CVE-2021-33846 affects Fresenius Kabi's Vigilant Software Suite: the Mastermed Dashboard issues JWTs signed with a symmetric key, so anyone who holds that key can impersonate users. This page covers the impact, the affected versions, the mitigation steps, and the fixed releases.
Fresenius Kabi Agilia Connect Infusion System in Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 is affected by a vulnerability that allows attackers to impersonate users: the dashboard's authentication tokens (JWTs) are signed with a symmetric key, so the same key that verifies a token can also create one.
Understanding CVE-2021-33846
This CVE is a cryptographic design issue in the Fresenius Kabi Agilia Connect Infusion System: the Vigilant Software Suite (Mastermed Dashboard) signs its authentication tokens with a symmetric key rather than an asymmetric signature, so possession of the verification key is enough to forge tokens.
What is CVE-2021-33846?
In Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3, an attacker who holds the token signing key can generate valid JWTs for arbitrary users and impersonate them. The root cause is that the dashboard signs its tokens with a symmetric key; there is no issuer-only signing secret separate from the key used to verify tokens.
The Impact of CVE-2021-33846
The CVE has a CVSS v3 base score of 5.9 (medium). Confidentiality and integrity impact are high, since a forged token grants the impersonated user's access; availability impact is none. Attack complexity is rated high: exploitation depends on first obtaining the signing key.
Technical Details of CVE-2021-33846
This section details the token-forgery flaw in the Agilia Connect Infusion System's Vigilant Software Suite (Mastermed Dashboard).
Vulnerability Description
The dashboard signs its authentication tokens (JWTs) with a symmetric key. In a symmetric scheme such as HMAC-based JWT signing, the key that verifies a token is identical to the key that creates one, so every component that validates tokens necessarily holds a key that can also mint them. An attacker who recovers that key can create JWTs with any claims, and the dashboard accepts them as genuine.
Affected Systems and Versions
The CVE names Fresenius Kabi's Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3. Earlier releases of the dashboard should be treated as affected as well; the fix is only available in the updated versions listed under Patching and Updates.
Exploitation Mechanism
An attacker who has obtained the shared signing key, whether extracted from a component that verifies tokens or by other means, can sign a JWT naming any user and present it to the dashboard, which cannot distinguish it from a token it issued itself. No password or session of the impersonated user is required. The practical check is simple: if the key that verifies tokens can also sign them, every holder of the verification key is a potential issuer.
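To make the design flaw concrete, here is an added example in Go (not code from Fresenius Kabi, from CISA, or from this page): a minimal JWT issuer and verifier. The HS256 path shows the class of weakness CVE-2021-33846 describes: the verifier's key is the signing key, so a token minted with the verifier's own copy of the secret is accepted. The EdDSA path shows the asymmetric alternative, where verifiers hold only a public key and cannot produce signatures. All claim names, keys and the shared secret are constructed for the demo; the dashboard's real token format, claims, key sizes and algorithms are not published on this page and are not assumed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var enc = base64.RawURLEncoding

// mint builds base64url(header).base64url(payload) and appends sign() over it.
func mint(alg string, claims map[string]string, sign func(string) []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	pl, _ := json.Marshal(claims) // a map of strings cannot fail to marshal
	in := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	return in + "." + enc.EncodeToString(sign(in))
}

func hmacSum(secret []byte, in string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(in))
	return mac.Sum(nil)
}

// MintHS256: the signing key is the shared secret; every verifier holds the same bytes, so every verifier can mint.
func MintHS256(secret []byte, claims map[string]string) string {
	return mint("HS256", claims, func(in string) []byte { return hmacSum(secret, in) })
}

// MintEdDSA: only the issuer holds the Ed25519 private key.
func MintEdDSA(priv ed25519.PrivateKey, claims map[string]string) string {
	return mint("EdDSA", claims, func(in string) []byte { return ed25519.Sign(priv, []byte(in)) })
}

// decodeJSON base64url-decodes one token segment and unmarshals it into v.
func decodeJSON(seg string, v any) error {
	raw, err := enc.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// verify splits a compact JWS, pins the expected alg (the header's own alg is never trusted), checks the signature with ok(), then returns claims.
func verify(tok, wantAlg string, ok func(in string, sig []byte) bool) (map[string]string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != wantAlg {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !ok(parts[0]+"."+parts[1], sig) {
		return nil, errors.New("bad signature")
	}
	var claims map[string]string
	if err := decodeJSON(parts[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// VerifyHS256 accepts any token carrying a valid HMAC under the shared secret, whoever produced it.
func VerifyHS256(secret []byte, tok string) (map[string]string, error) {
	return verify(tok, "HS256", func(in string, sig []byte) bool {
		return hmac.Equal(hmacSum(secret, in), sig) // constant-time compare
	})
}

// VerifyEdDSA needs only the public key, which cannot produce signatures.
func VerifyEdDSA(pub ed25519.PublicKey, tok string) (map[string]string, error) {
	return verify(tok, "EdDSA", func(in string, sig []byte) bool {
		return ed25519.Verify(pub, []byte(in), sig)
	})
}

func main() {
	secret := []byte("constructed-shared-secret") // held by the issuer AND every verifier
	forged := MintHS256(secret, map[string]string{"sub": "attacker", "role": "admin"})
	c, err := VerifyHS256(secret, forged)
	fmt.Println("HS256: token minted with the verifier's own key accepted:", err == nil, c)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key pair
	_, err = VerifyEdDSA(pub, MintEdDSA(priv, map[string]string{"sub": "nurse01", "role": "user"}))
	fmt.Println("EdDSA: issuer-signed token accepted:", err == nil)
	_, err = VerifyEdDSA(pub, MintEdDSA(rogue, map[string]string{"sub": "attacker", "role": "admin"}))
	fmt.Println("EdDSA: attacker-signed token rejected:", err != nil)
	_, err = VerifyEdDSA(pub, forged) // alg pinning refuses the HS256 header outright
	fmt.Println("EdDSA: HS256 token rejected:", err != nil)
}
```

Two details of the verifier are worth noting. It pins the algorithm it expects instead of reading it from the token header, so an HS256 token cannot be replayed against a verifier that expects EdDSA and an "alg":"none" token is refused; and it compares the HMAC in constant time. Neither check addresses CVE-2021-33846 itself: the fix for that class of flaw is the key separation the EdDSA path shows, where the verifier's key is useless for forging.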
Mitigation and Prevention
Steps to address and prevent exploitation of CVE-2021-33846.
Immediate Steps to Take
Until updated software is in place, users should follow the CISA recommendations for this advisory: minimize network exposure for all control system devices and ensure they are not reachable from the Internet, place them behind firewalls and isolate them from the business network, and, when remote access is required, use secure methods such as VPNs, keeping in mind that a VPN is only as secure as the devices it connects and must itself be kept up to date. These controls limit who can reach the dashboard; they do not stop a forged token once the attacker can reach it.
Long-Term Security Practices
Fresenius Kabi released new versions that address the vulnerabilities disclosed with this advisory. The durable fix is to run the updated software rather than rely on network controls alone: update to the latest versions and contact Fresenius Kabi for assistance with the upgrade.
Patching and Updates
The fixed releases named by the vendor are Link+ v3.0, VSS v1.0.3, the Agilia Connect Pumps Wifi Module, and Agilia Connect Partner v3.3.2. Early Link+ devices may require hardware changes, so check the hardware revision before planning the rollout.