Old “Misfortune Cookie” flaw opens medical gateway and devices to attack
A vulnerability in Qualcomm Life Capsule Datacaptor Terminal Server (DTS) can be exploited remotely, without authentication, to run unauthorized code and obtain administrator-level privileges on the device.
The vulnerability was flagged by Elad Luz, Head of Research at CyberMDX, and Qualcomm Life and Capsule Technologies SAS have pushed out firmware that plugs the hole.
About the Capsule’s DTS
Capsule DTS is a medical gateway device used by hospitals to connect their medical devices – usually bedside devices such as monitors, respirators, anesthesia, and infusion pumps – to the network.
Datacaptor has an embedded web management server/interface used for configuration; that server is built on a software component named “RomPager” from AllegroSoft.
About the vulnerability (CVE-2014-9222)
As it turned out, the RomPager versions (4.01 through 4.34) used by the DTS carry a vulnerability discovered in 2014 by Check Point researchers. “Back then, researchers primarily focused on home routers when searching affected devices,” the researchers noted.
CVE-2014-9222, a.k.a. “Misfortune Cookie”, allows attackers to write data to an arbitrary address in the device memory by simply sending a specially crafted HTTP cookie to the web management portal.
“This action can be performed with no authentication and the arbitrary write may be used to login without credentials, gain administrator-level privileges on the terminal server, or simply crash them. This may result in harm to the device availability as well as the network connectivity of the serial medical devices connected to it,” they explained.
Patching and mitigation
Qualcomm Life and Capsule Technologies SAS say that the vulnerability does not affect any other Capsule Technologies products and that they have no knowledge of it being exploited in the wild.
ICS-CERT also says that there are no known public exploits that specifically target this vulnerability.
The vendors have released a firmware update to fix this vulnerability on the Single Board version of the DTS (originally released mid-2009) but, due to technical limitations, the Dual Board versions, Capsule Digi Connect ES converted to DTS, and Capsule Digi Connect ES won’t be receiving the update.
Owners of the unpatched models can still mitigate the risk of exploitation by disabling the embedded webserver. “The webserver is only utilized for configuration during the initial deployment and is not necessary for continued remote support of the device,” they explained.
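For hospital security teams that need to find affected gateways and then confirm the mitigation took effect, the following is an added example (not CyberMDX, Qualcomm Life or Capsule code) that fingerprints the RomPager version from the management interface's HTTP Server header, flags the 4.01 through 4.34 range the article lists, and reports "no-webserver" when nothing answers on the management port, which is what the vendor's "disable the embedded webserver" mitigation should produce. The sample response embedded below is constructed for offline use, not captured from a real DTS, and the host/port arguments are assumptions.

```python
"""Fingerprint RomPager (CVE-2014-9222 "Misfortune Cookie") on a DTS-style
management interface and verify the "webserver disabled" mitigation.

Added example, not vendor or researcher code. Version range follows the
article: RomPager 4.01 through 4.34 is treated as affected.
"""
import re
import socket

AFFECTED_MIN = (4, 1)   # RomPager 4.01
AFFECTED_MAX = (4, 34)  # RomPager 4.34 (range stated in the article)

# RomPager advertises itself in the Server header, e.g. "Server: RomPager/4.07 UPnP/1.0".
SERVER_RE = re.compile(r"^Server:\s*RomPager/(\d+)\.(\d+)", re.IGNORECASE | re.MULTILINE)


def rompager_version(http_response: str):
    """Return (major, minor) parsed from a RomPager Server header, or None if absent."""
    m = SERVER_RE.search(http_response)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(version) -> bool:
    """True when the version tuple falls inside the affected range (inclusive)."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def classify_banner(banner: str) -> str:
    """Classify a raw HTTP response: 'not-rompager', 'affected' or 'other-version'."""
    version = rompager_version(banner)
    if version is None:
        return "not-rompager"
    return "affected" if is_affected(version) else "other-version"


def fetch_banner(host: str, port: int = 80, timeout: float = 5.0):
    """Send a minimal HEAD request and return the raw response text.

    Returns None when the port does not answer (connection refused or timeout),
    which is the expected state once the embedded webserver has been disabled.
    No cookie is sent, so this does not touch the vulnerable cookie handling.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks).decode("latin-1")
    except OSError:
        return None


def assess(host: str, port: int = 80) -> str:
    """Full check for one host: 'no-webserver' or one of classify_banner's results."""
    banner = fetch_banner(host, port)
    if banner is None:
        return "no-webserver"
    return classify_banner(banner)


# Constructed sample response (not captured from a real device) for offline use.
SAMPLE_RESPONSE = (
    "HTTP/1.0 401 Unauthorized\r\n"
    "Server: RomPager/4.07 UPnP/1.0\r\n"
    'WWW-Authenticate: Basic realm="DTS"\r\n'
    "\r\n"
)

if __name__ == "__main__":
    # Offline demonstration; replace with assess("<gateway-ip>") on a real network.
    print("sample banner ->", classify_banner(SAMPLE_RESPONSE))
```

Run `assess()` against each DTS management address before and after applying the mitigation: a result of "affected" means the interface still answers with a RomPager build in the listed range, and "no-webserver" is the state you want on the Dual Board, Digi Connect ES and converted units that will not receive firmware. The check only reads the Server header; it does not send any cookie and so exercises none of the vulnerable code path.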