Vulnerabilities discovered by Cory Duplantis from Cisco Talos.


In April 2018, Talos published five vulnerabilities in Natus NeuroWorks software. We have also identified three additional vulnerabilities. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an ethernet connection for data acquisition and connection to networks. The vulnerabilities exposed here can cause the affected service to crash. The vulnerabilities can be triggered remotely without authentication.

We strongly recommend readers to refer to the "Discussion" part of the previous article in order to clearly understand the risk of vulnerabilities targeting health devices. Natus has released Neuroworks 8.5 GMA3 to address these issues. Talos recommends installing this update as quickly as possible on affected systems.


Denials Of Service

TALOS-2017-0354 (CVE-2017-2853) - Natus Xltek EEG NeuroWorks ItemList Deserialization Denial of Service Vulnerability

Upon reception of data, the application attempts to unserialize the passed data. It recognizes a variety of data types, two of which are a string and an itemlist. The header of the sent data contains the length of an itemlist; by sending an invalid length the application will crash, resulting in a denial of service.

More details can be found in the vulnerability report:


TALOS-2017-0362 (CVE-2017-2858) - Natus Xltek EEG NeuroWorks ItemList Traversal Denial of Service Vulnerability

Similar to the previous vulnerability, the application attempts on receipt of data to unserialize the data passed to it. If this data contains an empty itemlist, it will cause an access violation resulting in a denial of service in the application.

More details can be found in the vulnerability report:


TALOS-2017-0364 (CVE-2017-2860) - Natus Xltek EEG NeuroWorks Invalid KeyTree Entry Denial of Service Vulnerability

NeuroWorks handles a specific data structure named KeyTree. A KeyTree is a list of lists. The application assumes that the first element of a KeyTree is an ItemList. However, if the first element is a String data structure, a pointer can point to an invalid memory address, resulting in a denial of service condition.

More details can be found in the vulnerability report:


Tested Versions:

Natus Xltek NeuroWorks 8


The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort Rules: 43150,43192