Critical remote code execution vulnerabilities impact Natus medical devices

The bugs could be used to tamper with data and compromise patient care.

A set of critical vulnerabilities have been uncovered in Natus NeuroWorks software which may place medical devices connecting to the software at risk.

On Wednesday, researchers from Cisco Talos said in a blog post that the vulnerabilities could not only cause services to crash but may also allow attackers to remotely execute code on medical devices.

Natus NeuroWorks software is used by Natus Xltek EEG medical products developed by Natus Medical Inc.

The firm's electroencephalogram (EEG) offerings are described as "leading-edge features you want in critical care." The systems include amplifier ports compatible with USB and TCP/IP cables, while the NeuroWorks software connects to monitoring equipment to record data in SQL databases.

In total, five vulnerabilities were covered in Natus Xltek NeuroWorks 8, four of which allow remote code execution, and one results in a denial-of-service crash on medical devices.

All of the bugs can be triggered remotely without authentication.

The first vulnerability, CVE-2017-2853, occurs when the application attempts to open an EEG file based on a path requested by the client. This causes a buffer overflow error which can be exploited by attackers to remotely execute code.

The second bug, CVE-2017-2867, is located in the SavePatientMontage functionality of the software. There is a lack of verification of the Data.Name values send in requests for the SavePatientMontage command, which can be exploited with crafted network packers to cause a stack buffer overflow, leading to code execution.

The third bug, CVE-2017-2868, was discovered in the NewProducerStream functionality of NeuroWorks 8. There is a list of data structures in the software named "KeyTree," and the security flaw is present in the parsing of this structure as there is a lack of verification in certain strings.

If there is a large string, this may lead to buffer overflow, of which a crafted network packet could be utilized to exploit in order to remotely execute code.

The fourth security flaw, CVE-2017-2869, is located in the OpenProducer functionality of the software. In a similar way to the previous bug, a large string results in a stack buffer overflow, resulting in code execution.

"As with the previous vulnerability, the overwritten memory contains the exception handlers, which allows an attacker to take control of execution of the program," the researchers note.

The final bug may not result in code execution but can be just as dangerous for patients. CVE-2017-2861 is also present in the NewProducerStream command, and when KeyTree parsing errors occur, a value of -1 is returned.

This, in turn, causes an access violation, resulting in denial-of-service.

See also: Cyberattack disrupted Baltimore emergency responders

"Health care organizations should be aware of the risks of vulnerabilities such as these within their medical devices," Talos says. "Vulnerable systems should be patched to the latest software versions provided by the manufacturer. Networks to which potentially vulnerable systems are connected should be secured to be resistant against attack."

"Any malicious activity needs to detected, blocked and the source of the activity remediated in order to prevent serious harm being incurred by organizations, and most importantly prevent harm being inflicted on patients," the company added.

Cisco Talos reported its findings to Natus, which has now developed patches and a firmware update, Neuroworks 8.5 GMA2, which resolves the vulnerabilities.

Given how devastating malicious tampering with medical devices can be for patients and medical institutions alike, users of Natus products are requested to update their systems as quickly as possible.

Previous and related coverage