Advisory - Hillrom Medical Device Management

Summary

The electronics and IT technology embedded in medical devices and healthcare IT systems is contributing to greater precision in healthcare. However, the sector is now among the most targeted by cyberattacks globally, including ransomware attacks.

Recently, CVE-2022-26388 and CVE-2022-26389 were published for a healthcare device: electrocardiograph machines.

CVE-2022-26388, which has a Medium CVSS rating of 6.4, is a 'use of hard-coded password' vulnerability: the affected products use hard-coded passwords for inbound authentication or for outbound communication with external components. The vulnerability has low attack complexity. An adversary who exploits it can compromise data and other user credentials, effectively disrupting healthcare services.

Hard-coded passwords and passwords logged in cleartext appear predominantly in hardware devices such as routers, switches and cameras, which are difficult to service; the credentials are usually embedded in the firmware for "ease of support". A quick search for "hardcoded password" on NVD.nist.gov shows that the count of such vulnerabilities has increased consistently since 2015, reaching 63 for 2021.

CVE-2022-26389, which has a High CVSS rating of 7.7, is an improper access control vulnerability: the software does not restrict, or incorrectly restricts, access to a resource from an authorised actor. The vulnerability has high attack complexity. Broken or improper access control is among the issues we find most frequently during our pen-tests, and it ranks first in the OWASP Top 10 2021.

Solution

Update to the latest version of the software as soon as possible.

If updating is not a feasible option, Hillrom has published workarounds that reduce the risk considerably:

  1. Apply proper network and physical security controls.
  2. Ensure a unique encryption key is configured for the devices.
  3. Where possible, use a firewall.

CVEs

CVE-2022-26388

CVE-2022-26389

Resources

Authors: Narendra Kumawat, Mahesh Saptarshi

For more information contact: contact@cybersecurist.com
