Vulnerabilities Discovered in Natus Xltek NeuroWorks Software Lead to Official Warnings

Jun 28, 2018

ICS-CERT has released a warning after eight vulnerabilities were identified in version 8 of the Natus Xltek NeuroWorks software used in Natus Xltek EEG medical products.

If successfully exploited, the weaknesses could allow an attacker to crash a vulnerable device or trigger a buffer overflow condition that permits remote code execution.

All eight vulnerabilities have been given a CVSS v3 score above 7.0 and are rated high. Three of the weaknesses – tracked as CVE-2017-2853, CVE-2017-2868, and CVE-2017-2869 – have been given a CVSS v3 base score of 10, the highest possible score. CVE-2017-2867 has been given a base score of 9.0, and the remaining four – CVE-2017-2852, CVE-2017-2858, CVE-2017-2860, and CVE-2017-2861 – have been given a score of 7.5. The vulnerabilities are a combination of stack-based buffer overflow and out-of-bounds read flaws.

CVE-2017-2853 would permit an attacker to trigger a buffer overflow by sending a specially crafted packet to an affected product while the product attempts to open a file requested by the client.

CVE-2017-2868 and CVE-2017-2869 are flaws in how the program parses data structures. Exploitation would permit an attacker to trigger a buffer overflow and execute arbitrary code, giving the attacker complete control of the affected system.

The flaws were identified by security researcher Cory Duplantis from Cisco Talos who reported them to Natus. Natus took swift action and has now released an updated version of its software which remedies all of the weaknesses.

So far there have been no reported cases of the vulnerabilities being exploited in the wild, and no public exploits for them have been seen. Natus recommends that all users of the vulnerable software update to NeuroWorks/SleepWorks 8.5 GMA 3 as soon as they can.

The update is available for free for users of NeuroWorks/SleepWorks Version 8.0, 8.1, 8.4, or 8.5. The Natus Neuro technical support department should be contacted for further details.

Along with updating to the latest version of the software, organizations can take additional steps to reduce the likelihood that zero-day vulnerabilities in these systems can be exploited.

The National Cybersecurity & Communications Integration Center (NCCIC) recommends limiting network exposure for all control systems and devices and ensuring they are not accessible from the Internet. Control systems and remote devices should be placed behind firewalls and isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be used to connect, and the VPN software itself should be kept up to date.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world-class team of subject matter experts at ComplianceJunction in regulatory compliance to help organizations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow him on Twitter.
