
CVE-2021-23207

2022-01-21 19:15:08
CWE-256
CWE-522
icscert
web.nvd.nist.gov
cve-2021-23207
security
secrets extraction
jwt tokens
impersonation
rabbitmq
fresenius kabi vigilant mastermed
vulnerability
nvd

CVSS2: 2.1
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 6.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

AI Score: 5.3
Confidence: High
EPSS: 0
Percentile: 10.4%

An attacker with physical access to the host can extract the secrets from the registry and create valid JWT tokens for the Fresenius Kabi Vigilant MasterMed version 2.0.1.3 application and impersonate arbitrary users. An attacker could manipulate RabbitMQ queues and messages by impersonating users.

Affected configurations

NVD

Node
  fresenius-kabi agilia_connect Range ≀d25
  AND
  fresenius-kabi agilia_connect Match -
Node
  fresenius-kabi agilia_partner_maintenance_software Range ≀3.3.0
  OR
  fresenius-kabi vigilant_centerium Match 1.0
  OR
  fresenius-kabi vigilant_insight Match 1.0
  OR
  fresenius-kabi vigilant_mastermed Match 1.0
Node
  fresenius-kabi link\+_agilia_firmware Range <3.0
  OR
  fresenius-kabi link\+_agilia_firmware Match 3.0:-
  OR
  fresenius-kabi link\+_agilia_firmware Match 3.0:d15
  AND
  fresenius-kabi link\+_agilia Match -

Vendor | Product | Version | CPE
fresenius-kabi | agilia_connect | * | cpe:2.3:o:fresenius-kabi:agilia_connect:*:*:*:*:*:*:*:*
fresenius-kabi | agilia_connect | - | cpe:2.3:h:fresenius-kabi:agilia_connect:-:*:*:*:*:*:*:*
fresenius-kabi | agilia_partner_maintenance_software | * | cpe:2.3:a:fresenius-kabi:agilia_partner_maintenance_software:*:*:*:*:*:*:*:*
fresenius-kabi | vigilant_centerium | 1.0 | cpe:2.3:a:fresenius-kabi:vigilant_centerium:1.0:*:*:*:*:*:*:*
fresenius-kabi | vigilant_insight | 1.0 | cpe:2.3:a:fresenius-kabi:vigilant_insight:1.0:*:*:*:*:*:*:*
fresenius-kabi | vigilant_mastermed | 1.0 | cpe:2.3:a:fresenius-kabi:vigilant_mastermed:1.0:*:*:*:*:*:*:*
fresenius-kabi | link\+_agilia_firmware | * | cpe:2.3:o:fresenius-kabi:link\+_agilia_firmware:*:*:*:*:*:*:*:*
fresenius-kabi | link\+_agilia_firmware | 3.0 | cpe:2.3:o:fresenius-kabi:link\+_agilia_firmware:3.0:-:*:*:*:*:*:*
fresenius-kabi | link\+_agilia_firmware | 3.0 | cpe:2.3:o:fresenius-kabi:link\+_agilia_firmware:3.0:d15:*:*:*:*:*:*
fresenius-kabi | link\+_agilia | - | cpe:2.3:h:fresenius-kabi:link\+_agilia:-:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Vigilant Software Suite (Mastermed Dashboard)",
    "vendor": "Fresenius Kabi",
    "versions": [
      {
        "lessThan": "2.0.1.3",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Agilia Partner",
    "vendor": "Fresenius Kabi",
    "versions": [
      {
        "lessThan": "3.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

