Health care device manufacturer Natus Medical Incorporated has reportedly updated the software used in its Xltek EEG products, which monitors brain activity, after a researcher discovered five vulnerabilities that a remote, unauthenticated attacker could exploit to trigger code execution of a denial of service condition.
Discovered by Cisco Talos researcher Cory Duplantis, the bugs were all found in Natis NeuroWorks 8 software, and consist of the following:
- A buffer overflow during the processing of a “RequestForPatientInfoEEGfile” command (CVE-2017-2853) that can result in remote code execution.
- A lack of length verification that can cause a stack buffer overflow in the NewProducerStream (CVE-2017-2867), SavePatientMontage (CVE-2017-2867) and OpenProducer (CVE-2017-2869) functionalities, ultimately resulting in remote code execution.
- A denial of service condition that results from parsing errors related to the “NewProducerStream” command.
Natus released Neuroworks 8.5 GMA2 to fix the above problems.
“Medical devices such as Natus Xltek EEG are a convenient tool for collecting and recording complex data relating to patients’ state of health. However, this captured clinical data is only as reliable as the platform on which it is collected,” states an Apr. 4 blog post from Talos. “If the system collecting the data is liable to be compromised, then the care of the patients will also be compromised.”
On Thursday, Trend Micro and the Health Information Trust Alliance (HITRUST) released a new report, “Securing Connected Hospitals,” that examples the risks related to exposed medical systems and health care supply chain attacks.
A threat modeling exercise conducted as part of the report looked at six cyberattack vectors — spear phishing, distributed denial of service (DDoS), vulnerability exploitation, malware infection, privilege escalation and misuse, and data manipulation — that are most likely to be used against medical devices and other health care systems.
For the medical devices Trend Micro and HITRUST assessed, potential DDoS attacks represented the greatest threat, and were classified as high risk. Malware infection, privilege escalation and vulnerability exploitation were ranked as medium risks, in that specific order.
SC Media has reached out to Natus for comment.