Vulnerabilities Discovered in Natus Xltek NeuroWorks Software Lead to Official Warnings

Jun 28, 2018

ICS-CERT has released a warning after identifying eight vulnerabilities in version 8 of Natus Xltek NeuroWorks software implemented in Natus Xltek EEG medical products.

If the weaknesses are successfully exploited, they could allow an attacker to crash a vulnerable device or trigger a buffer overflow condition that would permit remote code execution.

All eight vulnerabilities have been given a CVSS v3 score above 7.0 and are rated high. Three of the weaknesses – tracked as CVE-2017-2853, CVE-2017-2868, and CVE-2017-2869 – have been given a CVSS v3 base score of 10, the highest possible score. CVE-2017-2867 has been given a base rating of 9.0, with the other four vulnerabilities – CVE-2017-2852, CVE-2017-2858, CVE-2017-2860, and CVE-2017-2861 – designated a rating of 7.5. The vulnerabilities are a combination of stack-based buffer overflow and out-of-bounds read flaws.

CVE-2017-2853 would permit an attacker to trigger a buffer overflow by sending a specially crafted packet to an affected product while the product tries to open a file requested by the client.

CVE-2017-2868 and CVE-2017-2869 refer to flaws in how the program parses data structures. Exploitation would permit a hacker to trigger a buffer overflow and execute arbitrary code, allowing the hacker to take complete control of the affected system.

The flaws were identified by security researcher Cory Duplantis from Cisco Talos who reported them to Natus. Natus took swift action and has now released an updated version of its software which remedies all of the weaknesses.

So far there have been no reported cases of the vulnerabilities being exploited in the wild, and no public exploits for the vulnerabilities have been seen. Natus recommends that all users of the vulnerable software update to NeuroWorks/SleepWorks 8.5 GMA 3 as soon as they can.

The update is available for free for users of NeuroWorks/SleepWorks Version 8.0, 8.1, 8.4, or 8.5. The Natus Neuro technical support department should be contacted for further details.

Along with updating to the latest version of the software, organizations can take additional steps to reduce the likelihood that zero-day vulnerabilities in these products can be exploited.

The National Cybersecurity & Communications Integration Center (NCCIC) recommends limiting network exposure for all control systems and devices and ensuring they are not accessible from the Internet. Control systems and remote devices should be placed behind firewalls and isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be used to connect, and the VPN software itself should be kept up to date.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
