Vulnerability Found in Capsule Technologies SmartLinx Neuron 2 Medical Data Collection Devices

The CVSS v3 base rating of vulnerability CVE-2019-5024 is 7.6 out of 10. This vulnerability was observed in Capsule Technologies SmartLinx Neuron 2 medical data collection devices using software program version 6.9.1. SmartLinx Neuron 2 is actually a bedside compact clinical computer used for automatic recording of vital signs data and linking to the hospital’s medical device data systems.

The breakdown of a defense mechanism under the kiosk mode brings into play vulnerability CVE-2019-5024, which is a restricted environment exit vulnerability. The vulnerability affects all devices of Capsule Technologies SmartLinx Neuron 2 using versions prior to version 9.0.

In Kiosk mode, the environment is restricted and users cannot abandon the running applications to choose the base operating system. If an attacker exploits this vulnerability, he can get out of kiosk mode to utilize the base operating system having full admin privileges. That means the attacker gets absolute command of a trusted device linked to the hospital’s internal system.

To exploit the vulnerability, it is necessary that the attacker has physical access to the device. That is possible when the device is linked to a keyboard or an HID device through a USB port. Activation of the vulnerability is done by utilizing a specific pattern of keyboard inputs or by inputting a code that copies the human keyboard input using a USB Rubber Ducky.

Patrick DeSantis from Cisco Talos identified the vulnerability and informed Capsule Technologies about it. Even with a low level of skill, an attacker can make use of the vulnerability provided that the vulnerability’s public exploits can be found in the public domain.

The vulnerability was identified in an unsupported software program version. Nonetheless, a lot of hospitals are currently using that software. Capsule Technologies already resolved the vulnerability found in software program versions 9.0 and earlier versions than 10.1.

All users of the device were advised to use the software’s supported versions – the updated version 9.0 or later versions. Physical access to medical devices is restricted. Devices are confined within the organization’s security boundary. Internal systems no longer give complete trust to the devices. If possible, the USB ports are inactive or blocked. Logs are assessed to identify any unauthorized peripherals connected to the vulnerable devices.