
Vulnerabilities in Hillrom Welch Allyn Resting Electrocardiograph Products

Hillrom Welch Allyn cardiology products affected by 'improper access control' and 'use of hard-coded password' vulnerabilities



Threat details

Introduction

A number of Welch Allyn Resting Electrocardiograph products are affected by two vulnerabilities: CVE-2022-26388 and CVE-2022-26389.

CVE-2022-26388, which has a Medium CVSS rating of 6.4, is a 'use of hard-coded password' vulnerability. Affected products use hard-coded passwords for inbound authentication or for outbound communication to external components. This vulnerability has a low attack complexity.

CVE-2022-26389, which has a High CVSS rating of 7.7, is an 'improper access control' vulnerability: the software does not restrict, or incorrectly restricts, access to a resource from an unauthorised actor. This vulnerability has a high attack complexity.

Remediation advice

Affected organisations should review the 'Welch Allyn Product Security Vulnerability 16 June 2022' section of Hillrom's Responsible Disclosures page.

A software update for Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph, to version 2.4.1, should be available in June 2022. Hillrom plans to release software updates to address the vulnerabilities in the other products in Q4 2023. In the interim, Hillrom recommends the following workarounds to reduce the risk:

  • Apply proper network and physical security controls
  • Ensure a unique encryption key is configured for ELI Link and Cardiograph
  • Where possible, use a firewall to block the FTP service on port 21, SSH (Secure Shell) on port 22 and the Telnet service on port 23
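The following is an added example illustrating the third interim workaround; it is not part of the NHS Digital advisory and is not code from Hillrom or Welch Allyn. It generates an nftables ruleset that drops and logs inbound TCP to ports 21, 22 and 23 on the network segment holding the cardiographs, and it triages the resulting firewall log lines so that a source that keeps probing those ports after the rule is in place can be followed up. The subnet, the interface names and the log lines are constructed placeholders, and the log format assumed is the standard kernel netfilter log line.

```python
"""Interim firewall workaround for the Welch Allyn ECG advisory (added example).

Builds an nftables ruleset that blocks FTP/SSH/Telnet toward the cardiograph
subnet and counts blocked attempts from firewall log lines. All values below
are constructed placeholders, not taken from the advisory.
"""
import re
from collections import Counter

# Assumption: the cardiographs sit on a dedicated VLAN; placeholder range.
ECG_SUBNET = "10.20.30.0/24"
# Ports named in the advisory's workaround: FTP, SSH, Telnet.
BLOCKED_PORTS = (21, 22, 23)


def build_nft_ruleset(subnet=ECG_SUBNET, ports=BLOCKED_PORTS):
    """Return an nftables ruleset (text) that drops and logs inbound TCP to
    the given ports on the cardiograph subnet. The chain policy stays
    'accept' so clinical traffic to the devices (for example ELI Link
    transfers on other ports) is not affected by this rule."""
    port_set = ", ".join(str(p) for p in ports)
    return "\n".join([
        "table inet ecg_guard {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f'    ip daddr {subnet} tcp dport {{ {port_set} }} '
        'counter log prefix "ecg-blocked " drop',
        "  }",
        "}",
    ])


# Kernel netfilter log format: fields are KEY=VALUE pairs after the prefix.
_LOG_RE = re.compile(
    r"ecg-blocked .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def triage_blocked_attempts(log_lines):
    """Count blocked attempts per (source address, destination port).

    Lines logged by other rules (different prefix) or on ports outside the
    blocked set are ignored. A source that repeatedly hits port 23 or 21
    after the rule is deployed is worth investigating."""
    counts = Counter()
    for line in log_lines:
        m = _LOG_RE.search(line)
        if m is None:
            continue
        dport = int(m.group("dpt"))
        if dport in BLOCKED_PORTS:
            counts[(m.group("src"), dport)] += 1
    return counts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Jun 17 09:12:01 fw kernel: ecg-blocked IN=eth0 OUT=eth1 "
    "SRC=10.0.5.17 DST=10.20.30.12 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=1 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jun 17 09:12:03 fw kernel: ecg-blocked IN=eth0 OUT=eth1 "
    "SRC=10.0.5.17 DST=10.20.30.12 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=2 DF PROTO=TCP SPT=51001 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jun 17 09:15:44 fw kernel: ecg-blocked IN=eth0 OUT=eth1 "
    "SRC=10.0.5.40 DST=10.20.30.15 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=3 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    # Logged by a different rule set; must not be counted.
    "Jun 17 09:16:10 fw kernel: other-log IN=eth0 OUT=eth1 "
    "SRC=10.0.5.40 DST=10.20.30.15 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=4 DF PROTO=TCP SPT=40023 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
]


if __name__ == "__main__":
    print(build_nft_ruleset())
    for (src, dport), n in sorted(triage_blocked_attempts(SAMPLE_LOG).items()):
        print(f"{src} -> port {dport}: {n} blocked attempt(s)")
```

The ruleset text can be loaded on a Linux firewall between the clinical network and the cardiograph VLAN with `nft -f`; the log prefix is what ties the triage function to the rule, so keep the two consistent if the prefix is changed.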


Last edited: 17 June 2022 4:15 pm