ICS-CERT has issued an advisory following the discovery of eight vulnerabilities in version 8 of Natus Xltek NeuroWorks software used in Natus Xltek EEG medical products.
If successfully exploited, the vulnerabilities could allow a malicious actor to crash a vulnerable device or trigger a buffer overflow condition that would allow remote code execution.
All eight vulnerabilities have been assigned a CVSS v3 score above 7.0 and are rated high. Three of the vulnerabilities – tracked as CVE-2017-2853, CVE-2017-2868, and CVE-2017-2869 – have been assigned a CVSS v3 base score of 10, the highest possible score. CVE-2017-2867 has been assigned a base score of 9.0, with the other four vulnerabilities – CVE-2017-2852, CVE-2017-2858, CVE-2017-2860, and CVE-2017-2861 – given a rating of 7.5. The vulnerabilities are a combination of stack-based buffer overflow and out-of-bounds read vulnerabilities.
CVE-2017-2853 would allow an attacker to cause a buffer overflow by sending a specially crafted packet to an affected product while the product attempts to open a file requested by the client.
CVE-2017-2868 and CVE-2017-2869 relate to flaws in how the program parses data structures. Exploitation would allow an attacker to trigger a buffer overflow and execute arbitrary code, allowing the attacker to take full control of the affected system.
The vulnerabilities were discovered by security researcher Cory Duplantis of Cisco Talos, who reported them to Natus. Natus took immediate action and has now released an updated version of its software that corrects all of the flaws.
To date, there have been no reported instances of the vulnerabilities being exploited in the wild, and no public exploits for the vulnerabilities are known. Natus recommends that all users of the vulnerable software update to NeuroWorks/SleepWorks 8.5 GMA 3 as soon as possible.
The update is available free of charge for users of NeuroWorks/SleepWorks Version 8.0, 8.1, 8.4, or 8.5. The Natus Neuro technical support department should be contacted for further information.
In addition to updating to the latest version of the software, organizations can take further steps to limit the potential for zero-day vulnerabilities to be exploited.
The National Cybersecurity & Communications Integration Center (NCCIC) recommends minimizing network exposure for all control systems and devices and ensuring they are not accessible over the Internet. Control systems and remote devices should be located behind firewalls and should be isolated from the business network. If remote access is necessary, secure methods should be used to connect, such as Virtual Private Networks (VPNs), which should be kept up to date.