Critical ‘Misfortune Cookie’ Flaw Identified in Qualcomm Life Capsule Datacaptor Terminal Server

A code weakness has been discovered in Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS). The flaw could be exploited remotely, allowing an attacker to obtain administrator-level privileges and execute code.

Qualcomm Life’s Capsule Datacaptor Terminal Server is a medical gateway device used by many U.S. hospitals to network their medical devices. It connects respirators, bedside monitors, infusion pumps and other medical devices to the network, and has a web management interface that allows it to be operated and configured remotely.

The flaw affects the Allegro RomPager embedded webserver (versions 4.01 through 4.34), which is included in all versions of Capsule DTS. An attacker could exploit the flaw by sending a specially crafted HTTP cookie to the web management portal, allowing arbitrary data to be written to the device’s memory and ultimately permitting remote code execution. The exploit would require little skill to perform and requires no authentication. If the flaw is exploited, the availability of the device could be harmed and the network connectivity of all medical devices networked through the device could be disrupted.

The vulnerability, tracked as CVE-2014-9222, is classed as critical and has been assigned a CVSS v3 base score of 9.8 out of 10.

While the vulnerability in Qualcomm Life’s Capsule Datacaptor Terminal Server has only just been discovered, it dates back more than four years. The vulnerability, known as Misfortune Cookie, was identified by Check Point researchers in 2014, and by Allegro nine years ago. While Allegro addressed the flaw in version 4.34 of its firmware, that version was not adopted by many chipset manufacturers, who continued to supply software development kits containing the vulnerable version of the firmware.

The vulnerability was recently discovered to affect the Qualcomm Life Capsule DTS by Elad Luz, Head of Research at CyberMDX, who notified Qualcomm Life, allowing an update to be issued to correct the flaw prior to public disclosure. Luz also recently identified a critical flaw in certain BD Alaris Plus medical syringe pumps.

Qualcomm Life has issued a firmware upgrade for the Single Board version of DTS, which can be downloaded from the Capsule customer portal and applied to the device using standard patching processes. Unfortunately, due to technical limitations, the patch cannot be applied to other versions of DTS, including Dual Board, Capsule Digi Connect ES, and Capsule Digi Connect ES converted to DTS.

To address the flaw in those versions, Capsule recommends disabling the embedded webserver. Since the embedded webserver is only required for initial configuration, and not for continued use of the device, disabling the webserver will not adversely affect functionality of the device.
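The remediation split described above can be applied to an asset inventory offline. The following is an added example, not code from Qualcomm Life, Capsule or CyberMDX: it treats the article's RomPager range (4.01 through 4.34) as inclusive and maps each device to the firmware upgrade or the webserver-disable step. The `RomPager/<version>` Server banner format, the inventory layout and the asset names are assumptions made for illustration.

```python
import re

# Affected RomPager range as stated in this article (treated as inclusive).
AFFECTED_MIN, AFFECTED_MAX = (4, 1), (4, 34)
# Per the article, only the Single Board DTS has a firmware upgrade.
PATCHABLE_VARIANTS = {"single board"}

# Assumed banner format: "RomPager/<major>.<minor>" inside the Server header.
_BANNER = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)

def rompager_version(server_header):
    """Return (major, minor) from an HTTP Server header, or None."""
    m = _BANNER.search(server_header or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(variant, server_header):
    """Map one inventory record to a remediation action.

    server_header is None when the management port gave no HTTP response,
    i.e. the embedded webserver appears to be disabled.
    """
    if server_header is None:
        return "ok: webserver not reachable"
    version = rompager_version(server_header)
    if version is None:
        return "review: webserver reachable, banner not RomPager"
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "review: RomPager outside the article's affected range"
    if variant.strip().lower() in PATCHABLE_VARIANTS:
        return "apply firmware upgrade from the Capsule customer portal"
    return "disable embedded webserver"

# Constructed inventory rows: (asset name, DTS variant, Server header or None).
SAMPLE_INVENTORY = [
    ("dts-icu-01", "Single Board", "RomPager/4.07 UPnP/1.0"),
    ("dts-icu-02", "Dual Board", "RomPager/4.07 UPnP/1.0"),
    ("dts-er-01", "Capsule Digi Connect ES", None),
    ("dts-er-02", "Dual Board", "RomPager/4.51 UPnP/1.0"),
]

def report(inventory):
    """Return {asset name: action} for every inventory row."""
    return {name: triage(variant, header) for name, variant, header in inventory}

if __name__ == "__main__":
    for name, action in report(SAMPLE_INVENTORY).items():
        print(f"{name}: {action}")
```

A device that still answers on its management port after the webserver was meant to be disabled shows up here as anything other than "ok", which makes the same function usable as a post-remediation check.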

“Uncovering these vulnerabilities illustrates how responsible disclosure between cybersecurity researchers and medical device vendors can work when both sides are committed to improving patient safety,” said Luz.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.