OTPulse

Natus Xltek NeuroWorks

Act Now · 10 · ICS-CERT ICSMA-18-165-01 · Jun 14, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Buffer overflow vulnerabilities in Natus Xltek NeuroWorks software (versions 8.0, 8.1, 8.4, 8.5) can cause device crashes and potentially allow remote code execution. Exploitation requires access to the customer network. The underlying weaknesses are CWE-125 (out-of-bounds read) and CWE-121 (stack-based buffer overflow).

What this means
What could happen
An attacker with network access to a NeuroWorks system could crash the device or execute arbitrary code, disrupting neurology/sleep diagnostics and potentially compromising patient data confidentiality.
Who's at risk
Healthcare facilities using Natus Xltek NeuroWorks for neurology and sleep diagnostics. This affects clinical diagnostic systems and the organizations relying on them for patient diagnosis and monitoring.
How it could be exploited
An attacker on your customer network sends specially crafted network traffic to the NeuroWorks device, triggering a buffer overflow condition. This could cause the device to crash immediately, or in the worst case allow the attacker to run commands on the system with the same privileges as the NeuroWorks application.
Prerequisites
  • Network access to the NeuroWorks device from within the customer/organizational network
  • NeuroWorks software version 8.0, 8.1, 8.4, or 8.5
  • No authentication or user interaction required
remotely exploitable · no authentication required · low complexity · high CVSS score (10.0) · affects healthcare/diagnostic system availability and patient data
Exploitability
Moderate exploit probability (EPSS 2.3%)
Affected products (1)
Product | Affected Versions | Fix Status
Natus Xltek NeuroWorks:88.5 GMA 3
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update NeuroWorks/SleepWorks to version 8.5 GMA 3
HOTFIX: Contact Natus Neuro Technical support (1-800-387-7516 or Oakville_Technical_Service@natus.com) to obtain and schedule the update
Long-term hardening
HARDENING: Implement network segmentation to restrict access to NeuroWorks devices from untrusted network segments
HARDENING: Monitor network traffic to NeuroWorks devices for anomalous patterns