CVE-2021-43935

Summary

The impacted products, when configured to use SSO, are affected by an improper authentication vulnerability. This vulnerability allows the application to accept manual entry of any active directory (AD) account provisioned in the application without supplying a password, resulting in access to the application as the supplied AD account, with all associated privileges.

Affected Software

VendorProductVersion RangeStatus
HillromWelch Allyn Q-Stress Cardiac Stress Testing System6.0.0 <= 6.3.1affected
HillromWelch Allyn X-Scribe Cardiac Stress Testing System5.01 <= 6.3.1affected
HillromWelch Allyn Diagnostic Cardiology Suite2.1.0affected
HillromWelch Allyn Vision Express6.1.0 <= 6.4.0affected
HillromWelch Allyn H-Scribe Holter Analysis System5.01 <= 6.4.0affected
HillromWelch Allyn R-Scribe Resting ECG System5.01 <= 7.0.0affected
HillromWelch Allyn Connex Cardio1.0.0 <= 1.1.1affected

Weaknesses

  • CWE-288: CWE-288 Authentication Bypass Using an Alternate Path or Channel

Workarounds

-Disable the SSO feature in the respective Modality Manager Configuration settings. Please refer to the instructions for use (IFU) and/or service manual for instructions on how to disable SSO. -Apply proper network and physical security controls. -Apply authentication for server access.

ADP Enrichment

CVE Program Container

Additional References

References