Vulnerabilities Discovered in Hillrom Medical Device Management Tools

Hillrom medical device management tools had been discovered to have two medium severity vulnerabilities that could cause the leakage of sensitive information, corruption of information, and execution of remote code.

CVE-2021-27410 is an out-of-bounds write vulnerability that could permit an attacker to bring about memory corruption and remote execution of arbitrary code. Although remote code execution is achievable, taking advantage of the vulnerability is very complex. The vulnerability has been designated a 5.9/10 CVSS v3 severity score.

CVE-2021-27408 is an out-of-bounds read issue vulnerability that could bring about data leakage and arbitrary code execution when mixed with the out-of-bounds write vulnerability. This vulnerability has been given a 5.9/10 CVSS severity score.

The vulnerabilities impacted the Hillrom Welch Allyn branded medical device management tools listed below:

  • Service Tool: before versions v1.10
  • Software Development Kit (SDK): before versions v3.2
  • Connex Device Integration Suite – Network Connectivity Engine (NCE): before versions v5.3
  • Connex Central Station (CS): before versions v1.8.6
  • Service Monitor: before versions v1.7.0.0
  • Connex Integrated Wall System (CIWS): before versions v2.43.02
  • Connex Vital Signs Monitor (CVSM): before versions v2.43.02
  • Connex Spot Monitor (CSM): before versions v1.52
  • Spot 4400 Vital Signs Extended Care Device/Spot Vital Signs 4400 Device (Spot 4400): before versions v1.11.00

Itamar Cohen-Matalon of Medigate Research Labs identified the vulnerabilities and reported them to Hillrom. Software updates had been released to fix the vulnerabilities. Clients are instructed to upgrade to the most recent versions of the software program to resolve the vulnerabilities and avert exploitation. Presently, there are no documented instances of vulnerability exploitation.

Welch Allyn product versions that have resolved vulnerabilities include the following:

  • Service Tool v1.10
  • Software Development Kit (SDK) v3.2
  • Connex Device Integration Suite – Network Connectivity Engine (NCE) v5.3 (available Summer 2021)
  • Connex Central Station (CS): v1.8.6 (available Fall 2021)
  • Connex Vital Signs Monitor (CVSM): v2.43.02
  • Service Monitor: v1.7.0.0
  • Connex Integrated Wall System (CIWS): v2.43.02
  • Spot 4400 Vital Signs Extended Care Device/Spot Vital Signs 4400 Device (Spot 4400): v1.11.00 (on the market in Fall 2021)
  • Connex Spot Monitor (CSM): v1.52

Hillrom additionally advises using the appropriate system and physical security settings, implementing authentication for server access, and utilizing data execution prevention (DEP) wherever possible to keep the shellcode from running.