HC3 TLP White Alert: Hillrom Welch Allyn Cardiology Products Vulnerability (CVE-2021-43935) December 13, 2021
Executive Summary
On December 9, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Controls Systems Medical Advisory (ICSMA) detailing a vulnerability in multiple Hillrom Welch Allyn cardiology products. An attacker could exploit this vulnerability to take control of an affected system.
CISA encourages technicians and administrators to review the advisory for more information and recommended mitigations.
Report
ICS Medical Advisory (ICSMA-21-343-01) Hillrom Welch Allyn Cardio Products
https://www.cisa.gov/uscert/ics/advisories/icsma-21-343-01
Impact to HPH Sector
This high-severity vulnerability (CVSS v3 base score of 8.1) impacts organizations in the healthcare and public health (HPH) sector worldwide. The remotely exploitable vulnerability could enable an attacker to access privileged accounts without a password and seize control of the devices.
The following Hillrom cardiology products, when configured to use SSO, are affected:
- Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0.0 through 6.3.1
- Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1
- Welch Allyn Diagnostic Cardiology Suite: Version 2.1.0
- Welch Allyn Vision Express: Versions 6.1.0 through 6.4.0
- Welch Allyn H-Scribe Holter Analysis System: Versions 5.01 through 6.4.0
- Welch Allyn R-Scribe Resting ECG System: Versions 5.01 through 7.0.0
- Welch Allyn Connex Cardio: Versions 1.0.0 through 1.1.1
References
High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products https://www.hipaajournal.com/high-severity-authentication-bug-identified-in-hillrom-welch-allyn-cardio-products/
Zero-day vulnerability in Hillrom cardiology devices could allow attackers full control https://portswigger.net/daily-swig/zero-day-vulnerability-in-hillrom-cardiology-devices-could-allow-attackers-full-control
Contact Information
If you have any additional questions, please contact us at HC3@hhs.gov.
View detailed report below.
For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact: