Medical devices from the manufacturer Hillrom Welch Allyn contain security flaws that allow unauthorized access from the network. The vulnerability is classified as high risk (CVE-2021-43935, CVSS 8.1). An update is not yet available; IT managers have to take action.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) explained in its security advisory that, due to improper authentication in the devices, every account in an Active Directory is given access to the application without the use of a password. For this to be possible, single sign-on must be activated in the products. The warning does not indicate whether this is the case by default. The manufacturer's devices, especially the Connex series, are also available on the German market.
The security message lists the affected products:
- Welch Allyn Q-Stress Cardiac Stress Testing System: Version 6.0.0 to 6.3.1
- Welch Allyn X-Scribe Cardiac Stress Testing System: Version 5.01 to 6.3.1
- Welch Allyn Diagnostic Cardiology Suite: Version 2.1.0
- Welch Allyn Vision Express: Version 6.1.0 to 6.4.0
- Welch Allyn H-Scribe Holter Analysis System: Version 5.01 to 6.4.0
- Welch Allyn R-Scribe Resting ECG System: Version 5.01 to 7.0.0
- Welch Allyn Connex Cardio: Version 1.0.0 to 1.1.1
There are currently no updates available. The manufacturer therefore recommends deactivating single sign-on in the relevant settings of the Modality Manager as a temporary protection and refers to the manual for the procedure.
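For IT managers who need to check an installed base against the list above, the following is an added example (not code from the advisory, CISA or the manufacturer) that compares product names and version strings against the affected ranges given in this article and reports whether each installation is vulnerable, affected but mitigated by disabled single sign-on, or outside the affected range. The inventory records and the single sign-on flag are constructed sample data; the script does not query any device, so the SSO state must come from your own records or from the Modality Manager settings.

```python
from typing import Dict, List, Tuple

# Affected products and inclusive version ranges, taken from the advisory list above.
# A single listed version (Diagnostic Cardiology Suite) is represented as a range of one.
AFFECTED: Dict[str, Tuple[str, str]] = {
    "Q-Stress Cardiac Stress Testing System": ("6.0.0", "6.3.1"),
    "X-Scribe Cardiac Stress Testing System": ("5.01", "6.3.1"),
    "Diagnostic Cardiology Suite": ("2.1.0", "2.1.0"),
    "Vision Express": ("6.1.0", "6.4.0"),
    "H-Scribe Holter Analysis System": ("5.01", "6.4.0"),
    "R-Scribe Resting ECG System": ("5.01", "7.0.0"),
    "Connex Cardio": ("1.0.0", "1.1.1"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple.

    Components are compared numerically so that "5.01" equals "5.1",
    and short strings are padded with zeros so that "2.1" equals "2.1.0".
    """
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def assess(product: str, version: str, sso_enabled: bool) -> str:
    """Classify one installation.

    Returns one of:
      "not-listed"         product is not in the advisory list
      "not-affected"       version lies outside the affected range
      "affected-mitigated" affected version, but SSO is disabled (the recommended workaround)
      "vulnerable"         affected version with SSO enabled
    """
    if product not in AFFECTED:
        return "not-listed"
    low, high = (parse_version(v) for v in AFFECTED[product])
    if not (low <= parse_version(version) <= high):
        return "not-affected"
    return "vulnerable" if sso_enabled else "affected-mitigated"


def triage(inventory: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Assess every record in an inventory and return (host, status) pairs."""
    return [
        (str(rec["host"]), assess(str(rec["product"]), str(rec["version"]), bool(rec["sso"])))
        for rec in inventory
    ]


# Constructed sample inventory (hypothetical hosts, not real installations).
SAMPLE_INVENTORY = [
    {"host": "ecg-ward3", "product": "R-Scribe Resting ECG System", "version": "7.0.0", "sso": True},
    {"host": "stress-lab1", "product": "Q-Stress Cardiac Stress Testing System", "version": "6.3.1", "sso": False},
    {"host": "holter-2", "product": "H-Scribe Holter Analysis System", "version": "6.4.1", "sso": True},
    {"host": "cardio-gw", "product": "Connex Cardio", "version": "1.1.1", "sso": True},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:<12} {status}")
```

Installations reported as "vulnerable" are the ones where the advisory's workaround (disabling single sign-on in the Modality Manager) has not yet been applied; "affected-mitigated" hosts still need the vendor update once it ships.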
Security gaps in networked medical devices pose a threat to patient safety. Attackers often focus on hospitals, for example to smuggle in ransomware and use it to extort money in the form of cryptocurrencies. One of the more recent examples of this is the Wolfenbüttel Clinic, which was the victim of a ransomware attack.