Zero-day vulnerability in Hillrom cardiology devices could allow attackers full control

A high-severity vulnerability in several cardiac healthcare devices could allow attackers to access privileged accounts without a password and seize control of the devices.

The authentication bypass flaw in certain products made by Hillrom exists when the devices have been configured to use single sign-on (SSO).

In that configuration, the application accepts manual entry of any Active Directory (AD) account provisioned within it and grants access without requiring the associated password.

A remote attacker could therefore access the application under the provided AD account and gain all privileges associated with the account.

The following Hillrom cardiology products, when configured to use SSO, are affected:

– Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0.0 through 6.3.1
– Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1
– Welch Allyn Diagnostic Cardiology Suite: Version 2.1.0
– Welch Allyn Vision Express: Versions 6.1.0 through 6.4.0
– Welch Allyn H-Scribe Holter Analysis System: Versions 5.01 through 6.4.0
– Welch Allyn R-Scribe Resting ECG System: Versions 5.01 through 7.0.0
– Welch Allyn Connex Cardio: Versions 1.0.0 through 1.1.1

The vulnerability (tracked as CVE-2021-43935) has been assigned a CVSS score of 8.1 out of 10.

Hillrom plans to address the issue in its next release; until then the vulnerability remains unpatched.

To mitigate the risk, Hillrom recommends disabling the SSO feature in the respective Modality Manager Configuration settings.
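The mechanism described above (a typed AD account name being treated as an authenticated identity when SSO is on) and the interim mitigation (turning SSO off so the password path applies) are easier to reason about in code. The following is an added illustration of that flaw class written for this article; it is not Hillrom's code and does not reflect how the affected products are implemented. The `Directory`, `SsoAssertion`, `login_vulnerable` and `login_hardened` names, the HMAC-based assertion and the sample account are all assumptions constructed for the example.

```python
# Added example (hypothetical, not Hillrom's code): a minimal model of the
# SSO authentication-bypass class, with the vulnerable path beside a hardened one.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SsoAssertion:
    """Identity asserted by the SSO provider after a real logon (hypothetical format)."""
    principal: str
    tag: bytes  # HMAC over the principal, keyed with a secret only the SSO provider holds


class Directory:
    """Stand-in for the AD accounts provisioned within the application (constructed data)."""

    def __init__(self) -> None:
        # Constructed sample account; a real directory holds salted credential material.
        self._password_hashes = {"alice": hashlib.sha256(b"correct-horse").digest()}
        self._sso_key = secrets.token_bytes(32)

    def has_account(self, name: str) -> bool:
        return name in self._password_hashes

    def check_password(self, name: str, password: Optional[str]) -> bool:
        if password is None or name not in self._password_hashes:
            return False
        return hmac.compare_digest(
            hashlib.sha256(password.encode()).digest(), self._password_hashes[name])

    # Only the SSO provider (e.g. the OS logon session) would call this, and only
    # after the user has actually authenticated; it is never driven by typed input.
    def issue_assertion(self, name: str) -> SsoAssertion:
        tag = hmac.new(self._sso_key, name.encode(), hashlib.sha256).digest()
        return SsoAssertion(name, tag)

    def verify_assertion(self, assertion: SsoAssertion) -> bool:
        expected = hmac.new(self._sso_key, assertion.principal.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion.tag) and self.has_account(assertion.principal)


def login_vulnerable(directory: Directory, sso_enabled: bool, username: str,
                     password: Optional[str] = None) -> Optional[str]:
    """Flaw class: in SSO mode a manually entered account name is treated as an
    authenticated identity, so any provisioned account is granted without a password.
    Returns the principal granted access, or None."""
    if sso_enabled:
        return username if directory.has_account(username) else None
    return username if directory.check_password(username, password) else None


def login_hardened(directory: Directory, sso_enabled: bool, username: Optional[str] = None,
                   password: Optional[str] = None,
                   assertion: Optional[SsoAssertion] = None) -> Optional[str]:
    """Fix: in SSO mode the identity must come from a verified SSO assertion, never
    from a typed name. With SSO disabled (the interim mitigation) only the password
    path applies. Returns the principal granted access, or None."""
    if sso_enabled:
        if assertion is None or not directory.verify_assertion(assertion):
            return None
        return assertion.principal
    if username is None or not directory.check_password(username, password):
        return None
    return username


if __name__ == "__main__":
    d = Directory()
    print("vulnerable, SSO on, name only:", login_vulnerable(d, True, "alice"))
    print("hardened, SSO on, name only:  ", login_hardened(d, True, username="alice"))
    print("hardened, SSO on, real SSO:   ", login_hardened(d, True, assertion=d.issue_assertion("alice")))
    print("hardened, SSO off, password:  ", login_hardened(d, False, username="alice", password="correct-horse"))
```

The design point is that the SSO branch must never consume a principal name from the login form; the name has to arrive inside something the application can verify was produced by the identity provider for that session. Disabling SSO, as Hillrom recommends, removes that branch entirely and forces every login through the password check.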

The US Cybersecurity & Infrastructure Security Agency (CISA) also gave recommendations for protecting systems, including minimizing network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet, and using secure methods for remote access, such as VPNs. However, CISA warned that such products are “only as secure as connected devices”.

The Daily Swig has reached out to Hillrom with additional questions, and we will update the article if we hear back.

Source: https://portswigger.net/daily-swig/zero-day-vulnerability-in-hillrom-cardiology-devices-could-allow-attackers-full-control
