There is a code weakness found in Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS) that allows an attacker to get administrator privileges and remotely make changes to the code.
The Qualcomm Life Capsule’s DTS is utilized by a lot of U.S. hospitals to network their medical devices. The Datacaptor Terminal Server links infusion pumps, respirators, bedside monitors and other medical equipment to the network. The Datacaptor Terminal Server uses a web management interface which permits it to be operated and set up remotely.
The flaw impacts the Allegro RomPager embedded webserver (versions 4.01 through 4.34) which is a part of all versions of Capsule DTS. The flaw can be exploited by an attacker by sending a particularly designed HTTP cookie to the web management portal, permitting arbitrary data to be written to the devices’ memory, eventually allowing remote code execution. The exploit will necessitate some skill to perform and demands no authentication. When exploited, availability of the device can be impaired, causing disruption to the network connectivity of all medical devices networked via the device.
The weakness, tracked as CVE-2014-9222, is categorised as critical and has been designated a CVSS v3 base score of 9.8 out of 10. Although the flaw in Qualcomm Life’s Capsule DTS has only been identified, it dates back more than four years. This vulnerability is called Misfortune Cookie and it was discovered by Checkpoint researchers in 2014, and by Allegro in 2011. Although Allegro dealt with the flaw in version 4.34 of its firmware, numerous chipset makers did not adopt that version but continued to source software development kits containing the vulnerable version of the firmware.
Elad Luz, Head of Research at CyberMDX shortly identified the weakness to affect the Qualcomm Life Capsule DTS and she informed Qualcomm Life permitting an update to be issued to resolve the flaw before public disclosure. Luz also recently discovered a critical vulnerability in selected BD Alaris Plus medical syringe pumps.
Qualcomm Life released a firmware upgrade for the Single Board version of DTS which could be downloaded from the customer portal of Capsule and employed to the device using standard patching processes. Regrettably, due to technical restrictions, it isn’t possible to use the patch to other versions of DTS such as the Capsule Digi Connect ES, Capsule Digi Connect ES and Dual Board.
To correct the flaw in those versions, Capsule advises deactivating the embedded webserver. Given that the embedded webserver is just necessary for initial configuration, and not for ongoing use of the apparatus, turning off the webserver is not going to negatively affect the performance of the device.
Discovering these flaws shows how vital it is for cybersecurity researchers and medical device suppliers to exercise responsible disclosure and work towards bettering patient safety.