CISA Warns of 13 Vulnerabilities in Fresenius Kabi Infusion Systems

December 27, 2021 - The Cybersecurity & Infrastructure Security Agency (CISA) released an advisory regarding 13 newly discovered vulnerabilities in Fresenius Kabi Agilia Connect Infusion Systems that could pose risks to patient safety and security.

If successfully exploited, threat actors could gain access to sensitive information, modify infusion pump settings, or perform arbitrary actions while disguised as an authenticated user.

The vulnerabilities are exploitable remotely and have a low attack complexity. However, no incidents relating to these vulnerabilities have been reported at this time.

The vulnerabilities specifically impact the Agilia Connect WiFi module of the pumps vD25 and prior, Agilia Link+ v3.0 D15 and prior, the Vigilant Software Suite v1.0: Vigilant Centerium, Vigilant MasterMed and Vigilant Insight, and the Agilia Partner maintenance software v3.3.0 and prior.

Researchers initially reported these vulnerabilities to the German Federal Office for Information Security (BSI). They discovered that the systems contained serious vulnerabilities such as uncontrolled resource consumption, insufficiently protected credentials, and improper access controls.

In addition, researchers found that the SSL/TLS configuration of Agilia Link+ has deficiencies that may allow a hacker to eavesdrop on transferred data, impersonate an entity to gain access to information, or manipulate data.

Another vulnerability involves plaintext storage of a password, which means that an attacker with physical access to the hosts “can extract the secrets from the registry and create valid JWT tokens for the Fresenius Kabi Vigilant MasterMed application and impersonate arbitrary users. An attacker could manipulate RabbitMQ queues and messages by impersonating users,” the advisory stated.

Other vulnerabilities include use of a broken or risky cryptographic algorithm plaintext storage of a password, exposure of information through directory listing, use of hard-coded credentials, improper neutralization of input during web page generation, and files or directories accessible to external parties.

Fresenius Kabi created new iterations to address these vulnerabilities and identified that around 1,200 early Link+ devices would need hardware changes in order to mitigate risk.

CISA recommended that users minimize network exposure for all control system devices, locate and isolate control system networks, and use VPNs when remote access is required. CISA also suggested that organizations perform impact analysis and risk assessments prior to deploying any defensive measures.

Earlier in the year, McAfee researchers warned healthcare organizations of vulnerabilities in two types of B. Braun infusion pumps that could allow hackers to deliver double doses of medications remotely, posing serious risks to patient safety.

While no incidents like this have been reported, the vulnerabilities point to gaps in medical device security that must be addressed.

Threat sharing and collaboration are key to maintaining medical device security and mitigating risk while focusing on providing quality patient care.

“When the industry bands together, you can learn about strategies that some of the institutions that are better funded have achieved,” Elizabeth Butwin Mann, Americas Life Sciences and Health Cybersecurity Leader at EY, previously told HealthITSecurity.

“At the end of the day, there's competition and commercial concerns, but the reality is that patient safety is at the center of it.”