Skip to main content

Vulnerabilities in Hillrom Welch Allyn Resting Electrocardiograph Products

Hillrom Welch Allyn cardiology products affected by 'improper access control' and 'use of hard-coded password' vulnerabilities

Threat ID:
CC-4117
Threat Severity:
Low
Published:
17 June 2022 2:10 PM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Hillrom Welch Allyn cardiology products affected by 'improper access control' and 'use of hard-coded password' vulnerabilities

Threat details

Introduction

A number of Welch Allyn Resting Electrocardiograph products are affected by two vulnerabilities - CVE-2022-26388 and CVE-2022-26389.

CVE-2022-26388, which has a Medium CVSS rating of 6.4, is a 'use of hard-coded password' vulnerability. Affected products use hard-coded passwords for inbound authentication or outbound communication to external components. This vulnerability has a low attack complexity.

CVE-2022-26389, which has a High CVSS rating of 7.7, is a vulnerability caused by improper access control because software does not restrict or incorrectly restricts access to a resource from an authorised actor. This vulnerability has a high attack complexity.

 

Remediation advice

Affected organisations should review the Welch Allyn Product Security Vulnerability 16 June 2022 section of Hillrom Responsible Disclosures.

A software update for Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph, to version 2.4.1, should be available in June 2022. Hillrom plans to release software updates to address the vulnerabilities in the other products in Q4 2023. In the interim, Hillrom recommends the following workarounds to reduce the risk:

  • Apply proper network and physical security controls
  • Ensure a unique encryption key is configured for ELI Link and Cardiograph
  • Where possible, use a firewall to prevent communication on Port 21 FTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet service

Last edited: 17 June 2022 4:15 pm