Qualcomm Life Capsule Datacaptor Terminal Server Beset With ‘Misfortune Cookie’

There is a code vulnerability discovered in Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS). A threat actor could remotely exploit the vulnerability to acquire administrator level rights and remotely implement code.

The Datacaptor Terminal Server of Qualcomm Life Capsule is a healthcare gateway device employed by numerous American hospitals to link their healthcare gadgets. The Datacaptor Terminal Server is employed to hook up respirators, infusion pumps, bedside monitors and other healthcare equipment to the network. The Datacaptor Terminal Server utilizes a web management interface that enables it to be controlled and configured remotely.

The vulnerability is affecting the Allegro RomPager embedded webserver (models 4.01 to 4.34) which is built into all models of Capsule DTS. The vulnerability may be taken advantage of by a threat actor by sending a notably created HTTP cookie to the net management site, enabling arbitrary information to be written to the equipment’s memory, consequently enabling the execution of the remote code. The exploit is going to call for a bit of skill to accomplish and necessitates no authentication. In case exploited, availability of the equipment may be ruined, causing interruption to the network access of all healthcare devices networked by means of the device.

The flaw, monitored as CVE-2014-9222, is classified as critical and was given a CVSS v3 base rating of 9.8. Though Qualcomm Life’s Capsule Datacaptor Terminal Server has just been found to have this flaw, it goes back over 4 years. The flaw, also known as Misfortune Cookie, was found by Checkpoint researchers in 2014, and by Allegro 9 years back. Though Allegro attended to the vulnerability in version 4.34 of its software, a lot of chipset companies didn’t adopt that model but went on to provide software development packages with the flawed firmware version.

Elad Luz, Head of Research at CyberMDX just lately found the flaw to impact the Qualcomm Life Capsule DTS and she alerted Qualcomm Life enabling an upgrade to be released to fix the vulnerability well before public disclosure. Luz additionally recently found a serious defect in particular BD Alaris Plus medical syringe pumps.

Qualcomm Life had a firmware update for the Single Board model of DTS which may be downloaded from Capsule’s customer portal and implemented to the device utilizing standard patching processes. Sadly, because of technical constraints, it’s not possible to implement the patch to other models of DTS like Capsule Digi Connect ES, Dual Board and Capsule Digi Connect ES modified to DTS.

To resolve the defect in those models, Capsule suggests switching off the embedded webserver. Because the embedded webserver is basically needed for preliminary setup, and not for prolonged use of the equipment, deactivating the webserver really won’t detrimentally impact the operation of the device.

Finding these defects demonstrates how critical it is for cybersecurity researchers and healthcare device manufacturers to exercise conscientious disclosure and work towards strengthening patient security.