CVE-2021-43935 : What You Need to Know
Discover the authentication vulnerability impacting Welch Allyn cardiovascular products by Hillrom. Learn the impact, affected versions, mitigation steps, and how to prevent unauthorized application access.
Welch Allyn cardiovascular products by Hillrom are vulnerable to improper authentication when configured with SSO.
Understanding CVE-2021-43935
This CVE highlights an authentication vulnerability affecting various Welch Allyn cardiovascular products.
What is CVE-2021-43935?
The vulnerability allows unauthorized application access by accepting manual entry of AD accounts without passwords when using SSO.
The Impact of CVE-2021-43935
- CVSS Score: 8.1 (High)
- Attack Complexity: High
- Attack Vector: Network
- Impact: High confidentiality, integrity, and availability without needing privileges.
Technical Details of CVE-2021-43935
This section provides specific technical insights into the vulnerability.
Vulnerability Description
The vulnerability permits manual entry of any AD account without a password, granting unauthorized application access.
Affected Systems and Versions
- Welch Allyn Q-Stress Cardiac Stress Testing System 6.0.0, X-Scribe 5.01, Diagnostic Cardiology Suite 2.1.0, etc.
Exploitation Mechanism
Unauthorized users can input any AD account without a password while using SSO for application access.
Mitigation and Prevention
To secure the impacted systems and prevent exploitation:
Immediate Steps to Take
- Disable the SSO feature in Modality Manager Configuration.
- Implement network and physical security controls.
- Enable authentication for server access.
Long-Term Security Practices
- Regularly update products to the latest versions.
- Follow Hillrom's instructions for updating the products.
Patching and Updates
- Hillrom advises upgrading affected products when new versions are available for enhanced security.