CISA: Authentication Flaw in Certain Hillrom Cardio Products
Exploitation Could Allow Remote Attackers Access to Privileged Accounts
Federal regulators are warning healthcare sector entities worldwide that an authentication vulnerability in a variety of Hillrom Welch Allyn cardio products, if exploited, could allow attackers access to privileged accounts.
The alert from the Cybersecurity and Infrastructure Security Agency says the "authentication bypass using an alternate path or channel" vulnerability, which can be exploited remotely, has a CVSS v3 base score of 8.1, and was recently reported by Hillrom to CISA.
Hillrom was acquired on Monday by medical technology vendor Baxter International.
"The impacted products, when configured to use single sign-on, are affected by an improper authentication vulnerability," CISA says.
"This vulnerability allows the application to accept manual entry of any [Windows] Active Directory account provisioned in the application without supplying a password, resulting in access to the application as the supplied Active Directory account, with all associated privileges," CISA says.
"Successful exploitation of this vulnerability could allow an attacker to access privileged accounts."
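The CISA description above is the textbook shape of an "authentication bypass using an alternate path or channel": the single sign-on path is meant to carry an already-verified identity, but a second, manual-entry path into the same application accepts a typed Active Directory account name as if it had been verified. The following added example (written for this page; it is not Hillrom's or CISA's code, and every account name, password and SSO assertion in it is constructed) contrasts a login handler with that defect against one in which every path to a session must prove the identity, either with a validated SSO assertion or with a password check.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory standing in for "Active Directory accounts
# provisioned in the application". Hypothetical names, not from any product.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = secrets.token_bytes(16)
PROVISIONED_ACCOUNTS = {
    "HOSPITAL\\cardio-tech": {"privileged": False, "pw": _hash("tech-pass", _SALT)},
    "HOSPITAL\\cardio-admin": {"privileged": True, "pw": _hash("admin-pass", _SALT)},
}

# Constructed stand-in for the SSO provider: assertions it has actually issued,
# mapped to the identity each one vouches for.
_VALID_SSO_ASSERTIONS = {"assertion-7f3a": "HOSPITAL\\cardio-tech"}


@dataclass
class Config:
    sso_enabled: bool


def verify_password(username: Optional[str], password: Optional[str]) -> bool:
    """Password path: only succeeds for a provisioned account with the right password."""
    acct = PROVISIONED_ACCOUNTS.get(username) if username else None
    if acct is None or password is None:
        return False
    return hmac.compare_digest(acct["pw"], _hash(password, _SALT))


def validate_sso(assertion: Optional[str]) -> Optional[str]:
    """SSO path: returns the identity the provider vouches for, or None."""
    if assertion is None:
        return None
    return _VALID_SSO_ASSERTIONS.get(assertion)


def login_vulnerable(cfg: Config, username: Optional[str] = None,
                     password: Optional[str] = None,
                     sso_assertion: Optional[str] = None) -> Optional[str]:
    """Returns the identity a session would be created for, or None.

    Defect: with SSO enabled, the manual-entry fallback treats "this account is
    provisioned" as if it were "this caller proved they are that account", so any
    provisioned name typed in yields a session without a password.
    """
    if cfg.sso_enabled:
        identity = validate_sso(sso_assertion)
        if identity:
            return identity
        if username in PROVISIONED_ACCOUNTS:   # <-- alternate path, no proof of identity
            return username
        return None
    return username if verify_password(username, password) else None


def login_fixed(cfg: Config, username: Optional[str] = None,
                password: Optional[str] = None,
                sso_assertion: Optional[str] = None) -> Optional[str]:
    """Every path to a session must carry proof: a valid SSO assertion or a password."""
    identity = validate_sso(sso_assertion) if cfg.sso_enabled else None
    if identity:
        return identity
    # The manual-entry path is the same whether or not SSO is on: it still needs a password.
    return username if verify_password(username, password) else None


def is_privileged(identity: Optional[str]) -> bool:
    """Helper for audits: would this session carry elevated rights?"""
    return bool(identity) and PROVISIONED_ACCOUNTS[identity]["privileged"]


if __name__ == "__main__":
    sso_on = Config(sso_enabled=True)
    who = login_vulnerable(sso_on, username="HOSPITAL\\cardio-admin")
    print("vulnerable handler, typed name only:", who, "privileged:", is_privileged(who))
    print("fixed handler, typed name only:", login_fixed(sso_on, username="HOSPITAL\\cardio-admin"))
    print("fixed handler, SSO assertion:", login_fixed(sso_on, sso_assertion="assertion-7f3a"))
```

The point of the contrast is that the fix is not a new check bolted onto the SSO path; it is removing the assumption that enabling SSO changes what the manual-entry path must verify. The same reasoning explains the interim advice to disable SSO: with the feature off, the defective fallback is never reached.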
The vulnerability affects a variety of Hillrom cardiology products when configured to use single sign-on. Those include:
- Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0 through 6.3.1;
- Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1;
- Welch Allyn Diagnostic Cardiology Suite: Version 2.1;
- Welch Allyn Vision Express: Versions 6.1.0 through 6.4;
- Welch Allyn H-Scribe Holter Analysis System: Versions 5.01 through 6.4;
- Welch Allyn R-Scribe Resting ECG System: Versions 5.01 through 7.0;
- Welch Allyn Connex Cardio: Versions 1.0 through 1.1.1.
Hillrom is planning to release software updates to address the vulnerability in the company's next software release, the company says in its own advisory. The company recommends users upgrade to the latest product versions when those updated products are available.
In the interim, Hillrom recommends disabling the single sign-on feature in the respective modality manager configuration settings to reduce risk.
Hillrom also recommends workarounds including applying proper network and physical security controls and applying authentication for server access.
Hillrom did not immediately respond to an Information Security Media Group request for additional information about the vulnerability, including how many products in use by healthcare providers worldwide are affected.
Risks to Healthcare Settings
Some experts say this class of vulnerability poses specific security concerns if exploited.
Elad Luz, the head of research at healthcare security firm CyberMDX, says the vulnerability appears to only pose risk to the data kept within the affected products' Modality Manager.
"That being said, there might be multiple systems in the hospital working with the same Modality Manager, so it's possible that patient data generated by all of them will be compromised, but to my understanding this would not go further," he says.
"With such access, a bad actor could potentially steal medical records, encrypt them and ask for ransom, or even alter them to affect care and cause a false diagnosis," he says. "So while it may not have the same potential as other vulnerabilities to spread to other parts of the network, it can still cause significant problems to the systems."
The vulnerability involving the Hillrom cardio products "shows that modalities have keys to the castle, including apps, devices, data and user privileges," says Michael Holt, president and CEO of healthcare security vendor Virta Labs.
"This is similar to past medical device security issues with other vendors using kiosk modes or embedded tokens for ease of use and to avoid clinician lockout. Like the Log4j incident, this event presents the Swiss cheese design of software, hardware and networks," he says, referring to the recent zero-day vulnerability detected in the Java logging library Apache Log4j that can result in full server takeover and leaves a large array of applications vulnerable.
Any vulnerability providing attackers potential privileged account access is worrisome, other experts say.
"Privileged accounts allow for greater access, which increases the amount of potential damage an attacker can do," says Benjamin Denkers, chief innovation officer at privacy and security consultancy CynergisTek.
"You have both the direct risk of the device itself being compromised, plus the attacker has now gained a foothold on the network," he says. "This could potentially allow for lateral movement and an opportunity for an attacker to compromise other vulnerable devices, networks and environments."
While the identified vulnerability in the Hillrom situation involves single sign-on configurations of the affected cardiac products, in general, single sign-on is a common practice used for other healthcare systems and devices, according to Denkers.
"It's designed to help solve fragmented and siloed authentication processes across various devices and applications," he says. "In turn, this simplifies the logon process for users, making it easier to perform their duties across an enterprise network."
Luz offers a similar assessment: "Single sign-on would usually be adopted by server software, and the reason it would be used is the fact that it is much more convenient for both users and administrators."
It is often used by a variety of different systems in healthcare, such as electronic medical records to access patient data, DICOM servers to view and diagnose imaging data, and other software or web interfaces used for managing fleets of medical devices such as infusion pumps and glucometers, he says.
While healthcare was already rapidly digitizing before the onset of COVID-19, the outbreak of the pandemic accelerated the process even more, Luz says.
"The result is that today the modern healthcare network is so distributed, heterogeneous and complex that it can no longer be protected by enforcing policies on the perimeter alone.
"As a result, the best option to secure these networks is a layered, device-centric approach with built-in Zero Trust policies that will help prevent breaches and contain the scope of any that do occur."
Looking ahead to 2022, Denkers says he expects to see awareness of the cybersecurity concerns involving medical devices continue to grow as the impacts of these issues have real-world consequences.
He says: "I also wouldn't be surprised to see medical devices play a more pivotal role in a more traditional ransomware attack."