#VU64472 Improper access control in Hill-Rom Services products - CVE-2022-26389

Cybersecurity Help s.r.o.

Published: 2022-06-17

Vulnerability identifier: #VU64472

Vulnerability risk: Low

CVSSv4.0: 2.4 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-26389

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Welch Allyn ELI 380 Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI 280 Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI BUR280 Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI MLBUR 280 Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI 250c Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI BUR 250c Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI 150c Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI BUR 150c Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI MLBUR 150c Resting Electrocardiograph
Hardware solutions / Medical equipment

Vendor: Hill-Rom Services

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Welch Allyn ELI 380 Resting Electrocardiograph: 2.6.0

Welch Allyn ELI 280 Resting Electrocardiograph: 2.3.1

Welch Allyn ELI BUR280 Resting Electrocardiograph: 2.3.1

Welch Allyn ELI MLBUR 280 Resting Electrocardiograph: 2.3.1

Welch Allyn ELI 250c Resting Electrocardiograph: 2.1.2

Welch Allyn ELI BUR 250c Resting Electrocardiograph: 2.1.2

Welch Allyn ELI 150c Resting Electrocardiograph: 2.2.0

Welch Allyn ELI BUR 150c Resting Electrocardiograph: 2.2.0

Welch Allyn ELI MLBUR 150c Resting Electrocardiograph: 2.2.0

External links
https://ics-cert.us-cert.gov/advisories/icsma-22-167-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Hillrom Medical Welch Allyn medical devices