CVE-2021-43935
ICSMA-21-343-01 Hillrom Welch Allyn Cardio Products
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The impacted products, when configured to use SSO, are affected by an improper authentication vulnerability. This vulnerability allows the application to accept manual entry of any active directory (AD) account provisioned in the application without supplying a password, resulting in access to the application as the supplied AD account, with all associated privileges.
Los productos afectados, cuando están configurados para usar SSO, están afectados por una vulnerabilidad de autenticación inapropiada. Esta vulnerabilidad permite que la aplicación acepte la entrada manual de cualquier cuenta del directorio activo (AD) provista en la aplicación sin suministrar una contraseña, resultando en el acceso a la aplicación como la cuenta AD suministrada, con todos los privilegios asociados
*Credits:
Hillrom reported this vulnerability to CISA
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-11-16 CVE Reserved
- 2021-12-15 CVE Published
- 2024-08-24 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsma-21-343-01 | Mitigation |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Baxter Search vendor "Baxter" | Welch Allyn Hscribe Holter Analysis System Firmware Search vendor "Baxter" for product "Welch Allyn Hscribe Holter Analysis System Firmware" | >= 5.01 <= 6.4.0 Search vendor "Baxter" for product "Welch Allyn Hscribe Holter Analysis System Firmware" and version " >= 5.01 <= 6.4.0" | - |
Affected
| in | Baxter Search vendor "Baxter" | Welch Allyn Hscribe Holter Analysis System Search vendor "Baxter" for product "Welch Allyn Hscribe Holter Analysis System" | - | - |
Safe
|
| Baxter Search vendor "Baxter" | Welch Allyn Q-stress Cardiac Stress Testing System Firmware Search vendor "Baxter" for product "Welch Allyn Q-stress Cardiac Stress Testing System Firmware" | >= 6.0.0 <= 6.3.1 Search vendor "Baxter" for product "Welch Allyn Q-stress Cardiac Stress Testing System Firmware" and version " >= 6.0.0 <= 6.3.1" | - |
Affected
| in | Baxter Search vendor "Baxter" | Welch Allyn Q-stress Cardiac Stress Testing System Search vendor "Baxter" for product "Welch Allyn Q-stress Cardiac Stress Testing System" | - | - |
Safe
|
| Baxter Search vendor "Baxter" | Welch Allyn Xscribe Cardiac Stress Testing System Firmware Search vendor "Baxter" for product "Welch Allyn Xscribe Cardiac Stress Testing System Firmware" | >= 5.01 <= 6.3.1 Search vendor "Baxter" for product "Welch Allyn Xscribe Cardiac Stress Testing System Firmware" and version " >= 5.01 <= 6.3.1" | - |
Affected
| in | Baxter Search vendor "Baxter" | Welch Allyn Xscribe Cardiac Stress Testing System Search vendor "Baxter" for product "Welch Allyn Xscribe Cardiac Stress Testing System" | - | - |
Safe
|
| Baxter Search vendor "Baxter" | Welch Allyn Connex Cardio Search vendor "Baxter" for product "Welch Allyn Connex Cardio" | >= 1.0.0 <= 1.1.1 Search vendor "Baxter" for product "Welch Allyn Connex Cardio" and version " >= 1.0.0 <= 1.1.1" | - |
Affected
| ||||||
| Baxter Search vendor "Baxter" | Welch Allyn Diagnostic Cardiology Suite Search vendor "Baxter" for product "Welch Allyn Diagnostic Cardiology Suite" | 2.1.0 Search vendor "Baxter" for product "Welch Allyn Diagnostic Cardiology Suite" and version "2.1.0" | - |
Affected
| ||||||
| Baxter Search vendor "Baxter" | Welch Allyn Rscribe Resting Ecg System Search vendor "Baxter" for product "Welch Allyn Rscribe Resting Ecg System" | >= 5.01 <= 7.0.0 Search vendor "Baxter" for product "Welch Allyn Rscribe Resting Ecg System" and version " >= 5.01 <= 7.0.0" | - |
Affected
| ||||||
| Baxter Search vendor "Baxter" | Welch Allyn Vision Express Holter Analysis System Search vendor "Baxter" for product "Welch Allyn Vision Express Holter Analysis System" | >= 6.1.0 <= 6.4.0 Search vendor "Baxter" for product "Welch Allyn Vision Express Holter Analysis System" and version " >= 6.1.0 <= 6.4.0" | - |
Affected
| ||||||