CVE-2014-9222, better known as the Misfortune Cookie vulnerability, is a severe security flaw that was disclosed four years ago, when it affected routers. Reports reveal that the vulnerability is once again active in the wild. This time attackers are leveraging it against medical devices. The severity rating of Misfortune Cookie is 9.8, which is a rather high rating.
More about Misfortune Cookie a.k.a. CVE-2014-9222
The official description of CVE-2014-9222 is:
AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the “Misfortune Cookie” vulnerability.
The Misfortune Cookie bug was first detected in 2014 by Check Point researchers. Back then, the researchers found that the flaw impacted residential gateway SOHO routers from various vendors. If exploited, the vulnerability allowed hackers to hijack devices remotely.
According to a new security advisory by ICS CERT, CVE-2014-9222 is now present in medical device systems. The equipment which appears to be affected is the Datacaptor Terminal Server (DTS), a medical device gateway developed by Qualcomm Life subsidiary Capsule Technologies SAS. What is worse is that this gateway is deployed in hospitals where it connects medical devices to larger network infrastructures.
Here’s what the new advisory says:
The following versions of Capsule Datacaptor Terminal Server (DTS), part of a medical device information system, are affected: Allegro RomPager embedded web server versions 4.01 through 4.34 included in Capsule DTS, all versions affected.
It should be noted that researchers from CyberMDX were the ones who discovered the presence of Misfortune Cookie within these devices.
CyberMDX discovered a previously undocumented vulnerability in the device, noting that Qualcomm Life’s Capsule Datacaptor Terminal Server (a medical device gateway) is exposed to the “misfortune cookie” CVE-2014-9222. This opens the possibility for remote arbitrary memory write, which can lead to unauthorized login and code execution.
The company believes that the version of RomPager in use is an older version, prior to version 4.07, which is susceptible to Misfortune Cookie. More up-to-date versions of the component should not be affected:
The web management uses a software component named “RomPager” from AllegroSoft. The “RomPager” version being used by the Capsule Datacaptor Terminal Server is of an earlier version than 4.07, and is rendered vulnerable to CVE-2014-9222, AKA “Misfortune Cookie”.
The good news is that Capsule has released a firmware update to remediate CVE-2014-9222 on the “Single Board” version of the DTS, originally released in the middle of 2009. “Capsule strongly urges all customers with a Single Board version of the DTS to download the firmware from Capsule’s Customer Portal and apply it to the affected devices following your standard patching processes,” the new advisory says.
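To decide which gateways in an asset inventory need their firmware level checked, the version range quoted in the advisory can be applied to Server header values already recorded for each device. The following is an added example, not code from Capsule, ICS CERT or CyberMDX; it assumes the device reports "RomPager/<major>.<minor>" in its HTTP Server header, and the hosts and banners are constructed sample data.

```python
import re

# Affected range quoted in the ICS CERT advisory: RomPager 4.01 through 4.34.
AFFECTED_MIN, AFFECTED_MAX = (4, 1), (4, 34)

# Assumption: the device reports "RomPager/<major>.<minor>" in its Server header.
BANNER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def classify_banner(server_header):
    """Map one Server header value to (status, version tuple or None)."""
    if not server_header or not server_header.strip():
        # A stripped banner says nothing about the firmware; never treat it as clean.
        return ("unknown", None)
    match = BANNER_RE.search(server_header)
    if match is None:
        return ("not-rompager", None)
    version = (int(match.group(1)), int(match.group(2)))
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return ("affected", version)
    return ("outside-range", version)


def triage(inventory):
    """Return hosts whose firmware level must be checked, most urgent first."""
    order = {"affected": 0, "unknown": 1}
    flagged = []
    for host, header in inventory:
        status, version = classify_banner(header)
        if status in order:
            flagged.append((order[status], host, status, version))
    return [(host, status, version) for _, host, status, version in sorted(flagged)]


# Constructed sample inventory (documentation addresses, not real devices).
SAMPLE_INVENTORY = [
    ("192.0.2.10", "RomPager/4.07 UPnP/1.0"),
    ("192.0.2.11", "RomPager/4.51 UPnP/1.0"),
    ("192.0.2.12", ""),
    ("192.0.2.13", "Apache"),
    ("192.0.2.14", "Allegro-Software-RomPager/4.34"),
]

if __name__ == "__main__":
    for host, status, version in triage(SAMPLE_INVENTORY):
        print(host, status, version)
```

A banner match is a reason to check the installed firmware against Capsule's update, not proof of exposure on its own.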