cvelistv5 - cve-2022-26388

CVE-2022-26388 (GCVE-0-2022-26388)

Vulnerability from cvelistv5 – Published: 2025-02-07 17:06 – Updated: 2025-02-07 18:50

Summary

A use of hard-coded password vulnerability may allow authentication abuse.This issue affects ELI 380 Resting Electrocardiograph: Versions 2.6.0 and prior; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: Versions 2.3.1 and prior; ELI 250c/BUR 250c Resting Electrocardiograph: Versions 2.1.2 and prior; ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: Versions 2.2.0 and prior.

Severity ?

6.4 (Medium)


                        
                          CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CWE

CWE-259 - Use of Hard-Coded Password

Assigner

Baxter

References

URL

Tags

	https://www.cisa.gov/news-events/ics-medical-advi…
	https://hillrom.com/en/responsible-disclosures/

Impacted products

Vendor

Product

Version

Welch Allyn

ELI 380 Resting Electrocardiograph

Affected: 0 , ≤ 2.6.0 (custom)

Welch Allyn	ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph	Affected: 0 , ≤ 2.3.1 (custom)
Welch Allyn	ELI 250c/BUR 250c Resting Electrocardiograph	Affected: 0 , ≤ 2.1.2 (custom)
Welch Allyn	ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph	Affected: 0 , ≤ 2.2.0 (custom)

Credits

An anonymous user reported these vulnerabilities to Hillrom.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-26388",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-07T18:50:50.198188Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-07T18:50:58.812Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ELI 380 Resting Electrocardiograph",
          "vendor": "Welch Allyn",
          "versions": [
            {
              "lessThanOrEqual": "2.6.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph",
          "vendor": "Welch Allyn",
          "versions": [
            {
              "lessThanOrEqual": "2.3.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "ELI 250c/BUR 250c Resting Electrocardiograph",
          "vendor": "Welch Allyn",
          "versions": [
            {
              "lessThanOrEqual": "2.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph",
          "vendor": "Welch Allyn",
          "versions": [
            {
              "lessThanOrEqual": "2.2.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "An anonymous user reported these vulnerabilities to Hillrom."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A use of hard-coded password vulnerability may allow authentication abuse.\u003cp\u003eThis issue affects ELI 380 Resting Electrocardiograph: \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVersions 2.6.0 and prior\u003c/span\u003e; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph:\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVersions 2.3.1 and prior\u003c/span\u003e; ELI 250c/BUR 250c Resting Electrocardiograph:\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVersions 2.1.2 and prior\u003c/span\u003e; ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVersions 2.2.0 and prior\u003c/span\u003e.\u003c/p\u003e"
            }
          ],
          "value": "A use of hard-coded password vulnerability may allow authentication abuse.This issue affects ELI 380 Resting Electrocardiograph: \n\nVersions 2.6.0 and prior; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph:\n\nVersions 2.3.1 and prior; ELI 250c/BUR 250c Resting Electrocardiograph:\n\nVersions 2.1.2 and prior; ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: \n\nVersions 2.2.0 and prior."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-114",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-114 Authentication Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-259",
              "description": "CWE-259 Use of Hard-Coded Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-07T17:06:30.134Z",
        "orgId": "dba971b9-eb30-4121-91e1-3b45611354aa",
        "shortName": "Baxter"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-167-01"
        },
        {
          "url": "https://hillrom.com/en/responsible-disclosures/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eHillrom has released software updates for all impacted devices to \naddress these vulnerabilities. New product versions that mitigate these \nvulnerabilities are available as follows:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eWelch Allyn ELI 380 Resting Electrocardiograph: available Q4 2023\u003c/li\u003e\n\u003cli\u003eWelch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: available May 2022\u003c/li\u003e\n\u003cli\u003eWelch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: available Q4 2023\u003c/li\u003e\n\u003c/ul\u003e\n\n\nHillrom recommends users upgrade to the latest product versions. \nInformation on how to update these products can be found on the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://hillrom.com/en/responsible-disclosures/\"\u003eHillrom disclosure page\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Hillrom has released software updates for all impacted devices to \naddress these vulnerabilities. New product versions that mitigate these \nvulnerabilities are available as follows:\n\n\n\n  *  Welch Allyn ELI 380 Resting Electrocardiograph: available Q4 2023\n\n  *  Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: available May 2022\n\n  *  Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: available Q4 2023\n\n\n\n\n\n\nHillrom recommends users upgrade to the latest product versions. \nInformation on how to update these products can be found on the  Hillrom disclosure page https://hillrom.com/en/responsible-disclosures/ ."
        }
      ],
      "source": {
        "advisory": "ICSMA-22-167-01",
        "discovery": "EXTERNAL"
      },
      "title": "Use of Hard-Coded Password Vulnerability in ELI Electrocardiograph Devices",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eHillrom recommends the following workarounds to help reduce risk:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eApply proper network and physical security controls.\u003c/li\u003e\n\u003cli\u003eEnsure a unique encryption key is configured for ELI Link and Cardiograph.\u003c/li\u003e\n\u003cli\u003eWhere possible, use a firewall to prevent communication on Port 21 \nFTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet \nservice.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Hillrom recommends the following workarounds to help reduce risk:\n\n\n\n  *  Apply proper network and physical security controls.\n\n  *  Ensure a unique encryption key is configured for ELI Link and Cardiograph.\n\n  *  Where possible, use a firewall to prevent communication on Port 21 \nFTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet \nservice."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dba971b9-eb30-4121-91e1-3b45611354aa",
    "assignerShortName": "Baxter",
    "cveId": "CVE-2022-26388",
    "datePublished": "2025-02-07T17:06:30.134Z",
    "dateReserved": "2022-03-03T22:04:24.533Z",
    "dateUpdated": "2025-02-07T18:50:58.812Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-26388\",\"sourceIdentifier\":\"productsecurity@baxter.com\",\"published\":\"2025-02-07T17:15:21.960\",\"lastModified\":\"2025-02-07T17:15:21.960\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A use of hard-coded password vulnerability may allow authentication abuse.This issue affects ELI 380 Resting Electrocardiograph: \\n\\nVersions 2.6.0 and prior; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph:\\n\\nVersions 2.3.1 and prior; ELI 250c/BUR 250c Resting Electrocardiograph:\\n\\nVersions 2.1.2 and prior; ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: \\n\\nVersions 2.2.0 and prior.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en el uso de contrase\u00f1as codificadas de forma r\u00edgida puede permitir el abuso de la autenticaci\u00f3n. Este problema afecta al electrocardi\u00f3grafo en reposo ELI 380: versiones 2.6.0 y anteriores; al electrocardi\u00f3grafo en reposo ELI 280/BUR280/MLBUR 280: versiones 2.3.1 y anteriores; al electrocardi\u00f3grafo en reposo ELI 250c/BUR 250c: versiones 2.1.2 y anteriores; al electrocardi\u00f3grafo en reposo ELI 150c/BUR 150c/MLBUR 150c: versiones 2.2.0 y anteriores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"productsecurity@baxter.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.9,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"productsecurity@baxter.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-259\"}]}],\"references\":[{\"url\":\"https://hillrom.com/en/responsible-disclosures/\",\"source\":\"productsecurity@baxter.com\"},{\"url\":\"https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-167-01\",\"source\":\"productsecurity@baxter.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-26388\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-07T18:50:50.198188Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-07T18:50:43.780Z\"}}], \"cna\": {\"title\": \"Use of Hard-Coded Password Vulnerability in ELI Electrocardiograph Devices\", \"source\": {\"advisory\": \"ICSMA-22-167-01\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"An anonymous user reported these vulnerabilities to Hillrom.\"}], \"impacts\": [{\"capecId\": \"CAPEC-114\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-114 Authentication Abuse\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.4, \"attackVector\": \"PHYSICAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Welch Allyn\", \"product\": \"ELI 380 Resting Electrocardiograph\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2.6.0\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Welch Allyn\", \"product\": \"ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2.3.1\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Welch Allyn\", \"product\": \"ELI 250c/BUR 250c Resting Electrocardiograph\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2.1.2\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Welch Allyn\", \"product\": \"ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2.2.0\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Hillrom has released software updates for all impacted devices to \\naddress these vulnerabilities. New product versions that mitigate these \\nvulnerabilities are available as follows:\\n\\n\\n\\n  *  Welch Allyn ELI 380 Resting Electrocardiograph: available Q4 2023\\n\\n  *  Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: available May 2022\\n\\n  *  Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: available Q4 2023\\n\\n\\n\\n\\n\\n\\nHillrom recommends users upgrade to the latest product versions. \\nInformation on how to update these products can be found on the  Hillrom disclosure page https://hillrom.com/en/responsible-disclosures/ .\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eHillrom has released software updates for all impacted devices to \\naddress these vulnerabilities. New product versions that mitigate these \\nvulnerabilities are available as follows:\u003c/p\u003e\\n\u003cul\u003e\\n\u003cli\u003eWelch Allyn ELI 380 Resting Electrocardiograph: available Q4 2023\u003c/li\u003e\\n\u003cli\u003eWelch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: available May 2022\u003c/li\u003e\\n\u003cli\u003eWelch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: available Q4 2023\u003c/li\u003e\\n\u003c/ul\u003e\\n\\n\\nHillrom recommends users upgrade to the latest product versions. \\nInformation on how to update these products can be found on the \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://hillrom.com/en/responsible-disclosures/\\\"\u003eHillrom disclosure page\u003c/a\u003e.\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-167-01\"}, {\"url\": \"https://hillrom.com/en/responsible-disclosures/\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Hillrom recommends the following workarounds to help reduce risk:\\n\\n\\n\\n  *  Apply proper network and physical security controls.\\n\\n  *  Ensure a unique encryption key is configured for ELI Link and Cardiograph.\\n\\n  *  Where possible, use a firewall to prevent communication on Port 21 \\nFTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet \\nservice.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eHillrom recommends the following workarounds to help reduce risk:\u003c/p\u003e\\n\u003cul\u003e\\n\u003cli\u003eApply proper network and physical security controls.\u003c/li\u003e\\n\u003cli\u003eEnsure a unique encryption key is configured for ELI Link and Cardiograph.\u003c/li\u003e\\n\u003cli\u003eWhere possible, use a firewall to prevent communication on Port 21 \\nFTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet \\nservice.\u003c/li\u003e\\n\u003c/ul\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A use of hard-coded password vulnerability may allow authentication abuse.This issue affects ELI 380 Resting Electrocardiograph: \\n\\nVersions 2.6.0 and prior; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph:\\n\\nVersions 2.3.1 and prior; ELI 250c/BUR 250c Resting Electrocardiograph:\\n\\nVersions 2.1.2 and prior; ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: \\n\\nVersions 2.2.0 and prior.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A use of hard-coded password vulnerability may allow authentication abuse.\u003cp\u003eThis issue affects ELI 380 Resting Electrocardiograph: \\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eVersions 2.6.0 and prior\u003c/span\u003e; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph:\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eVersions 2.3.1 and prior\u003c/span\u003e; ELI 250c/BUR 250c Resting Electrocardiograph:\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eVersions 2.1.2 and prior\u003c/span\u003e; ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: \\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eVersions 2.2.0 and prior\u003c/span\u003e.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-259\", \"description\": \"CWE-259 Use of Hard-Coded Password\"}]}], \"providerMetadata\": {\"orgId\": \"dba971b9-eb30-4121-91e1-3b45611354aa\", \"shortName\": \"Baxter\", \"dateUpdated\": \"2025-02-07T17:06:30.134Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-26388\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-07T18:50:58.812Z\", \"dateReserved\": \"2022-03-03T22:04:24.533Z\", \"assignerOrgId\": \"dba971b9-eb30-4121-91e1-3b45611354aa\", \"datePublished\": \"2025-02-07T17:06:30.134Z\", \"assignerShortName\": \"Baxter\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-4FPR-4QRV-R2VM

Vulnerability from github – Published: 2025-02-07 18:31 – Updated: 2025-02-07 18:31

Details

A use of hard-coded password vulnerability may allow authentication abuse.This issue affects ELI 380 Resting Electrocardiograph:

Versions 2.6.0 and prior; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph:

Versions 2.3.1 and prior; ELI 250c/BUR 250c Resting Electrocardiograph:

Versions 2.1.2 and prior; ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph:

Versions 2.2.0 and prior.

Severity ?

6.4 (Medium)


                  
                    CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-26388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-259"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-07T17:15:21Z",
    "severity": "MODERATE"
  },
  "details": "A use of hard-coded password vulnerability may allow authentication abuse.This issue affects ELI 380 Resting Electrocardiograph: \n\nVersions 2.6.0 and prior; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph:\n\nVersions 2.3.1 and prior; ELI 250c/BUR 250c Resting Electrocardiograph:\n\nVersions 2.1.2 and prior; ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: \n\nVersions 2.2.0 and prior.",
  "id": "GHSA-4fpr-4qrv-r2vm",
  "modified": "2025-02-07T18:31:23Z",
  "published": "2025-02-07T18:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26388"
    },
    {
      "type": "WEB",
      "url": "https://hillrom.com/en/responsible-disclosures"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-167-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2022-26388

Vulnerability from fkie_nvd - Published: 2025-02-07 17:15 - Updated: 2025-02-07 17:15

Severity ?

6.4 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Summary

References

	URL	Tags
	productsecurity@baxter.com	https://hillrom.com/en/responsible-disclosures/
	productsecurity@baxter.com	https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-167-01

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A use of hard-coded password vulnerability may allow authentication abuse.This issue affects ELI 380 Resting Electrocardiograph: \n\nVersions 2.6.0 and prior; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph:\n\nVersions 2.3.1 and prior; ELI 250c/BUR 250c Resting Electrocardiograph:\n\nVersions 2.1.2 and prior; ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: \n\nVersions 2.2.0 and prior."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en el uso de contrase\u00f1as codificadas de forma r\u00edgida puede permitir el abuso de la autenticaci\u00f3n. Este problema afecta al electrocardi\u00f3grafo en reposo ELI 380: versiones 2.6.0 y anteriores; al electrocardi\u00f3grafo en reposo ELI 280/BUR280/MLBUR 280: versiones 2.3.1 y anteriores; al electrocardi\u00f3grafo en reposo ELI 250c/BUR 250c: versiones 2.1.2 y anteriores; al electrocardi\u00f3grafo en reposo ELI 150c/BUR 150c/MLBUR 150c: versiones 2.2.0 y anteriores."
    }
  ],
  "id": "CVE-2022-26388",
  "lastModified": "2025-02-07T17:15:21.960",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "LOW",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 5.5,
        "source": "productsecurity@baxter.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-07T17:15:21.960",
  "references": [
    {
      "source": "productsecurity@baxter.com",
      "url": "https://hillrom.com/en/responsible-disclosures/"
    },
    {
      "source": "productsecurity@baxter.com",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-167-01"
    }
  ],
  "sourceIdentifier": "productsecurity@baxter.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-259"
        }
      ],
      "source": "productsecurity@baxter.com",
      "type": "Secondary"
    }
  ]
}

ICSMA-22-167-01

Vulnerability from csaf_cisa - Published: 2022-06-16 00:00 - Updated: 2022-06-16 00:00

Summary

Hillrom Medical Device Management

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities could allow an attacker to compromise software security by executing commands, gaining privileges, reading sensitive information, evading detection, etc.

Critical infrastructure sectors

Healthcare and Public Health

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/icsSeveral recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov/icsin the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "an anonymous party"
        ],
        "summary": "reporting these vulnerabilities to Hillrom"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities could allow an attacker to compromise software security by executing commands, gaining privileges, reading sensitive information, evading detection, etc.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Healthcare and Public Health",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/icsSeveral recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov/icsin the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-22-167-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2022/icsma-22-167-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-22-167-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-167-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Hillrom Medical Device Management",
    "tracking": {
      "current_release_date": "2022-06-16T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSMA-22-167-01",
      "initial_release_date": "2022-06-16T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2022-06-16T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSMA-22-167-01 Hillrom Medical Device Management"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 2.2.0",
                "product": {
                  "name": "Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: Versions 2.2.0 and prior",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 2.1.2",
                "product": {
                  "name": "Welch Allyn ELI 250c/BUR 250c Resting Electrocardiograph: Versions 2.1.2 and prior",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Welch Allyn ELI 250c/BUR 250c Resting Electrocardiograph"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 2.3.1",
                "product": {
                  "name": "Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: Versions 2.3.1 and prior",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 2.6.0",
                "product": {
                  "name": "Welch Allyn ELI 380 Resting Electrocardiograph: Versions 2.6.0 and prior",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_name",
            "name": "Welch Allyn ELI 380 Resting Electrocardiograph"
          }
        ],
        "category": "vendor",
        "name": "Hillrom and ELI, Baxter International Inc."
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-26388",
      "cwe": {
        "id": "CWE-259",
        "name": "Use of Hard-coded Password"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected products contain hard-coded (unchangeable) passwords used for inbound authentication or outbound communication to external components.CVE-2022-26388 has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26388"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Hillrom has released software updates for all impacted devices to address these vulnerabilities. New product versions that mitigate these vulnerabilities are available as follows:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Hillrom recommends users upgrade to the latest product versions. Information on how to update these products can be found on the Hillrom disclosure page.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://hillrom.com/en/responsible-disclosures/"
        },
        {
          "category": "vendor_fix",
          "details": "Hillrom recommends the following workarounds to help reduce risk:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2022-26389",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.CVE-2022-26389 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26389"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Hillrom has released software updates for all impacted devices to address these vulnerabilities. New product versions that mitigate these vulnerabilities are available as follows:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Hillrom recommends users upgrade to the latest product versions. Information on how to update these products can be found on the Hillrom disclosure page.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ],
          "url": "https://hillrom.com/en/responsible-disclosures/"
        },
        {
          "category": "vendor_fix",
          "details": "Hillrom recommends the following workarounds to help reduce risk:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ]
    }
  ]
}

GSD-2022-26388

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Aliases

CVE-2022-26388

Aliases

CVE-2022-26388

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-26388",
    "id": "GSD-2022-26388"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-26388"
      ],
      "id": "GSD-2022-26388",
      "modified": "2023-12-13T01:19:38.877418Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2022-26388",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-26388 (GCVE-0-2022-26388)

GHSA-4FPR-4QRV-R2VM

FKIE_CVE-2022-26388

ICSMA-22-167-01

GSD-2022-26388

Tags

Sightings

Nomenclature