CVE-2021-43935

Published: Dec 15, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The impacted products, when configured to use SSO, are affected by an improper authentication vulnerability. This vulnerability allows the application to accept manual entry of any active directory (AD) account provisioned in the application without supplying a password, resulting in access to the application as the supplied AD account, with all associated privileges.

Affected (7)

Products: Baxter: Welch Allyn Connex Cardio, Welch Allyn Diagnostic Cardiology Suite, Welch Allyn Rscribe Resting Ecg System, Welch Allyn Vision Express Holter Analysis System, Welch Allyn Hscribe Holter Analysis System Firmware, Welch Allyn Q Stress Cardiac Stress Testing System Firmware, Welch Allyn Xscribe Cardiac Stress Testing System Firmware

Baxter

7 products

Welch Allyn Connex Cardio

Welch Allyn Diagnostic Cardiology Suite

Welch Allyn Rscribe Resting Ecg System

Welch Allyn Vision Express Holter Analysis System

Welch Allyn Hscribe Holter Analysis System Firmware

Welch Allyn Q Stress Cardiac Stress Testing System Firmware

Welch Allyn Xscribe Cardiac Stress Testing System Firmware

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Baxter Welch Allyn Connex Cardio	From 1.0.0 to 1.1.1
Baxter Welch Allyn Diagnostic Cardiology Suite	Version 2.1.0
Baxter Welch Allyn Rscribe Resting Ecg System	From 5.01 to 7.0.0
Baxter Welch Allyn Vision Express Holter Analysis System	From 6.1.0 to 6.4.0

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Baxter Welch Allyn Hscribe Holter Analysis System Firmware	From 5.01 to 6.4.0

Running on/with	Platform Versions
Baxter Welch Allyn Hscribe Holter Analysis System	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Baxter Welch Allyn Q Stress Cardiac Stress Testing System Firmware	From 6.0.0 to 6.3.1

Running on/with	Platform Versions
Baxter Welch Allyn Q Stress Cardiac Stress Testing System	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Baxter Welch Allyn Xscribe Cardiac Stress Testing System Firmware	From 5.01 to 6.3.1

Running on/with	Platform Versions
Baxter Welch Allyn Xscribe Cardiac Stress Testing System	All versions

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-288

Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

References (2)

https://www.cisa.gov/uscert/ics/advisories/icsma-21-343-01

Source: ics-cert@hq.dhs.gov

MitigationThird Party AdvisoryUS Government Resource

https://www.cisa.gov/uscert/ics/advisories/icsma-21-343-01

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationThird Party AdvisoryUS Government Resource

Timeline

No history available yet.