Misfortune Cookie vulnerability returns to impact medical devices

Aug. 31, 2018

A severe security flaw impacting routers and disclosed four years ago has once again returned to the field, but this time, medical devices are potentially at risk.

The vulnerability, known as Misfortune Cookie, has been assigned a severity rating of 9.8.

Otherwise known as CVE-2014-9222, the bug first came on the radar through disclosure by Check Point researchers in 2014.

According to the cybersecurity firm, Misfortune Cookie impacted residential gateway SOHO routers from a variety of vendors. If exploited, the security flaw allowed attackers to remotely hijack devices.

A new security advisory issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) says that the vulnerability has now been found in medical device systems.

The equipment in question is the Datacaptor Terminal Server (DTS), a medical device gateway developed by Qualcomm Life subsidiary Capsule Technologies SAS.

The gateway is used in hospitals to connect medical devices to larger network infrastructure.

Cybersecurity firm CyberMDX discovered the presence of the flaw, which attackers can exploit to perform a remote arbitrary memory write that could lead to unauthorized login and code execution.

The previously undocumented vulnerability in the device is present in a software component called “RomPager” from AllegroSoft used by the DTS web interface.

According to the company, the version of RomPager in use is older than 4.07 and is therefore susceptible to Misfortune Cookie. More up-to-date versions of the component are not affected.

When the four-year-old flaw is exploited against medical devices, it is possible for DTS configurations to be tampered with, communication to be spoofed, and information to be stolen.

CyberMDX reported its findings to Qualcomm Life, which developed a firmware patch to resolve the security issue.

ZDNet has the full story
