Web Security Bugs Discovered in CATIE’s Assisted Living

John Leyden December 06, 2021 at 17:00 UTC

Updated: December 07, 2021 10:35 UTC

The mystery of the communication tool for nursing homes

Vulnerabilities in a recent version of CATIE Web, an online platform designed for the needs of seniors living in assisted living facilities, put data at risk of exposure.

A total of four local file disclosure vulnerabilities were discovered by security researchers at Bishop Fox in version 20.04.0 of CATIE Web. The latest version of the application is 06.21.0.

The flaws in the earlier version could allow an unauthenticated remote attacker to read arbitrary files through four separate application endpoints.

Bishop Fox said it disclosed the vulnerabilities to Status Solutions, the developer, in August, after weeks of unsuccessfully trying to get a response.

There has been no further communication between the two since, prompting Bishop Fox to make its findings public in a detailed technical blog post last week.

The Daily Swig asked Status Solutions to comment on these findings, hoping to learn what advice it had to offer customers still running the old version of its software.

No word yet, but we’ll update the story as more information becomes available.

Assisted living

CATIE Web is described as “communication, self-service and resident engagement software that helps seniors connect with their community” while “educating staff on a daily basis about resident needs”.

The technology provides radio channels, meal and activity reminders, staff directories and video conferencing, among other functions.

The security vulnerabilities in CATIE Web version 20.04.0, discovered by Bishop Fox security researchers Nate Robb and Dan Ritter, may disclose sensitive information.

An attacker could exploit these vulnerabilities to read or download any file on the host, because the vulnerable service has root privileges. Accessible files can include application source code, password hashes, and clear text secrets in configuration files. With this level of access, an attacker could likely gain access to the application and possibly compromise the host.

The Daily Swig asked Bishop Fox for an estimate of the vulnerable platform’s installed base, among other questions. We will update this story as more information becomes available.
