
Natus reportedly updates EEG device software to squash RCE, DoS bugs

Health care device manufacturer Natus Medical Incorporated has reportedly updated the software used in its Xltek EEG products, which monitor brain activity, after a researcher discovered five vulnerabilities that a remote, unauthenticated attacker could exploit to trigger code execution or a denial of service condition.

Discovered by Cisco Talos researcher Cory Duplantis, the bugs were all found in Natus NeuroWorks 8 software, and consist of the following:

  • A buffer overflow during the processing of a "RequestForPatientInfoEEGfile" command (CVE-2017-2853) that can result in remote code execution.
  • A lack of length verification that can cause a stack buffer overflow in the NewProducerStream (CVE-2017-2867), SavePatientMontage (CVE-2017-2867) and OpenProducer (CVE-2017-2869) functionalities, ultimately resulting in remote code execution.
  • A denial of service condition that results from parsing errors related to the "NewProducerStream" command.

Natus released Neuroworks 8.5 GMA2 to fix the above problems. 

"Medical devices such as Natus Xltek EEG are a convenient tool for collecting and recording complex data relating to patients' state of health. However, this captured clinical data is only as reliable as the platform on which it is collected," states an Apr. 4 blog post from Talos. "If the system collecting the data is liable to be compromised, then the care of the patients will also be compromised."

On Thursday, Trend Micro and the Health Information Trust Alliance (HITRUST) released a new report, "Securing Connected Hospitals," that examines the risks related to exposed medical systems and health care supply chain attacks.

A threat modeling exercise conducted as part of the report looked at six cyberattack vectors -- spear phishing, distributed denial of service (DDoS), vulnerability exploitation, malware infection, privilege escalation and misuse, and data manipulation -- that are most likely to be used against medical devices and other health care systems.

For the medical devices Trend Micro and HITRUST assessed, potential DDoS attacks represented the greatest threat, and were classified as high risk. Malware infection, privilege escalation and vulnerability exploitation were ranked as medium risks, in that specific order.

SC Media has reached out to Natus for comment.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
