In December 2104, researchers at Check Point Software Technologies discovered the Misfortune Cookie vulnerability, a flaw that was affecting millions of devices running an embedded web server called RomPager, the vulnerability could be exploited by an attacker to run a man-in-the-middle attack on traffic going to and from home routers from every manufacturer.
An attacker that is able to compromise a vulnerable device like a home router could use it as an entry point in a target network and hack other devices.
Four years later, the Misfortune Cookie vulnerability is still threatening devices worldwide, in particular, medical equipment that connects bedside devices to the hospital’s network infrastructure.
Researchers from security firm CyberMDX discovered that flawed versions of RomPager (4.01 through 4.34 ) ran on different variants of Capsule Datacatptor Terminal Server (DTS) included in medical device information system.
The gateway device connects bedside equipment (anesthesia and infusion pumps, respirators and IoT products) to the network.
“CyberMDX discovered a previously undocumented vulnerability in the device, noting that Qualcomm Life’s Capsule Datacaptor Terminal Server (a medical device gateway) is exposed to the “misfortune cookie” CVE-2014-9222. This opens the possibility for remote arbitrary memory write, which can lead to unauthorized login and code execution.” reads the security advisory published by the company.
Experts warn that modifying the configuration of the Capsule Datacaptor Terminal Server directly influences the connectivity of the medical device. The attacker can exploit the flaw to steal the patient’s sensitive information.
“Altering the availability and/or configuration of the Capsule Datacaptor Terminal Server directly influences the connectivity of the medical device and allows spoofing communication to and/or from the medical device. In other words — when patient’s sensitive information is sent from a medical device it can be leaked and spoofed by an attacker in this situation.” continues the report.
The bad news is that an exploit code for this flaw is available online.
The US ICS-CERT issued an alert for the vulnerability, the flaw tracked as CVE-2014-9222 received a severity score of 9.8 out of 10
“This vulnerability allows an attacker to send a specially crafted HTTP cookie to the web management portal to write arbitrary data to the device memory, which may allow remote code execution,” states the ICS-CERT.
Qualcomm Life Capsule Technologies has released a security patch to address the vulnerability, but it only works for the Single Board variant of the DTS, from 2009, instead, it is not possible to use it on The Dual Board, Capsule Digi Connect ES and Capsule Digi Connect ES converted to DTS.
Administrators of the products that cannot be updated should disable the embedded server as mitigation, the webserver, in fact, is only utilized for configuration during the initial deployment and is not necessary for remote support of the device.
NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Below the recomendations included in the ICS-CERT alert: