ICS-CERT has released an advisory following the discovery of eight vulnerabilities in version 8 of Natus Xltek NeuroWorks software, which is utilized in Natus Xltek EEG healthcare products.
Should the vulnerabilities be successfully exploited, an attacker could cause devices to crash or trigger a buffer overflow condition that would allow the remote execution of arbitrary code.
All the vulnerabilities were assigned a CVSS v3 score over 7.0. Three vulnerabilities – CVE-2017-2853, CVE-2017-2868, and CVE-2017-2869 – were given a CVSS v3 base score of 10, the maximum score possible. CVE-2017-2867 has been given a base score of 9.0, while the other four vulnerabilities – CVE-2017-2852, CVE-2017-2858, CVE-2017-2860, and CVE-2017-2861 – received a score of 7.5. The flaws are out-of-bounds read vulnerabilities and stack-based buffer overflow conditions.
CVE-2017-2853 allows an attacker to trigger a buffer overflow by sending a specially crafted packet to a vulnerable product while the product tries to access a file that the client requested.
CVE-2017-2868 and CVE-2017-2869 are linked to defects in the way the software parses data structures. An attacker exploiting these vulnerabilities could trigger a buffer overflow and execute arbitrary code, potentially taking control of the compromised system.
Cory Duplantis, a security researcher from Cisco Talos, discovered the vulnerabilities and reported them to Natus. Natus has already issued an updated version of its software that corrects all of the vulnerabilities.
Thus far there have been no reported cases of exploitation of the vulnerabilities. In addition, no public exploits for the vulnerabilities have been identified. Natus advises all end users of susceptible software to upgrade to NeuroWorks/SleepWorks 8.5 GMA 3 without delay.
The upgrade is offered at no cost to end users of NeuroWorks/SleepWorks Version 8.0, 8.1, 8.4, or 8.5. Users may contact the Natus Neuro technical support team for more details. Besides installing the latest software version, organizations may take additional steps to reduce the chance of zero-day vulnerabilities being exploited.
The National Cybersecurity & Communications Integration Center (NCCIC) advises minimizing network exposure for all control systems and equipment by ensuring they are not accessible from the Internet. Control systems and remote devices should be protected behind firewalls and must be separated from the business network. Where remote access is required, secure methods must be used to connect, such as Virtual Private Networks (VPNs), which must be kept updated.