FDA, CISA Warn of Fresenius Kabi Infusion Pump Flaws

A Dozen Vulnerabilities Identified in Components of Agilia Connect Infusion System
U.S. authorities are warning healthcare entities of security flaws in certain Fresenius Kabi Agilia Connect Infusion Systems.

U.S. government authorities have issued an advisory warning about remotely exploitable security vulnerabilities in certain Fresenius Kabi infusion pump systems that could allow an attacker to gain access to sensitive information, modify settings, or perform arbitrary actions as an authenticated user.

The Food and Drug Administration on Wednesday issued an alert advising that the Cybersecurity and Infrastructure Security Agency is warning that a dozen vulnerabilities identified in certain components of Germany-based medical device manufacturer Fresenius Kabi's Agilia Connect Infusion System pose a variety of security risks.

"Successful remote exploitation of these vulnerabilities could allow an attacker to gain access to sensitive information, modify settings, or perform arbitrary actions as an unauthorized user," CISA says in its advisory.

The vulnerabilities, which have a low attack complexity, were identified by independent researchers who initially reported the flaws to the German Federal Office for Information Security, CISA notes.

The affected product components of the Agilia Connect Infusion System include:

  • Agilia Connect WiFi module of the pumps vD25 and prior;
  • Agilia Link+ v3.0 D15 and prior;
  • Vigilant Software Suite v1.0, including Vigilant Centerium, Vigilant MasterMed and Vigilant Insight;
  • Agilia Partner maintenance software v3.3.0 and prior.

CISA's alert notes that the affected products are used worldwide. A Fresenius Kabi spokesman tells Information Security Media Group that the Agilia Connect is not currently sold in the U.S. but Fresenius Kabi plans to seek FDA approval for it in the future.

Vulnerability Details

CISA says the vulnerabilities include:

  • Uncontrolled resource consumption;
  • Use of a broken or risky cryptographic algorithm;
  • Insufficiently protected credentials;
  • Improper access control;
  • Plain text storage of a password;
  • Files or directories accessible to external parties;
  • Exposure of information through directory listing;
  • Cross-site scripting;
  • Injection;
  • Use of hard-coded credentials;
  • Use of client-side authentication;
  • Use of unmaintained third-party components.

Collectively, the vulnerabilities are assigned a CVSS v3 base score of 7.5, CISA says.

Mitigation Actions

Fresenius Kabi in its statement to ISMG says the company communicated with customers in April 2021 regarding the vulnerabilities and "these issues have been identified and solved through software upgrades."

Fresenius Kabi also identified approximately 1,200 Link+ infusion pump devices that would need hardware changes, the FDA says. Until replacements can be made in customers' installations, the company recommends that users rely on CISA's recommendations for temporary alternatives.

CISA recommends that users of the affected products take several mitigation steps. They include:

  • Minimizing network exposure for all control system devices and/or systems;
  • Ensuring they are not accessible from the internet;
  • Locating control system networks and remote devices behind firewalls;
  • Isolating them from the business network.

Also, when remote access is required, CISA recommends entities use secure methods, such as virtual private networks, and recognize that "VPNs may have vulnerabilities and should be updated to the most current version available."

Finally, CISA recommends organizations perform proper impact analysis and risk assessment prior to deploying defensive measures.

Healthcare delivery organizations are advised to follow these recommendations "to avoid cybersecurity risks that could affect the safety and essential performance of the Fresenius Kabi Agilia Connect Infusion System," the FDA says.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



