CVE-2023-47800

9.8 CRITICAL

📋 TL;DR

Natus NeuroWorks and SleepWorks before 8.4 GMA3 ship their Microsoft SQL Server instance with a default, hardcoded password of 'xltek' for the sa login. Anyone who can reach the database port can authenticate as sa, which holds the sysadmin role: they can read, alter or destroy every patient study stored in the database and, because sysadmin can enable facilities such as xp_cmdshell, run operating-system commands on the host under the SQL Server service account. Every organization running an affected version is exposed.

💻 Affected Systems

Products:
  • Natus NeuroWorks
  • Natus SleepWorks
Versions: All versions before 8.4 GMA3
Operating Systems: Windows (the affected Microsoft SQL Server instance runs on the product's Windows host)
Default Config Vulnerable: ⚠️ Yes
Notes: The default installation sets the sa password to 'xltek'; no configuration change by the customer is needed for the system to be vulnerable.

📦 What is this software?

NeuroWorks is Natus's EEG acquisition and review software, and SleepWorks is its polysomnography (sleep study) counterpart. Both descend from the Xltek product line that Natus acquired; the default password is simply that brand name. Each installation keeps patient and study data in a Microsoft SQL Server database, so whoever holds the sa login controls everything the application records.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of patient medical data, remote code execution leading to ransomware deployment, destruction of medical records, and disruption of critical healthcare operations.

🟠 Likely Case

Data exfiltration of sensitive patient information, unauthorized access to medical records, and potential manipulation of clinical data affecting patient care.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, though the vulnerability still exists in the software until it is patched.

🌐 Internet-Facing: HIGH - Systems exposed to the internet are directly vulnerable to remote exploitation without authentication.
🏢 Internal Only: HIGH - Even internally, any attacker with network access can exploit this vulnerability to gain database administrator privileges.

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Effectively yes (default credentials; no attacker-specific secret needed)
Complexity: LOW

Exploitation requires only the default password and network reachability of the SQL Server instance: TCP 1433 for a default instance, while a named instance may listen on a dynamic port advertised by the SQL Server Browser service on UDP 1434. No exploit code is needed beyond a standard SQL client.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.4 GMA3

Vendor Advisory: https://partner.natus.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf

Restart Required: Yes

Instructions:

1. Download version 8.4 GMA3 from the Natus partner portal.
2. Back up all data and configurations.
3. Install the update following the vendor instructions.
4. Restart affected systems.
5. Verify that the sa account password has been changed from the default.

🔧 Temporary Workarounds

Change MSSQL sa Password

windows

Manually change the default 'xltek' password for the sa account to a strong, unique password (the value below is a placeholder). Caveat: if the NeuroWorks/SleepWorks application itself connects as sa, its stored connection settings must be updated at the same time or the application will stop working; check the vendor bulletin before changing it on a production system.

USE master;
-- Replace the placeholder with a long, randomly generated password stored in a vault
ALTER LOGIN sa WITH PASSWORD = 'NewStrongPassword123!';

Network Segmentation

windows

Restrict inbound access to the SQL Server port to the authorized application servers and clinical workstations only. A rule that blocks all inbound 1433 traffic would also cut off legitimate clients, so scope an Allow rule to the authorized sources (10.10.20.0/24 below is a placeholder), remove or disable any existing rule that allows 1433 from any address, and rely on the profile's default inbound action being Block for everything else. A named instance may listen on a dynamic port rather than 1433; confirm the port in SQL Server Configuration Manager and adjust -LocalPort accordingly.

New-NetFirewallRule -DisplayName "MSSQL - authorized clients only" -Direction Inbound -Protocol TCP -LocalPort 1433 -RemoteAddress 10.10.20.0/24 -Action Allow
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

🧯 If You Can't Patch

  • Immediately change the sa account password from 'xltek' to a strong, unique password (updating the application's connection settings if it authenticates as sa)
  • Implement strict network segmentation and firewall rules so that only authorized application servers and workstations can reach the SQL Server port
  • If the application does not need sa, disable or rename the login; in any case confirm that xp_cmdshell remains disabled
  • Set SQL Server login auditing to record both failed and successful logins so that any use of sa is logged

🔍 How to Verify

Check if Vulnerable:

From a host that is allowed to reach the instance, attempt to connect with sqlcmd (or any SQL client) using -U sa and -P xltek against the server's SQL port; a successful connection means the system is vulnerable. Alternatively, a sysadmin already logged in to the instance can check the stored hash without a logon attempt: PWDCOMPARE('xltek', password_hash) against sys.sql_logins for the sa row returns 1 while the default is still in place.

Check Version:

Check the software version in the application interface (Help/About) or consult the vendor documentation; anything earlier than 8.4 GMA3 is affected.

Verify Fix Applied:

Verify that a connection attempt with the old 'xltek' password fails and that the installed software version is 8.4 GMA3 or later.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts to sa account
  • Successful logins to sa account from unexpected sources
  • Unusual database queries or administrative actions

Network Indicators:

  • Connection attempts to port 1433 (or the instance's configured port) from IPs that are not known application servers or clinical workstations
  • Follow-on activity from the database host, such as new outbound connections or child processes spawned by sqlservr.exe, which is what abuse of sysadmin facilities like xp_cmdshell looks like

SIEM Query:

source="mssql" AND (event_id=18456 OR event_id=18454) AND message="*user 'sa'*"

Match on the quoted login name rather than a bare *sa* pattern, which would also hit logins such as 'sales_user'. Note that 18456 (login failed) is logged by default, but 18454 (login succeeded with SQL Server authentication) only appears when the instance's login auditing is set to record successful logins as well as failures.
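The detection logic described by the log indicators and the SIEM query above, as an added example that is not code from the page or from Natus. It runs over a few constructed lines in SQL Server ERRORLOG format (an 18456 failure is logged as an "Error: 18456" line followed by the "Login failed for user" line; 18454 successes appear only when successful-login auditing is on). The allow-list of client addresses, the failure threshold and the sample addresses are assumptions for illustration. It matches the login name exactly, so a login such as 'sales_user' is not mistaken for sa, and it flags both sa logins from unexpected clients and bursts of failed sa logins that would precede a default-password guess.

```python
import re
from collections import Counter

# Constructed sample ERRORLOG lines (not real logs). 203.0.113.7 plays the
# attacker; 10.10.20.15 is the only client expected to log in as sa.
SAMPLE_ERRORLOG = """\
2024-03-01 09:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-03-01 09:00:01.40 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-03-01 09:00:02.05 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2024-03-01 09:05:00.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.20.15]
2024-03-01 09:06:00.00 Logon       Login failed for user 'sales_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.20.30]
2024-03-01 09:07:00.00 Logon       Login succeeded for user 'CLINIC\\eegtech'. Connection made using Windows authentication. [CLIENT: 10.10.20.31]
"""

# One regex for both outcomes; the login name is captured between the quotes,
# so it can be compared exactly instead of with a substring search.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>succeeded|failed) for user '(?P<user>[^']+)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_login_events(errorlog_text):
    """Return one dict (ts, outcome, user, client) per login success/failure line."""
    events = []
    for line in errorlog_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def sa_login_findings(events, allowed_clients, fail_threshold=2):
    """Flag sa activity worth an alert.

    - any successful sa login from a client not on the allow-list
    - fail_threshold or more failed sa logins from one client (password guessing)
    Only events whose login name is exactly 'sa' are considered.
    """
    failures = Counter()
    findings = []
    for ev in events:
        if ev["user"] != "sa":
            continue
        client = ev["client"]
        if ev["outcome"] == "failed":
            failures[client] += 1
        elif client not in allowed_clients:
            findings.append(
                f"{ev['ts']} sa login SUCCEEDED from unexpected client {client}"
            )
    for client, n in failures.items():
        if n >= fail_threshold:
            findings.append(
                f"{n} failed sa logins from {client} (possible default-password guessing)"
            )
    return findings


if __name__ == "__main__":
    # Assumed allow-list: the one application server expected to use sa.
    for finding in sa_login_findings(parse_login_events(SAMPLE_ERRORLOG), {"10.10.20.15"}):
        print(finding)
```

On the constructed sample this reports the success from 203.0.113.7 and the two failures that preceded it, while the sales_user failure and the Windows-authenticated login are ignored. Feeding it the instance's real ERRORLOG files (or the same message text exported from the Windows Application log) is the only change needed.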
