American healthcare equipment giant Hillrom has addressed a serious zero-day vulnerability in its Welch Allyn cardiac devices. Exploiting the bug allows an adversary to log in to the affected applications as any provisioned Active Directory account without supplying a password, and thereby act with that account's privileges.
Zero-Day Vulnerability Spotted In Hillrom Cardiac Devices
According to the latest advisory from US CISA, a serious zero-day vulnerability affected Hillrom Welch Allyn cardiac devices.
Hill-Rom (branded as ‘Hillrom’) is a US-based medical technology firm dealing with a range of healthcare equipment. The firm acquired Welch Allyn – another firm in this niche – in 2015, now continuing it as a separate brand.
Specifically, the vulnerability, which Hillrom itself discovered and reported to CISA, affects the following Welch Allyn cardiac care products:
- Q-Stress Cardiac Stress Testing System (versions 6.0.0-6.3.1)
- X-Scribe Cardiac Stress Testing System (versions 5.01-6.3.1)
- Diagnostic Cardiology Suite (version 2.1.0)
- Vision Express (versions 6.1.0-6.4.0)
- H-Scribe Holter Analysis System (versions 5.01-6.4.0)
- R-Scribe Resting ECG System (versions 5.01-7.0.0)
- Connex Cardio (versions 1.0.0-1.1.1)
The flaw is an improper authentication weakness that applies only when the software is configured to use single sign-on (SSO). The advisory describes its impact as follows:
This vulnerability allows the application to accept manual entry of any Active Directory (AD) account provisioned in the application without supplying a password, resulting in access to the application as the supplied AD account, with all associated privileges.
The flaw is tracked as CVE-2021-43935 and carries a CVSS v3 base score of 8.1.
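To make the flaw class concrete, the following is an added, constructed model of an SSO-mode login check with the same defect the advisory describes, beside a hardened version. It is illustrative example code, not Hillrom or Welch Allyn software: the account names, passwords, shared key and SsoSession token format are all assumptions made for the demonstration.

```python
"""
Model of the authentication bypass described in the advisory (improper
authentication): an application configured for SSO that also accepts a
manually typed account name and treats it as already authenticated.

Constructed example, not vendor code. The AD directory, passwords,
_SSO_KEY and the SsoSession format are assumptions for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def _hash(pw: str, salt: bytes) -> bytes:
    """Password hashing for the constructed account store."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


_SALT = b"constructed-salt"

# Constructed set of AD accounts "provisioned in the application": name -> (role, hash).
AD_ACCOUNTS = {
    "CLINIC\\cardio_tech": ("technician", _hash("tech-pass", _SALT)),
    "CLINIC\\admin": ("administrator", _hash("admin-pass", _SALT)),
}

# Assumed shared secret between the application and the workstation SSO layer.
_SSO_KEY = b"constructed-shared-key"


@dataclass(frozen=True)
class SsoSession:
    """Identity asserted by the SSO layer, bound to it by an HMAC tag (assumption)."""
    account: str
    tag: bytes


def issue_sso_session(account: str) -> SsoSession:
    """Stand-in for the SSO provider, the only party holding _SSO_KEY."""
    return SsoSession(account, hmac.new(_SSO_KEY, account.encode(), "sha256").digest())


def login_vulnerable(sso_enabled: bool, account: str, password: Optional[str],
                     session: Optional[SsoSession]) -> Optional[str]:
    """Returns the role granted, or None. Flawed: with SSO enabled, the manually
    entered account name alone is accepted and the password path is skipped."""
    if account not in AD_ACCOUNTS:
        return None
    role, pw_hash = AD_ACCOUNTS[account]
    if sso_enabled:
        # BUG: nothing checks that an SSO session actually vouches for this name.
        return role
    if password is not None and hmac.compare_digest(_hash(password, _SALT), pw_hash):
        return role
    return None


def login_fixed(sso_enabled: bool, account: str, password: Optional[str],
                session: Optional[SsoSession]) -> Optional[str]:
    """Hardened: in SSO mode the account must be asserted by a session whose tag
    verifies and whose identity matches the requested account; with no valid
    session, or with SSO disabled, a correct password is required."""
    if account not in AD_ACCOUNTS:
        return None
    role, pw_hash = AD_ACCOUNTS[account]
    if sso_enabled and session is not None:
        expected = hmac.new(_SSO_KEY, session.account.encode(), "sha256").digest()
        if hmac.compare_digest(expected, session.tag) and session.account == account:
            return role
        return None  # forged tag or session for a different account
    if password is not None and hmac.compare_digest(_hash(password, _SALT), pw_hash):
        return role
    return None


if __name__ == "__main__":
    # The bypass: SSO on, any provisioned name typed in, no password, no session.
    print(login_vulnerable(True, "CLINIC\\admin", None, None))
    # The CISA workaround in effect: SSO off forces the password check.
    print(login_vulnerable(False, "CLINIC\\admin", None, None))
    # The hardened check with a genuine SSO session for the same account.
    print(login_fixed(True, "CLINIC\\admin", None, issue_sso_session("CLINIC\\admin")))
```

Calling login_vulnerable with SSO enabled and only an account name returns the account's role, which is the behaviour the advisory describes; the same call with SSO disabled falls through to the password check, which is why the recommended workaround of turning SSO off closes the hole. The hardened variant grants SSO access only when a verifiable session names the requested account.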
Patches Underway
According to CISA, Hillrom has addressed the vulnerability in the products in question, but the fixes will only reach users with the upcoming software release, which may take about a week to roll out.
Until then, users remain exposed, so CISA recommends disabling SSO in the Modality Manager Configuration settings as a workaround; the bypass only applies when SSO is configured.
Hillrom also advises users to apply appropriate network and physical security controls to the devices and to enforce authentication for server access.
Let us know your thoughts in the comments.