Hillrom Medical Device Management (Update B)

MonitorCVSS 5.9ICS-CERT ICSMA-21-152-01Jun 1, 2021

Healthcare

Attack path

Attack VectorAdjacent

Auth RequiredLow

ComplexityHigh

User InteractionNone needed

Summary

Buffer overflow and out-of-bounds read vulnerabilities in Hillrom Welch Allyn medical device management products could allow an attacker to cause memory corruption and remotely execute arbitrary code on patient monitoring devices. Affected products include Connex Spot Monitor, Connex Integrated Wall System, Connex Vital Signs Monitor, Connex Central Station, Spot Vital Signs 4400 devices, and related software integration and development tools. Hillrom has released patched versions for all affected products. These vulnerabilities have high attack complexity, and no known public exploits are currently available.

What this means

What could happen

An attacker could exploit memory corruption in Welch Allyn patient monitoring and vital signs devices to run arbitrary code, potentially allowing tampering with patient data, disabling alarms, or disrupting real-time vital sign monitoring in critical care settings.

Who's at risk

Healthcare facilities using Welch Allyn patient monitoring equipment, including hospital intensive care units, cardiac care, and emergency departments. Specifically affects Connex Spot Monitor, Connex Integrated Wall System, Connex Vital Signs Monitor, Connex Central Station, Spot Vital Signs 4400 devices, and Welch Allyn integration software used for device management and network connectivity.

How it could be exploited

An attacker with local network access to a vulnerable Welch Allyn device could send a specially crafted message to trigger a buffer overflow or out-of-bounds memory read, causing the device to execute arbitrary code. The vulnerabilities have high attack complexity, requiring specific conditions or device state to trigger.

Prerequisites

Network access to the vulnerable Welch Allyn device on the medical network
Knowledge of the specific message format or device state required to trigger the memory corruption
Local network position or ability to send traffic to the device (remote exploitation less likely given high attack complexity)

No authentication required for exploitationHigh attack complexity reduces likelihoodAffects patient safety systems and real-time monitoringMultiple device types across the Welch Allyn product lineLow EPSS score (0.5%) indicates low near-term exploit probability

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (9)

9 with fix

ProductAffected VersionsFix Status

Welch Allyn Connex Spot Monitor (CSM):< 1.52v1.52

Welch Allyn Connex Integrated Wall System (CIWS):< 2.43.02v2.43.02

Welch Allyn Connex Vital Signs Monitor (CVSM):< 2.43.02v2.43.02

Welch Allyn Connex Central Station (CS):< 1.8.4 Service Pack 01v1.8.4 Service Pack 01

Welch Allyn Spot Vital Signs 4400 Device (Spot 4400) / Welch Allyn Spot 4400 Vital Signs Extended Care Device:< 1.11.00v1.11.00

Welch Allyn Software Development Kit (SDK):< 3.2v3.2

Welch Allyn Service Tool:< 1.10v1.10

Welch Allyn Connex Device Integration Suite - Network Connectivity Engine (NCE):< 5.3v5.3

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGIsolate patient monitoring networks from the business network using firewalls; ensure monitoring devices are not directly accessible from enterprise or internet-facing networks

HARDENINGRequire authentication for all server and management access to monitoring devices and centralized monitoring systems

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

Welch Allyn Spot Vital Signs 4400 Device (Spot 4400) / Welch Allyn Spot 4400 Vital Signs Extended Care Device:

HOTFIXUpdate all affected Welch Allyn devices to patched versions: Connex Spot Monitor v1.52, Connex Integrated Wall System v2.43.02, Connex Vital Signs Monitor v2.43.02, Connex Central Station v1.8.4 SP01, Spot 4400 v1.11.00, SDK v3.2, Service Tool v1.10, NCE v5.3, Service Monitor v1.7.0.0

All products

HARDENINGEnable Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) on systems running Welch Allyn software where applicable

CVEs (2)

CVE-2021-27410 CVE-2021-27408

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e9ee11a1-6dd2-4caa-868b-e8b8abd224d4

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.