CVE-2022-26389

Summary

An improper access control vulnerability may allow privilege escalation.This issue affects: 

  • ELI 380 Resting Electrocardiograph:

Versions 2.6.0 and prior; 

  • ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph:

Versions 2.3.1 and prior; 

  • ELI 250c/BUR 250c Resting Electrocardiograph: Versions 2.1.2 and prior; 
  • ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph:

Versions 2.2.0 and prior.

Affected Software

VendorProductVersion RangeStatus
Baxter/ HillromELI 380 Resting Electrocardiograph0 <= 2.6.0affected
Welch AllynELI 280/BUR280/MLBUR 280 Resting Electrocardiograph0 <= 2.3.1affected
Welch AllynELI 250c/BUR 250c Resting Electrocardiograph0 <= 2.1.2affected
Welch AllynELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph0 <= 2.2.0affected

Weaknesses

  • CWE-284: CWE-284 Improper Access Control

Workarounds

Hillrom recommends the following workarounds to help reduce risk:

  • Apply proper network and physical security controls.

  • Ensure a unique encryption key is configured for ELI Link and Cardiograph.

  • Where possible, use a firewall to prevent communication on Port 21 FTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet service.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References