CVE-2022-26388

Summary

A use of hard-coded password vulnerability may allow authentication abuse.This issue affects ELI 380 Resting Electrocardiograph:

Versions 2.6.0 and prior; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph:

Versions 2.3.1 and prior; ELI 250c/BUR 250c Resting Electrocardiograph:

Versions 2.1.2 and prior; ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph:

Versions 2.2.0 and prior.

Affected Software

VendorProductVersion RangeStatus
Welch AllynELI 380 Resting Electrocardiograph0 <= 2.6.0affected
Welch AllynELI 280/BUR280/MLBUR 280 Resting Electrocardiograph0 <= 2.3.1affected
Welch AllynELI 250c/BUR 250c Resting Electrocardiograph0 <= 2.1.2affected
Welch AllynELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph0 <= 2.2.0affected

Weaknesses

  • CWE-259: CWE-259 Use of Hard-Coded Password

Workarounds

Hillrom recommends the following workarounds to help reduce risk:

  • Apply proper network and physical security controls.

  • Ensure a unique encryption key is configured for ELI Link and Cardiograph.

  • Where possible, use a firewall to prevent communication on Port 21 FTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet service.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References