Qualcomm Life Capsule DTS Vulnerability [CVE-2014-9222]
Affected Platforms
Qualcomm Life / Capsule Technologie Datacaptor Terminal Server – All versions
Description
Security researchers have discovered a vulnerability in the Qualcomm Life / Capsule Technologie Datacaptor Terminal Server (DTS) that could allow an attacker with network access to alter or disrupt communications from connected medical devices.
The Capsule DTS is a medical device gateway used by hospitals to connect bedside medical devices, such as monitors and respirators, to their wider network infrastructure. The DTS’s web management interface uses a software component that is vulnerable to CVE-2014-9222, better known as the ‘misfortune cookie’.
An attacker can exploit this vulnerability by using a specially crafted cookie to write data to arbitrary memory locations on the DTS. Such an attack could result in the DTS being made unavailable, or configured to spoof/leak communications with connected devices.
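As an added illustration (not code from the DTS, its web component, or the original advisory), the following C example models the class of bug described above, where request-supplied cookie data decides where a write lands, beside a hardened form. The cookie table, its sizes and the function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sizes for a hypothetical cookie table; not taken from the DTS. */
#define SLOT_COUNT 10
#define SLOT_SIZE  40
static char cookie_table[SLOT_COUNT][SLOT_SIZE];

/* Vulnerable pattern: the slot number and the value length both come from
 * the request and neither is checked, so the write can land outside
 * cookie_table. Shown for contrast only; nothing here calls it. */
void store_cookie_unchecked(const char *slot_text, const char *value)
{
    int slot = atoi(slot_text);              /* any integer is accepted */
    strcpy(cookie_table[slot], value);       /* no bound on slot or length */
}

/* Hardened pattern: parse strictly, range-check the slot, bound the copy.
 * Returns 0 on success, -1 if the request must be rejected. */
int store_cookie_checked(const char *slot_text, const char *value)
{
    char *end = NULL;
    long slot;
    size_t len;
    if (slot_text == NULL || value == NULL || *slot_text == '\0')
        return -1;
    errno = 0;
    slot = strtol(slot_text, &end, 10);
    if (errno != 0 || *end != '\0')          /* overflow or trailing junk */
        return -1;
    if (slot < 0 || slot >= SLOT_COUNT)      /* index outside the table */
        return -1;
    len = strlen(value);
    if (len >= SLOT_SIZE)                    /* value would overrun the slot */
        return -1;
    memcpy(cookie_table[slot], value, len + 1);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one slot inside the table, one far outside it. */
    printf("in range: %d, out of range: %d\n",
           store_cookie_checked("3", "lang=en"),
           store_cookie_checked("4096", "x"));
    return 0;
}
```

Where the component cannot be patched, the same principle applies at the network level: keep the web management interface unreachable from untrusted networks.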
Links
- URL:http://seclists.org/fulldisclosure/2014/Dec/87
- MISC:http://mis.fortunecook.ie/
- CONFIRM:http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-407666.htm
- CONFIRM:https://www.allegrosoft.com/allegro-software-urges-manufacturers-to-maintain-firmware-for-highest-level-of-embedded-device-security/news-press.html
- CERT-VN:VU#561444
- URL:http://www.kb.cert.org/vuls/id/561444
- BID:105173
- URL:http://www.securityfocus.com/bid/105173
Duncan is a technology professional with over 20 years’ experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.