CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score Confidence: Low
EPSS Percentile: 68.4%
This updated advisory is a follow-up to the original advisory titled ICSMA-21-355-01 Fresenius Kabi Agilia Connect Infusion System that was published December 21, 2021, to the ICS webpage on www.cisa.gov/uscert.
--------- Begin Update A Part 1 of 1 ---------
Successful exploitation of these vulnerabilities in system accessories could allow an attacker to gain access to sensitive information, modify settings or parameters, or perform arbitrary actions as an authenticated user.
According to Fresenius Kabi, the Agilia infusion pump alarm is not impacted by the vulnerabilities described in this advisory. Fresenius Kabi maintains the infusion parameters are preserved, current infusion is not interrupted, and no unacceptable patient risk is identified. Fresenius Kabi also maintains there is no risk of exposure of personally identifiable information (PII) or protected health information (PHI).
--------- End Update A Part 1 of 1 ---------
The following accessories of the Agilia Connect Infusion System are affected:
Requests may be used to interrupt the normal operation of the device. When exploited, Agilia Link+ must be rebooted via a hard reset triggered by pressing a button on the rack system.
CVE-2021-23236 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The SSL/TLS configuration of Agilia Link+ has serious deficiencies that may allow an attacker to compromise SSL/TLS sessions in different ways. An attacker may be able to eavesdrop on transferred data, manipulate data allegedly secured by SSL/TLS, and impersonate an entity to gain access to sensitive information.
CVE-2021-31562 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
The Agilia Link+ management interface does not enforce transport layer encryption. Therefore, transmitted data may be sent in cleartext. Transport layer encryption is offered on Port TCP/443, but the affected service does not perform an automated redirect from the unencrypted service on Port TCP/80 to the encrypted service.
CVE-2021-41835 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
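As an added check that is not part of the advisory, the following Python classifies what a management interface's cleartext service on TCP/80 answers and reports whether it redirects clients to the encrypted service, which is the behaviour the affected service lacks. The host name is a constructed placeholder, not a value from the advisory.

```python
import http.client
from urllib.parse import urlsplit

# Constructed placeholder for illustration only; substitute the address of the
# interface you are verifying (assumption, not a value from the advisory).
EXAMPLE_HOST = "link-plus.example.internal"

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def redirects_to_https(status, headers, host):
    """Return True only if a plain-HTTP response is a redirect to an https://
    URL on the same host. Any other answer (a 200 page, a relative Location,
    a redirect that stays on http://) means cleartext is still being served."""
    if status not in REDIRECT_STATUSES:
        return False
    location = ""
    for name, value in headers:
        if name.lower() == "location":
            location = value.strip()
            break
    parts = urlsplit(location)
    # A relative Location such as "/login" keeps the client on port 80.
    return parts.scheme.lower() == "https" and parts.hostname == host.lower()


def check_host(host, timeout=5):
    """Probe TCP/80 of your own deployment once and classify the response
    with redirects_to_https (needs network access; not exercised offline)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return redirects_to_https(resp.status, resp.getheaders(), host)
    finally:
        conn.close()
```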
The web application on Agilia Link+ implements authentication and session management mechanisms exclusively on the client-side and does not protect authentication attributes sufficiently.
CVE-2021-23196 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Sensitive endpoints can be accessed without any authentication information such as the session cookie. An attacker can send requests to sensitive endpoints as an unauthenticated user to perform critical actions on Agilia Link+ or modify critical configuration parameters.
CVE-2021-23233 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
An attacker with physical access to the host can extract the secrets from the registry and create valid JWT tokens for the Fresenius Kabi Vigilant MasterMed application and impersonate arbitrary users. An attacker could manipulate RabbitMQ queues and messages by impersonating users.
CVE-2021-23207 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
Agilia SP MC WiFi has a default configuration page accessible without authentication. An attacker may use this functionality to change the exposed configuration values such as network settings.
CVE-2021-33843 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Vigilant API has automated indexing (directory listing) enabled. When a directory is requested and no index file exists, the web server returns the directory's entire content as an HTML listing, allowing an attacker to identify and access files on the server.
CVE-2021-23195 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Vigilant Centerium Dashboard is vulnerable to reflected cross-site scripting attacks. An attacker could inject JavaScript in a GET parameter of HTTP requests and perform unauthorized actions such as stealing internal information and performing actions in context of an authenticated user.
CVE-2021-33848 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).
The Vigilant MasterMed application contains service credentials likely to be common across all instances. An attacker in possession of the password may gain privileges on all installations of this software.
CVE-2021-44464 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The Vigilant MasterMed application issues authentication tokens to authenticated users that are signed with a symmetric encryption key. An attacker in possession of the key can issue valid JWTs and impersonate arbitrary users.
CVE-2021-33846 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N).
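The following Python, added here as an illustration rather than code from Fresenius Kabi or the advisory, shows the property behind this finding: with HS256 the verifier's key is also the issuing key, so any party that obtains it produces tokens the server accepts as genuine. It also shows the server-side checks a verifier must perform (algorithm pinning, constant-time MAC comparison, expiry). The key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample secret for the demonstration (not a real key).
EXAMPLE_KEY = b"constructed-demo-secret"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims, key):
    """Issue a token the way an HS256 issuer does. Any holder of `key` gets the
    same result, which is why a shared symmetric key cannot bound who may
    issue tokens: the verifier and every key holder are interchangeable."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token, key, now=None):
    """Server-side verification. Returns the claims, or None on any failure:
    the header must say exactly HS256 (so "none" and other algorithms are
    refused), the MAC is compared in constant time, and 'exp' is enforced."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
        current = time.time() if now is None else now
        if claims.get("exp") is not None and float(claims["exp"]) <= current:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None
```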
The Vigilant MasterMed application validates user input on the client side without the server verifying it. The server should not rely on the correctness of such data, because a user's browser might not support JavaScript, might block it, or the user might intentionally bypass the client-side checks. An attacker with knowledge of the service user could circumvent the client-side control and log in with service privileges.
CVE-2021-43355 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The affected system uses the ExpertPdf library and the lighttpd web server, both of which are out of date. Outdated software may contain vulnerabilities that are not publicly known but could be identified by an attacker through reverse engineering.
CVE-2020-35340 has been assigned to one of the publicly known vulnerabilities in ExpertPdf library. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Julian Suleder, Nils Emmerich, and Raphael Pavlidis of ERNW Research GmbH, and Dr. Oliver Matula (ERNW Enno Rey Netzwerke GmbH) reported these vulnerabilities to the German Federal Office for Information Security (BSI) in the context of the BSI ManiMed project.
Fresenius Kabi has created new versions to address these vulnerabilities:
Fresenius Kabi initiated communication with users on this topic in April 2021 to inform them of the availability of the new versions in the corresponding countries. Contact Fresenius Kabi online or by phone at 1-800-333-6925 for more update information.
Fresenius Kabi also identified that early Link+ devices (approximately 1,200 devices) would need a hardware change to support D16 or later firmware. Until those devices can be replaced in users' installations, Fresenius Kabi recommends that users rely on the CISA recommendations below.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploits specifically target these vulnerabilities.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35340
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23195
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23196
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23207
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23233
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23236
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31562
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33843
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33846
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33848
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41835
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43355
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44464
cwe.mitre.org/data/definitions/1104.html
cwe.mitre.org/data/definitions/256.html
cwe.mitre.org/data/definitions/284.html
cwe.mitre.org/data/definitions/327.html
cwe.mitre.org/data/definitions/400.html
cwe.mitre.org/data/definitions/522.html
cwe.mitre.org/data/definitions/548.html
cwe.mitre.org/data/definitions/552.html
cwe.mitre.org/data/definitions/603.html
cwe.mitre.org/data/definitions/79.html
cwe.mitre.org/data/definitions/798.html
www.cisa.gov/uscert/ics
www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
www.cisa.gov/uscert/ics/recommended-practices
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.cisa.gov/uscert/sites/default/files/publications/emailscams_0905.pdf
www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
www.fresenius-kabi.com/us/contact