Weaknesses Found in Natus Xltek NeuroWorks Software Result in Official Warnings

June 30, 2018


ICS-CERT has issued an alert after finding eight weaknesses in version 8 of Natus Xltek NeuroWorks software applied in Natus Xltek EEG medical products.

If the vulnerabilities are successfully abused they might allow a hacker to smash a weak appliance or activate a buffer overflow state that would allow distant code implementation.

All eight weaknesses have been given a CVSS v3 score above 7.0 and are rated high.  Three of the vulnerabilities – traced as CVE-2017-2853, CVE-2017-2868, and CVE-2017-2869 – have been provided a CVSS v3 base score of 10, the maximum possible score. CVE-2017-2867 has been given a base ranking of 9.0, with the other four weaknesses – CVE-2017-2852, CVE-2017-2858, CVE-2017-2860, and CVE-2017-2861 – designated a ranking of 7.5. The weaknesses are a blend of stack-based buffer overflow and out-of-bounds read flaws.

CVE-2017-2853 would allow a hacker to create buffer overflow by forwarding a specifically created packet to an impacted product while the product attempts to open a file requested by the customer.

CVE-2017-2868 and CVE-2017-2869 refer to faults in how the program analyzes data structures. Abuse would allow a hacker to activate a buffer overflow and implement random code, letting the hacker to take full control of the affected system.

The faults were found by safety scientist Cory Duplantis from Cisco Talos who informed them to Natus. Natus took quick action and has now issued an updated version of its software which remedies all of the vulnerabilities.

So far there have been no reported cases of the weaknesses being abused in the wild, and no public abuses for the weaknesses have been noticed. Natus recommends all users of the susceptible software to update to NeuroWorks/SleepWorks 8.5 GMA 3 as quickly as they can.

The update is obtainable for free for users of NeuroWorks/SleepWorks Version 8.0, 8.1, 8.4, or 8.5. The Natus Neuro technical support division must be communicated for more details.

Together with updating to the latest version of the software, companies can take extra steps to limit the possibility for zero-day weaknesses to be targeted.

The National Cybersecurity & Communications Integration Center (NCCIC) suggests restricting network experience for all control systems and appliances and making sure they are not accessible online. Control systems and distant appliances must be placed at the back of firewalls and must be separated from the business network. If distant access is needed, safe methods must be applied to connect, like Virtual Private Networks (VPNs), which must be continuously updated.