#VU64470 Use of Hard-coded Password in Hill-Rom Services products - CVE-2022-26388

Cybersecurity Help s.r.o.

Published: 2022-06-17

Vulnerability identifier: #VU64470

Vulnerability risk: Low

CVSSv4.0: 3.9 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-26388

CWE-ID: CWE-259

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Welch Allyn ELI 380 Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI 280 Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI BUR280 Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI MLBUR 280 Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI 250c Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI BUR 250c Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI 150c Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI BUR 150c Resting Electrocardiograph
Hardware solutions / Medical equipment
Welch Allyn ELI MLBUR 150c Resting Electrocardiograph
Hardware solutions / Medical equipment

Vendor: Hill-Rom Services

Description

The vulnerability allows a local attacker to compromise the target system.

The vulnerability exists due to the software contains a hard-coded password. An attacker with physical access can cause privileged operation execution.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Welch Allyn ELI 380 Resting Electrocardiograph: 2.6.0

Welch Allyn ELI 280 Resting Electrocardiograph: 2.3.1

Welch Allyn ELI BUR280 Resting Electrocardiograph: 2.3.1

Welch Allyn ELI MLBUR 280 Resting Electrocardiograph: 2.3.1

Welch Allyn ELI 250c Resting Electrocardiograph: 2.1.2

Welch Allyn ELI BUR 250c Resting Electrocardiograph: 2.1.2

Welch Allyn ELI 150c Resting Electrocardiograph: 2.2.0

Welch Allyn ELI BUR 150c Resting Electrocardiograph: 2.2.0

Welch Allyn ELI MLBUR 150c Resting Electrocardiograph: 2.2.0

External links
http://ics-cert.us-cert.gov/advisories/icsma-22-167-01

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Hillrom Medical Welch Allyn medical devices