Vulnerabilities Discovered in Natus Xltek NeuroWorks Software Leads to Official Warnings

ICS-CERT has released a warning after identifying eight vulnerabilities in version 8 of Natus Xltek NeuroWorks software implemented in Natus Xltek EEG medical products.

If the weaknesses are successfully exploited they could allow a hacker to crash a vulnerable device or trigger a buffer overflow condition that would permit remote code execution.

All eight vulnerabilities have been given a CVSS v3 score above 7.0 and are rated high.  Three of the weaknesses – tracked as CVE-2017-2853, CVE-2017-2868, and CVE-2017-2869 – have been given a CVSS v3 base score of 10, the highest possible score. CVE-2017-2867 has been given a base rating of 9.0, with the other four vulnerabilities – CVE-2017-2852, CVE-2017-2858, CVE-2017-2860, and CVE-2017-2861 – designated a rating of 7.5. The vulnerabilities are a combination of stack-based buffer overflow and out-of-bounds read flaws.

CVE-2017-2853 would permit a hacker to create buffer overflow by sending a specially crafted packet to an impacted product while the product tries to open a file requested by the client.

CVE-2017-2868 and CVE-2017-2869 refer to flaws in how the program parses data structures. Exploitation would permit a hacker to trigger a buffer overflow and execute arbitrary code, allowing the hacker to take complete control of the affected system.

The flaws were identified by security researcher Cory Duplantis from Cisco Talos who reported them to Natus. Natus took swift action and has now released an updated version of its software which remedies all of the weaknesses.

So far there have been no reported cases of the vulnerabilities being exploited in the wild, and no public exploits for the vulnerabilities have been seen. Natus recommends all users of the vulnerable software to update to NeuroWorks/SleepWorks 8.5 GMA 3 as soon as they can.

The update is available for free for users of NeuroWorks/SleepWorks Version 8.0, 8.1, 8.4, or 8.5. The Natus Neuro technical support department should be contacted for further details.

Along with updating to the latest version of the software, organizations can take additional steps to restrict the potential for zero-day vulnerabilities to be targeted.

The National Cybersecurity & Communications Integration Center (NCCIC) recommends limiting network exposure for all control systems and devices and ensuring they are not accessible online. Control systems and remote devices should be placed behind firewalls and should be isolated from the business network. If remote access is required, secure methods should be implemented to connect, such as Virtual Private Networks (VPNs), which should be constantly updated.