Vulnerability Discovered in Capsule Technologies SmartLinx Neuron 2 Medical Data Collection Devices

A vulnerability of high severity was found in Capsule Technologies SmartLinx Neuron 2 medical data collection devices operating on software version 6.9.1. SmartLinx Neuron 2 is a bedside portable clinical computer that records vital signs information on auto pilot and links to the medical device data systems of the hospital.

The vulnerability CVE-2019-5024 is a restricted environment escape vulnerability caused by the incapability of a defense mechanism in the kiosk mode. All versions of Capsule Technologies SmartLinx Neuron 2 before version 9.0 have this vulnerability.

Kiosk mode refers to a restricted environment that inhibits users from leaving the running apps and using the base operating system. An attacker that exploits the vulnerability can leave kiosk mode and use the base operating system with complete admin privileges. That could enable the attacker to have total control of a trusted gadget on the internal network of the hospital.

An attacker must have physical access to the device in order to exploit the vulnerability. The vulnerability may be taken advantage of by linking to the device a keyboard or any HID device via a USB port. The vulnerability may be activated by using a particular sequence of keyboard inputs or, another option is by encoding a code that imitates human keyboard input together with a USB Rubber Ducky.

Patrick DeSantis of Cisco Talos discovered the vulnerability and reported it to Capsule Technologies. An attacker with a low level of skill can exploit the vulnerability as long as the public exploits for the vulnerability are available in the public domain. The CVSS v3 base score of the vulnerability is 7.6 out of 10.

The vulnerability was found in an unsupported software version, however, that version is presently being utilized in a lot of hospitals. Capsule Technologies has fixed the vulnerability in software versions 9.0 and those lower than the present 10.1 version.

All device users were instructed to update the software to the supported versions, which are version 9.0 or later. Restricted physical access to the devices must be implemented as much as can be done and it must stay beyond the organization’s security border. It is furthermore crucial to make certain that the internal systems do not completely trust the devices. When possible, the USB ports must be deactivated or blocked, and logs should be reviewed in order to identify any unauthorized peripherals on the vulnerable devices.