CVE-2017-2853
Published 2018-04-05
Priority P262 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.44% (87.5th percentile)
An exploitable Code Execution vulnerability exists in the RequestForPatientInfoEEGfile functionality of Natus Xltek NeuroWorks 8. A specially crafted network packet can cause a stack buffer overflow resulting in arbitrary command execution. An attacker can send a malicious packet to trigger this vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| natus | xltek_neuroworks | — | — |
| natus_medical_incorporated | natus | — | — |
Detection & IOCs
Snort SIDs: 43150, 43192, 43518, 43489
- Trigger is a specially crafted network packet containing the 'RequestForPatientInfoEEGfile' command with an oversized path value, causing a stack buffer overflow; monitor for anomalously large path fields in NeuroWorks network traffic.
- For the DoS variant (TALOS-2017-0354), detect packets where the itemlist length field in the deserialization header contains an invalid/oversized value.
- Exploitation requires no authentication; any unauthenticated network packet targeting the NeuroWorks service port should be treated as suspicious and inspected for oversized fields.
- Snort rules 43150 and 43192 cover the DoS variants (TALOS-2017-0354 / CVE-2017-2853 ItemList Deserialization); rules 43518 and 43489 cover the code-execution variants from the first advisory. Verify which rule SID maps to CVE-2017-2853 specifically via FireSIGHT Management Center or Snort.org, as the CVE is referenced under two different TALOS IDs (TALOS-2017-0354 and TALOS-2017-0355) across the two advisories.
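CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |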
No detection rules found.
No public exploits indexed.
Talos
Vulnerability Spotlight: Natus NeuroWorks Multiple Vulnerabilities
blogs_talos · 2018-05-31 · CVSS 9.8 · CRITICAL
Vulnerabilities discovered by Cory Duplantis from Cisco Talos.
## Overview
In April 2018, Talos published five vulnerabilities in Natus NeuroWorks software. We have also identified three additional vulnerabilities. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an ethernet connection for data acquisition and connection to networks. The vulnerabilities exposed here can cause the affected service to crash. The vulnerabilities can be triggered remotely without authentication.
We strongly recommend readers to refer to the "Discussion" part of the previous article in order to clearly understand the risk of vulnerabilities targeting health devices. Natus has released Neuroworks 8.5 GMA3 to address these issues. Talos recomm
Talos
Vulnerability Spotlight: Natus NeuroWorks Multiple Vulnerabilities
blogs_talos · 2018-04-04
Vulnerabilities discovered by Cory Duplantis from Talos.
### Overview
Talos has discovered multiple vulnerabilities in Natus NeuroWorks software. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an ethernet connection for data acquisition and connection to networks.
We identified a number of vulnerabilities falling into two classes:
- Four code execution vulnerabilities
- One denial of service vulnerability.
The first category allows code execution on the medical device through a specially crafted network packet. The second category can cause the vulnerable service to crash. The vulnerabilities can be triggered remotely without authentication.
### Discussion
Clinicians rely on accurate clinical data in order to deci