Misfortune Cookie CVE-2014-9222 Flaw Back in Medical Devices

CVE-2014-9222, more famously known as the Misfortune Cookie vulnerability, is a severe security flaw that was disclosed four years ago, when it was impacting routers. Reports reveal that the vulnerability is once again active in the wild. This time attackers are leveraging it against medical devices. The severity rating of Misfortune Cookie is 9.8, which is a rather high rating.

More about Misfortune Cookie a.k.a. CVE-2014-9222

The official description of CVE-2014-9222 is:

AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the “Misfortune Cookie” vulnerability.

The Misfortune Cookie bug was first detected in 2014 by Check Point researchers. Back then, the researchers found that the flaw impacted residential gateway SOHO routers from various vendors. If exploited, the vulnerability allowed attackers to hijack devices remotely.

According to a new security advisory by ICS CERT, CVE-2014-9222 is now present in medical device systems. The equipment that appears to be affected is the Datacaptor Terminal Server (DTS), a medical device gateway developed by Qualcomm Life subsidiary Capsule Technologies SAS. What is worse, this gateway is deployed in hospitals, where it connects medical devices to larger network infrastructures.

Here’s what the new advisory says:

The following versions of Capsule Datacaptor Terminal Server (DTS), part of a medical device information system, are affected: Allegro RomPager embedded web server versions 4.01 through 4.34 included in Capsule DTS, all versions affected.
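As an added example (not from the advisory or the original post), the following Python code triages an asset inventory of HTTP Server banners against the two version ranges quoted above. The banner format, the function names and the sample inventory are assumptions, and a matching banner is only an indicator: the version string alone does not show whether a vendor fix was applied.

```python
import re

# Affected range quoted in the advisory: RomPager 4.01 through 4.34.
# The CVE text says "4.34 and earlier", so anything at or below 4.34 is flagged.
ADVISORY_MIN = (4, 1)
AFFECTED_MAX = (4, 34)

# Banner form "RomPager/4.07" in an HTTP Server header (assumed format,
# with a two-digit minor version).
BANNER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def rompager_version(server_header):
    """Return (major, minor) from a Server header, or None if not RomPager."""
    m = BANNER_RE.search(server_header or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(server_header):
    """Classify one banner against the ranges quoted on this page."""
    version = rompager_version(server_header)
    if version is None:
        return "not-rompager"
    if version > AFFECTED_MAX:
        return "outside-range"
    if version >= ADVISORY_MIN:
        return "in-advisory-range"  # 4.01 .. 4.34
    return "in-cve-range"           # below 4.01, still "4.34 and earlier"


def triage(inventory):
    """Map asset name -> classification, keeping only assets that need review."""
    results = {name: classify(banner) for name, banner in inventory.items()}
    return {n: c for n, c in results.items() if c.startswith("in-")}


# Constructed sample inventory (asset names and banners are made up).
SAMPLE_INVENTORY = {
    "ward3-dts-gw": "RomPager/4.07 UPnP/1.0",
    "icu-dts-gw": "Allegro-Software-RomPager/4.34",
    "lab-gw": "RomPager/4.51 UPnP/1.0",
    "old-router": "RomPager/3.12",
    "portal": "nginx",
    "no-banner": None,
}

if __name__ == "__main__":
    for asset, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{asset}: {status}")
```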

It should be noted that researchers from CyberMDX were the ones who discovered the presence of Misfortune Cookie within these devices.

CyberMDX discovered a previously undocumented vulnerability in the device, noting that Qualcomm Life’s Capsule Datacaptor Terminal (Read more…)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | SensorsTechForum.com authored by Milena Dimitrova. Read the original post at: https://sensorstechforum.com/misfortune-cookie-cve-2014-9222-medical-devices/