ICSMA-21-152-01  ·  Published 2021-12-14  ·  Source: CISA ICS-CERT

Hillrom Medical Device Management (Update B)

CVSS 5.9 MEDIUM

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker to cause memory corruption and remotely execute arbitrary code.

Remediations

  • Welch Allyn Service Tool: v1.10
  • Welch Allyn Software Development Kit (SDK): v3.2
  • Welch Allyn Connex Central Station (CS): v1.8.4 Service Pack 01 (released November 2022)
  • Welch Allyn Connex Device Integration Suite - Network Connectivity Engine (NCE): v5.3 (released September 2021)
  • Welch Allyn Spot Vital Signs 4400 Device (Spot 4400) / Welch Allyn Spot 4400 Vital Signs Extended Care Device: v1.11.00 (Released October 2021)
  • Welch Allyn Service Monitor: v1.7.0.0
  • Welch Allyn Connex Vital Signs Monitor (CVSM): v2.43.02
  • Welch Allyn Connex Integrated Wall System (CIWS): v2.43.02
  • Welch Allyn Connex Spot Monitor (CSM): v1.52
  • Welch Allyn Spot Vital Signs 4400 Device (Spot 4400) / Welch Allyn Spot 4400 Vital Signs Extended Care Device: v1.11.00 (available Fall 2021)
  • Hillrom recommends that users upgrade to the latest versions of their products. Information on how to update these products to the new versions can be found on the Hillrom disclosure page.
  • Apply proper network and physical security controls.
  • Apply authentication for server access.
  • Apply data execution prevention (DEP) where applicable to help prevent shellcode from running. Address space layout randomization (ASLR) is built into standard Windows and Linux distributions.

Affected Vendors

Hillrom

Affected Products (9)

Hillrom · Welch Allyn Connex Spot Monitor (CSM) < 1.52
Hillrom · Welch Allyn Connex Integrated Wall System (CIWS) < 2.43.02
Hillrom · Welch Allyn Connex Vital Signs Monitor (CVSM) < 2.43.02
Hillrom · Welch Allyn Connex Central Station (CS) < 1.8.4 Service Pack 01
Hillrom · Welch Allyn Spot Vital Signs 4400 Device (Spot 4400) / Welch Allyn Spot 4400 Vital Signs Extended Care Device < 1.11.00
Hillrom · Welch Allyn Software Development Kit (SDK) < 3.2
Hillrom · Welch Allyn Service Tool < 1.10
Hillrom · Welch Allyn Connex Device Integration Suite - Network Connectivity Engine (NCE) < 5.3
Hillrom · Welch Allyn Service Monitor < 1.7.0.0

Affected Sectors

Healthcare and Public Health
