Four years ago, the Misfortune Cookie vulnerability posed a threat to residential SOHO routers and was present in over 200 models from different manufacturers.  The vulnerability allowed hackers to remotely access the routers and hijack the devices.  The old vulnerability has reared its head again but this time the vulnerability is present in medical device systems.

ICS-CERT has issued a security alert for the Datacaptor Terminal Server (DTS), a medical device gateway developed by Qualcomm Life subsidiary Capsule Technologies SAS.  The device is commonly used in hospitals to connect bedside equipment, such as infusion pumps and respirators to the hospital network.

According to ICS-CERT advisory, the “vulnerability allows an attacker to send a specially crafted HTTP cookie to the web management portal to write arbitrary data to the device memory, which may allow remote code execution,”.   This could allow an attacker without authentication to access, view or alter data on the system, login without credentials, gain administrator-level privileges on the terminal server, or simply crash the system.  This vulnerability could also lead to access of other devices on the network and pose a serious risk to patient confidentiality as well as their own wellbeing.

Capsule Technologies has released a patch for the vulnerability but unfortunately it only applies to a single variant of the effected hardware.  Technical limitations prevent the remaining devices from being patched and will remain at risk for at least the time being.

Currently there are no known active attacks for this vulnerability but given the high security threat potential, Capsule Technologies has advised product administrators to disable the embedded server on these devices (a process that is only used during device setup) to mitigate risk.