Misfortune Cookie vulnerability returns to impact medical devices

Aug. 31, 2018

A severe security flaw impacting routers and disclosed four years ago has once again returned to the field, but this time, medical devices are potentially at risk.

The vulnerability, known as Misfortune Cookie, has been assigned a severity rating of 9.8.

Otherwise known as CVE-2014-9222, the bug first came on the radar through disclosure by Check Point researchers in 2014.

According to the cybersecurity firm, Misfortune Cookie impacted residential gateway SOHO routers from a variety of vendors. If exploited, the security flaw allowed attackers to remotely hijack devices.

A new security advisory issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) says that the vulnerability has now been found in medical device systems.

The equipment in question is the Datacaptor Terminal Server (DTS), a medical device gateway developed by Qualcomm Life subsidiary Capsule Technologies SAS.

The gateway is used in hospitals to connect medical devices to larger network infrastructure.

Cybersecurity firm CyberMDX discovered the presence of the flaw, which attackers can exploit to perform a remote arbitrary memory write that could lead to unauthorized login and code execution.

The previously undocumented vulnerability in the device is present in a software component called “RomPager” from AllegroSoft used by the DTS web interface.

According to the company, the DTS uses an older version of RomPager, earlier than 4.07, which is susceptible to Misfortune Cookie. More up-to-date versions of the component are not affected.

When the four-year-old flaw is exploited against medical devices, it is possible for DTS configurations to be tampered with, communication to be spoofed, and information to be stolen.

CyberMDX reported its findings to Qualcomm Life, which developed a firmware patch to resolve the security issue.

ZDNet has the full story
