SmartLinx Neuron 2 Environment Escape Vulnerability
Affected platforms
The following platforms are known to be affected:
Capsule Technologies SmartLinx Neuron 2 Versions: all prior to 9.0
Threat details
Vulnerability
Security researchers have disclosed details of a restricted environment escape (CWE-693) vulnerability affecting Capsule Technologies' SmartLinx Neuron 2 mobile clinical systems. They claim that an attacker with physical access to a vulnerable system could gain access to an affected organisation's network.
The vulnerability results from the SmartLinx Neuron 2 system not properly restricting input from connected USB devices. A user with suitable access to these systems can enter a specific series of keyboard inputs to escape the system's 'kiosk' environment.
Remediation advice
Capsule Technologies has confirmed that this vulnerability has been addressed in version 9.0 of the Neuron software. Affected organisations are encouraged to contact their relevant suppliers to apply this update using the instructions below:
- Connect vulnerable Neuron 2 devices to the Capsule SmartLinx application server.
- Edit the 'Neuron Software Reference' to include the Neuron software to update.
- Transfer the Neuron Software to the given Neuron.
- Select 'Install Neuron Software Reference' on the given Neuron.
- The Neuron device will remain offline for approximately 30 minutes as the software is updated.
Definitive source of threat updates
Last edited: 16 July 2020 12:09 pm