Natus reportedly updates EEG device software to squash RCE, DoS bugs

Health care device manufacturer Natus Medical Incorporated has reportedly updated the software used in its Xltek EEG products, which monitor brain activity, after a researcher discovered five vulnerabilities that a remote, unauthenticated attacker could exploit to trigger code execution or a denial of service condition.

Discovered by Cisco Talos researcher Cory Duplantis, the bugs were all found in Natus NeuroWorks 8 software and consist of the following:

A buffer overflow during the processing of a "RequestForPatientInfoEEGfile" command (CVE-2017-2853) that can result in remote code execution.

A lack of length verification that can cause a stack buffer overflow in the NewProducerStream (CVE-2017-2867), SavePatientMontage (CVE-2017-2867) and OpenProducer (CVE-2017-2869) functionalities, ultimately resulting in remote code execution.

A denial of service condition that results from parsing errors related to the "NewProducerStream" command.
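To make the length-verification bug class in the list above concrete, here is an added example (not Natus, Talos or NeuroWorks code; the message layout, field sizes and names are constructed for illustration) of a command handler that copies a declared-length payload into a fixed stack buffer, with the two checks such a handler must perform before copying.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed wire format for this example (not the NeuroWorks protocol):
 * 2-byte command id, 2-byte big-endian payload length, then the payload. */
#define HDR_LEN 4
#define PATIENT_NAME_MAX 64
enum handle_status { HANDLE_OK = 0, HANDLE_TRUNCATED = -1, HANDLE_TOO_LONG = -2 };

/* Copies the declared-length payload into a fixed stack buffer, then to the
 * caller. A handler that trusts the declared length and copies straight into
 * 'name' is the bug class described in the article; the checks below are the fix. */
int handle_patient_name(const uint8_t *msg, size_t msg_len, char *out, size_t out_len)
{
    char name[PATIENT_NAME_MAX];            /* fixed-size stack buffer */
    if (msg_len < HDR_LEN)
        return HANDLE_TRUNCATED;            /* header not fully received */
    size_t declared_len = ((size_t)msg[2] << 8) | msg[3];
    if (declared_len >= sizeof name)        /* leave room for the terminator */
        return HANDLE_TOO_LONG;             /* would overflow the stack buffer */
    if (declared_len > msg_len - HDR_LEN)
        return HANDLE_TRUNCATED;            /* claims more bytes than arrived */
    memcpy(name, msg + HDR_LEN, declared_len);
    name[declared_len] = '\0';
    if (declared_len + 1 > out_len)
        return HANDLE_TOO_LONG;
    memcpy(out, name, declared_len + 1);
    return HANDLE_OK;
}

/* Constructed sample messages: one well-formed, one with an oversized
 * declared length, one whose declared length exceeds the bytes received. */
static const uint8_t MSG_OK[]  = { 0x00, 0x01, 0x00, 0x05, 'A', 'L', 'I', 'C', 'E' };
static const uint8_t MSG_BIG[] = { 0x00, 0x01, 0xFF, 0xFF, 'x' };
static const uint8_t MSG_CUT[] = { 0x00, 0x01, 0x00, 0x20, 'A', 'B' };

int demo_status(const uint8_t *msg, size_t msg_len)
{
    char out[PATIENT_NAME_MAX];
    return handle_patient_name(msg, msg_len, out, sizeof out);
}

int demo_name_ok(void)                      /* 1 if the valid message parses to "ALICE" */
{
    char out[PATIENT_NAME_MAX];
    return handle_patient_name(MSG_OK, sizeof MSG_OK, out, sizeof out) == HANDLE_OK
        && strcmp(out, "ALICE") == 0;
}
```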