Care home communications tool conundrum
Vulnerabilities in a recent version of CATIE Web, an online platform designed for the needs of older adults in assisted living settings, create a data exposure risk.
A total of four local file disclosure vulnerabilities were discovered by security researchers from Bishop Fox in version 20.04.0 of CATIE Web. The latest version of the application is 21.06.0.
The flaws in the earlier release could allow an unauthenticated remote attacker to read arbitrary files via four separate application endpoints.
Bishop Fox said it disclosed the vulnerabilities to the developer, Status Solutions, in August, after weeks of trying unsuccessfully to get a response.
There's been no further communication between the two since, prompting Bishop Fox to go public with its findings in a detailed technical blog post last week.
The Daily Swig asked Status Solutions to comment on these findings. We were hoping to find out what advice it had to offer customers still running the older version of its software.
No word back yet, but we'll update the story as and when more information comes to hand.
CATIE Web is described as “a communication, self-service and resident engagement software that helps seniors connect with their community”, while also “keeping staff informed about residents’ needs on a daily basis”.
The technology offers radio channels, meal and activity reminders, staff directories, and video conferencing, among other functions.
Security flaws in version 20.04.0 of CATIE Web, discovered by Bishop Fox security researchers Nate Robb and Dan Ritter, have the potential to disclose sensitive information.
An attacker could leverage these vulnerabilities to read or download any file on the host, as the vulnerable service has root privileges. Accessible files may include application source code, password hashes, and cleartext secrets in configuration files. With this level of access, an attacker could likely gain access to the application and eventually compromise the host.
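The class of bug described above is an endpoint that serves a file named by the requester without confining the result to an intended directory. The following is an added illustration written for this article, not code from CATIE Web or Bishop Fox: the weak pattern beside a hardened handler, exercised against a constructed sandbox directory (all file names and contents are made up).

```python
import os
import tempfile
from pathlib import Path

# Constructed sandbox: one directory the endpoint is meant to serve from,
# plus a file outside it standing in for a config file with secrets.
ROOT = Path(tempfile.mkdtemp())
CONTENT = ROOT / "content"
CONTENT.mkdir()
(CONTENT / "menu.txt").write_text("Tuesday: soup\n")
(ROOT / "config.ini").write_text("db_password=placeholder\n")  # constructed secret


def unsafe_read(base: Path, requested: str) -> str:
    """Weak pattern: join the requester-supplied name straight onto the base.
    A '..' segment or an absolute path escapes the intended directory."""
    return (base / requested).read_text()


def safe_read(base: Path, requested: str) -> str:
    """Hardened form: resolve symlinks and '..' first, then require the
    result to lie inside the base directory before opening anything."""
    base_real = base.resolve()
    target = (base_real / requested).resolve()
    # commonpath, not a string prefix test, so /srv/content_old does not
    # pass as being inside /srv/content
    if os.path.commonpath([base_real, target]) != str(base_real):
        raise PermissionError(f"refusing path outside {base_real}: {requested}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_text()


def demo() -> dict:
    """Run both handlers on a normal request and on a traversal request."""
    results = {
        "unsafe_normal": unsafe_read(CONTENT, "menu.txt"),
        "safe_normal": safe_read(CONTENT, "menu.txt"),
    }
    traversal = "../config.ini"
    results["unsafe_traversal"] = unsafe_read(CONTENT, traversal)  # leaks the secret
    try:
        safe_read(CONTENT, traversal)
        results["safe_traversal"] = "served"
    except PermissionError:
        results["safe_traversal"] = "blocked"
    return results
```

Path confinement limits what a single endpoint can expose; it does not change the second half of the impact described above, so a service like this should also run as an unprivileged account rather than root so that even a confinement bug cannot read every file on the host.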
The Daily Swig asked Bishop Fox for an estimate of the installed base of the vulnerable platform among other questions. We'll update this story as and when more information comes to hand.