Qualcomm Life Capsule Datacaptor Terminal Server Vulnerability

Vedere Labs Team (formerly CyberMDX) Discovers Vulnerability in Qualcomm Life's Capsule Datacaptor Terminal Server (DTS)

ICS-CERT Advisory (ICSMA-18-240-01)

Risk: High. A CVSS v3 grade of 9.8 has been calculated. The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Date Discovered by Vedere Labs: May 8, 2018
ICS-CERT Advisory date: August 28, 2018 

Summary

Vedere Labs discovered a previously undocumented vulnerability in the device, noting that Qualcomm Life’s Capsule Datacaptor Terminal Server  (a medical device gateway) is exposed to the “misfortune cookie” CVE-2014-9222. This opens the possibility for remote arbitrary memory write, which can lead to unauthorized login and code execution.

Vulnerability Details

Product background

Qualcomm Life’s Datacaptor Terminal Server is a popular medical gateway device in the Capsule product line used by hospitals to connect their medical devices to the larger digital network infrastructure. The gateway is typically used to connect bedside devices such as monitors, respirators, anesthesia delivery systems, and infusion pumps.

The Vulnerable Component

Like many other IoT devices, the Capsule Datacaptor Terminal Server has a web management interface used for configuration.

The web management uses a software component named “RomPager” from AllegroSoft. The “RomPager” version being used by the Capsule Datacaptor Terminal Server is of an earlier version than 4.07,  and is rendered vulnerable to CVE-2014-9222, AKA “Misfortune Cookie”.

“Misfortune cookie”

The “Misfortune Cookie” vulnerability was discovered by Checkpoint in 2014. Back then, researchers primarily focused on home routers when searching affected devices.

Using a specially crafted cookie, an attacker can write data to an arbitrarily address in the device memory, opening the door to a denial of service attack, unauthenticated login, code execution, and more.

Consequences

Altering the availability and/or configuration of the Capsule Datacaptor Terminal Server directly influences the connectivity of the medical device and allows spoofing communication to and/or from the medical device. In other words — when patient’s sensitive information is sent from a medical device it can be leaked and spoofed by an attacker in this situation.

Recommendations:

After collaboration with Qualcomm Life, we recommend updating your Qualcomm Life Capsule devices to their latest software versions in order to overcome this vulnerability. As a preventive action, we advise disabling access to the device’s management ports, including HTTP — or at least restricting it to relevant parties only.

Official vendor advisory:

Qualcomm Life, Inc. (QCL) and its subsidiary Capsule Technologies SAS have been made aware of a vulnerability in the Capsule Datacaptor Terminal Server (DTS) and Capsule has confirmed the vulnerability in all versions of the DTS. The vulnerability affects the embedded Allegrosoft RomPager web server that is integrated within DTS devices.

The vulnerability was first reported to QCL by Elad Luz, head of research at CyberMDX, now a Forescout Company. Named the “Misfortune Cookie” and referenced by CVE-2014-9222, the vulnerability is associated with the processing of cookies by the web server. Specifically, this vulnerability allows an attacker to send a specially crafted HTTP cookie to the web management portal to write arbitrary data to the device memory. This could allow unauthorized code to be executed and could allow the attacker to obtain administrator-level privileges on the device. 

At this time, QCL is not aware of any exploitation of this vulnerability on DTS products deployed in customer facilities.

This vulnerability does not affect any other Capsule Technologies products.

Capsule has released a firmware update to remediate this vulnerability on the “Single Board” version of the DTS, that was originally released mid-2009. Capsule strongly urges all customers with a Single Board version of the DTS to download the firmware from Capsule’s Customer Portal and apply it to the affected devices following your standard patching processes.

Due to technical limitations, the firmware update will remediate ONLY the Single Board version of the DTS and will NOT remediate these other versions of DTS:

• Dual Board
• Capsule Digi Connect ES converted to DTS
• Capsule Digi Connect ES

Capsule recommends that customers with any of these three versions of DTS disable the embedded webserver to mitigate the vulnerability. The webserver is only utilized for configuration during the initial deployment and is not necessary for continued remote support of the device.

Credit

Elad Luz, Head of Research at CyberMDX, a Forescout Company