Vulnerability identifier: #VU58818
Vulnerability risk: High
CVSSv3.1: 7.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID: CWE-288
Exploitation vector: Network
Exploit availability: No
Vulnerable software (all listed under Hardware solutions / Medical equipment):
Welch Allyn Q-Stress Cardiac Stress Testing System
Welch Allyn X-Scribe Cardiac Stress Testing System
Welch Allyn Diagnostic Cardiology Suite
Welch Allyn Vision Express
Welch Allyn H-Scribe Holter Analysis System
Welch Allyn R-Scribe Resting ECG System
Welch Allyn Connex Cardio
Vendor: Hill-Rom Services
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper authentication (CWE-288, authentication bypass using an alternate path or channel). A remote attacker can gain access to the application as the supplied Active Directory (AD) account, with all privileges associated with that account.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
Welch Allyn Q-Stress Cardiac Stress Testing System: 6.0.0 - 6.3.1
Welch Allyn X-Scribe Cardiac Stress Testing System: 5.01 - 6.3.1
Welch Allyn Diagnostic Cardiology Suite: 2.1.0
Welch Allyn Vision Express: 6.1.0 - 6.4.0
Welch Allyn H-Scribe Holter Analysis System: 5.01 - 6.4.0
Welch Allyn R-Scribe Resting ECG System: 5.01 - 7.0.0
Welch Allyn Connex Cardio: 1.0.0 - 1.1.1
External links
http://ics-cert.us-cert.gov/advisories/icsma-21-343-01
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.