CVE-2022-45611
📋 TL;DR
CVE-2022-45611 is an authentication bypass vulnerability in Fresenius Kabi PharmaHelp 5.1.759.0 that allows attackers to capture user login credentials and gain escalated privileges. This affects healthcare organizations using this specific version of the PharmaHelp compounding software. Attackers could potentially access sensitive medical systems and data.
💻 Affected Systems
- Fresenius Kabi PharmaHelp Compounder
📦 What is this software?
Pharmahelp Firmware by Fresenius Kabi
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of medical compounding systems leading to medication errors, patient safety risks, and unauthorized access to protected health information (PHI).
Likely Case
Unauthorized access to the PharmaHelp system allowing manipulation of medication compounding data and theft of sensitive information.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and monitoring in place.
🎯 Exploit Status
Exploitation requires capturing user login information, suggesting credential theft or interception techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version provided by Fresenius Kabi (specific version not publicly documented)
Vendor Advisory: https://www.fresenius.com/sites/default/files/2023-11/Fresenius%20-%20CVE-2022-45611.pdf
Restart Required: Yes
Instructions:
1. Contact Fresenius Kabi support for the security update.
2. Apply the provided patch following vendor instructions.
3. Restart the PharmaHelp application and verify functionality.
🔧 Temporary Workarounds
Network Segmentation
Isolate PharmaHelp systems from general network access and restrict to necessary pharmacy systems only.
Enhanced Authentication Controls
Implement multi-factor authentication and monitor for unusual login patterns.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access PharmaHelp systems
- Enable detailed logging and monitoring of all authentication attempts and user activities
🔍 How to Verify
Check if Vulnerable:
Check PharmaHelp version in application settings or About dialog - if version is 5.1.759.0, system is vulnerable.
Check Version:
Check within PharmaHelp application interface under Help > About or similar menu
Verify Fix Applied:
Verify version has been updated from 5.1.759.0 and confirm with Fresenius Kabi that the patch has been applied.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login from unusual locations
- User accounts accessing systems at unusual times
- Authentication logs showing credential capture patterns
Network Indicators:
- Unusual network traffic to/from PharmaHelp systems
- Credential harvesting attempts on network segments containing PharmaHelp
SIEM Query:
source="pharmahelp" AND (event_type="authentication" AND (result="failure" count>5 within 5min) OR (user_location changed suddenly))
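The rule sketched in the SIEM query above, written out as an added example (not part of the original page and not vendor material): it flags more than 5 failed logins for one user within 5 minutes, and a successful login from a location not previously seen for that user. The event fields, host names and sample records are constructed assumptions; the real PharmaHelp log format is not given on this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, result, location).
# Field names and values are assumptions, not real PharmaHelp log output.
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:00", "alice", "success", "pharmacy-ws-01"),
    ("2024-01-10T08:05:00", "bob", "success", "pharmacy-ws-02"),
    ("2024-01-10T09:00:00", "bob", "failure", "pharmacy-ws-02"),
    ("2024-01-10T09:01:00", "bob", "failure", "pharmacy-ws-02"),
    ("2024-01-10T09:02:00", "bob", "success", "pharmacy-ws-02"),
    ("2024-01-11T02:10:00", "alice", "failure", "unknown-host-7"),
    ("2024-01-11T02:10:30", "alice", "failure", "unknown-host-7"),
    ("2024-01-11T02:11:00", "alice", "failure", "unknown-host-7"),
    ("2024-01-11T02:11:30", "alice", "failure", "unknown-host-7"),
    ("2024-01-11T02:12:00", "alice", "failure", "unknown-host-7"),
    ("2024-01-11T02:12:30", "alice", "failure", "unknown-host-7"),
    ("2024-01-11T02:13:00", "alice", "success", "unknown-host-7"),
]

def detect(events, window=timedelta(minutes=5), threshold=5):
    """Return alerts as (timestamp, user, kind) tuples in time order."""
    failures = defaultdict(deque)        # user -> failure times inside the window
    known_locations = defaultdict(set)   # user -> locations of earlier successes
    alerts = []
    for ts_str, user, result, location in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        recent = failures[user]
        while recent and ts - recent[0] > window:
            recent.popleft()             # drop failures older than the window
        if result == "failure":
            recent.append(ts)
            if len(recent) == threshold + 1:   # fires once when the count passes 5
                alerts.append((ts_str, user, "failure_burst"))
        elif result == "success":
            seen = known_locations[user]
            if seen and location not in seen:
                kind = "new_location_after_failures" if recent else "new_location"
                alerts.append((ts_str, user, kind))
            seen.add(location)
            recent.clear()               # a success ends the current failure run
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first success recorded for a user only sets the location baseline, so the rule needs a period of normal activity before the location check produces alerts.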
🔗 References
- https://www.fresenius-kabi.com/de-at/produkte/pharmahelp-compounder
- https://www.fresenius.com/sites/default/files/2023-11/Fresenius%20-%20CVE-2022-45611.pdf
- https://www.fresenius.com/sites/default/files/2023-12/Fresenius%20-%20CVE-2022-45611.pdf