The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert warning healthcare providers about a high-severity vulnerability that affects certain Hillrom Welch Allyn cardio products.
The vulnerability is an authentication bypass issue in which a remote attacker can use an alternative path or channel to avoid authentication. Tracked as CVE-2021-43935, it causes the application to accept the manual entry of any Active Directory (AD) account that is provisioned in the application, without requiring a password. If exploited, a remote attacker would be able to access the application using the provided AD account and would be granted all privileges associated with that account. The vulnerability has been assigned a CVSS v3 severity score of 8.1 out of 10.
The vulnerability can be exploited when vulnerable products are configured to use single sign-on and affects the following Hillrom Welch Allyn cardio products:
- Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0 through 6.3.1
- Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1
- Welch Allyn Diagnostic Cardiology Suite: Version 2.1
- Welch Allyn Vision Express: Versions 6.1.0 through 6.4
- Welch Allyn H-Scribe Holter Analysis System: Versions 5.01 through 6.4
- Welch Allyn R-Scribe Resting ECG System: Versions 5.01 through 7.0
- Welch Allyn Connex Cardio: Versions 1.0 through 1.1.1
There is no patch available to fix the vulnerability at present. Hillrom says it will be addressing the flaw in its next software release; however, in the meantime, the company suggests a workaround and mitigation to reduce the risk of exploitation.
The interim solution is to disable the SSO feature in the Modality Manager Configuration settings, as the vulnerability only exists when SSO is enabled. Users should also ensure they are running the latest versions of the software and should upgrade as soon as new versions are made available.
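To make the bug class and the workaround concrete, here is an added, hypothetical login model (not Hillrom's code; the account names, password hashes and the `sso_identity` field are constructed assumptions). The vulnerable function reproduces the reported pattern: with SSO enabled it trusts the username typed into the form, so a provisioned AD account gets in with no password. The hardened form only honours an identity the platform actually asserted, and disabling SSO closes the alternate path in both.

```python
"""Illustrative model of an SSO 'alternate path' authentication bypass.

Hypothetical code for education; it is not the vendor's implementation.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class LoginRequest:
    username: str                        # what the operator typed into the login form
    password: Optional[str] = None
    sso_identity: Optional[str] = None   # identity asserted by the verified domain session, if any


# Constructed provisioning table: AD accounts allowed into the application, with their role.
PROVISIONED = {"cardio\\tech1": "Operator", "cardio\\admin": "Administrator"}
SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed password store (hashes only).
PASSWORDS = {"cardio\\tech1": _hash("hunter2"), "cardio\\admin": _hash("correct horse")}


def _password_ok(req: LoginRequest) -> bool:
    if req.username not in PASSWORDS or not req.password:
        return False
    return hmac.compare_digest(_hash(req.password), PASSWORDS[req.username])


def login_vulnerable(req: LoginRequest, sso_enabled: bool) -> Optional[str]:
    """Bug pattern: with SSO on, any provisioned username in the form is accepted without a password."""
    if req.username not in PROVISIONED:
        return None
    if sso_enabled:
        return PROVISIONED[req.username]   # trusts the form field as if SSO had verified it
    return PROVISIONED[req.username] if _password_ok(req) else None


def login_hardened(req: LoginRequest, sso_enabled: bool) -> Optional[str]:
    """SSO path uses only the platform-asserted identity; manual entry always needs a password."""
    if sso_enabled and req.sso_identity is not None:
        return PROVISIONED.get(req.sso_identity)   # the typed username is ignored on this path
    return PROVISIONED[req.username] if req.username in PROVISIONED and _password_ok(req) else None
```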
In addition to the above workaround, users should ensure they apply proper network and physical security controls, apply authentication for server access, and ensure the products are not accessible over the Internet. CISA recommends locating control system networks and remote devices behind firewalls, and isolating them from the business network. If remote access is required, secure methods of connection should be used, such as a Virtual Private Network (VPN).
At present, there are no known cases of the vulnerability being exploited and the vulnerability has a high attack complexity.