malicious groups and individuals may use compromised devices as means to access and breach confidential health care records.

Health care organisations should be aware of the risks of vulnerabilities such as these within their medical devices. Vulnerable systems should be patched to the latest software versions provided by the manufacturer. Networks to which potentially vulnerable systems are connected should be secured to be resistant against attack. Any malicious activity needs to detected, blocked and the source of the activity remediated in order to prevent serious harm being incurred by organisations, and most importantly prevent harm being inflicted on patients.

Details

Code Execution

TALOS-2017-0355 (CVE-2017-2853) - Natus Xltek EEG NeuroWorks RequestForPatientInfoEEGfile Code Execution Vulnerability

During the processing of the "RequestForPatientInfoEEGfile" command, the application attempts to open an EEG file based on a path requested by the client. A buffer overflow exists during the construction of the path. This vulnerability allows an attacker to remotely execute code on the Natus Xltek.

More details can be found in the vulnerability report:

TALOS-2017-0355

TALOS-2017-0373 (CVE-2017-2867) - Natus Xltek EEG NeuroWorks SavePatientMontage Code Execution Vulnerability

This vulnerability is located in the SavePatientMontage functionality of Natus Xltek NeuroWorks 8. The vulnerability is due to a lack of verification of the length of "Data.Name" values sent in requests containing the "SavePatientMontage" command. A specially crafted network packet can cause a stack buffer overflow resulting in code execution.

More details can be found in the vulnerability report:

TALOS-2017-0373

TALOS-2017-0374 (CVE-2017-2868) - Natus Xltek EEG NeuroWorks NewProducerStream Code Execution Vulnerability

This vulnerability is located in the NewProducerStream functionality of Natus Xltek NeuroWorks 8. NeuroWorks maintains a list of lists data structure named "KeyTree." The vulnerability is located in the parsing of this structure. There is a lack of verification of the lengths of SlowReviewLocalPath strings which are used as a key value in KeyTree. A large string can result in a buffer overflow. Hence, a specially crafted network packet can cause a stack buffer overflow resulting in code execution.

More details can be found in the vulnerability report:

TALOS-2017-0374

TALOS-2017-0375 (CVE-2017-2869) - Natus Xltek EEG NeuroWorks OpenProducer Code Execution Vulnerability

This vulnerability is located in the OpenProducer functionality of Natus Xltek NeuroWorks 8. Similar to the previous vulnerability, the issue lies in the length checking of SlowReviewLocalPath strings, which are used as keys in KeyTree structures. A large string results in a stack buffer overflow. A specially crafted network packet can cause a stack buffer overflow, resulting in code execution. As with the previous vulnerability, the overwritten memory contains the exception handlers, which allows an attacker to take control of execution of the program.

More details can be found in the vulnerability report:

TALOS-2017-0375

Denial Of Service

TALOS-2017-0365 (CVE-2017-2861) - Natus Xltek EEG NeuroWorks NewProducerStream Use of Return Value Denial of Service Vulnerability

During the processing of the "NewProducerStream" command, a "KeyTree" (as described in the previous vulnerability) data structure is expected. If there is an error in the parsing of the KeyTree, the return value would be "-1." The return value causes an access violation, resulting in a denial of service.

More details can be found in the vulnerability report:

TALOS-2017-0365

Tested Versions:

Natus Xltek NeuroWorks 8

Conclusion

In accordance with our coordinated disclosure policy, Talos has worked with Natus to ensure that these issues have been resolved and that a firmware update is made available for affected customers. Several of these vulnerabilities could allow a remote attacker to execute arbitrary code on affected devices. Given the role these devices play and the environments in which they are typically deployed, it is highly recommended that they be evaluated and addressed by organizations as quickly as possible. Natus has released Neuroworks 8.5 GMA2 to address these issues. Talos recommends installing this update as quickly as possible on affected systems.

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 43518, 43489