1 Executive Summary
- CVSS v3: 9.8
- ATTENTION: Exploitable remotely via the internal network, high skill level needed to exploit, patient safety is not affected
- Vendor: B. Braun Melsungen AG
- Equipment: OnlineSuite
- Vulnerabilities: Buffer Access with Incorrect Length Value, Improper Input Validation, Improper Verification of Cryptographic Signature, Origin Validation Error, Inadequate Encryption Strength, Improper Resource Shutdown or Release
2 Risk Evaluation
Vulnerabilities were found in third-party software delivered with the OnlineSuite. Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data, and prevent normal operation of third-party software dependent on CodeMeter.
Note that all listed vulnerabilities are in the server-side software, which is separate from the infusion pumps, and affect only the third-party software. The safety of patients or users is not affected by these vulnerabilities.
3 Technical Details
3.1 Affected Products
The following versions of B. Braun products are affected:
- OnlineSuite AP 2.1.2, 3.0
3.2 Vulnerability Overview
3.2.1 Buffer Access with Incorrect Length Value (CVE-2020-14509)
Multiple memory corruption vulnerabilities exist where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.
3.2.2 Improper Input Validation (CVE-2020-14513)
CVE-2020-14513: CodeMeter and the software using it may crash while processing a specifically crafted license file due to unverified length fields. This can lead to a denial of service of the OnlineSuite.
3.2.3 Improper Verification of Cryptographic Signature (CVE-2020-14515)
CVE-2020-14515: There is an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files.
3.2.4 Origin Validation Error (CVE-2020-14519)
CVE-2020-14519: This vulnerability allows an attacker to use the internal WebSockets API via a specifically crafted JavaScript payload, which may allow alteration or creation of license files when combined with CVE-2020-14515.
3.2.5 Inadequate Encryption Strength (CVE-2020-14517)
CVE-2020-14517: Protocol encryption can be easily broken, and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.
3.2.6 Improper Resource Shutdown or Release (CVE-2020-16233)
CVE-2020-16233: An attacker could send a specially crafted packet that could have the server send back packets containing data from the heap.
ICSA-20-203-01, covering CVE-2020-14509, CVE-2020-14517, CVE-2020-14519, CVE-2020-14513, CVE-2020-14515 and CVE-2020-16233, was published on this matter. The maximum CVSS v3 base score is 9.8; the CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
- Critical Infrastructure Sectors: Healthcare and Public Health
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Germany
4 Mitigations
B. Braun recommends applying updates:
- OnlineSuite Field Service Information AIS01/21
As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:
- Ensure the medical devices are not accessible directly from the internet!
- Use a firewall and isolate the medical devices from the business network.
Further information concerning the issues can be found at https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01
The B. Braun advisory is available at bbraun.com/productsecurity. Please contact your local B. Braun organization to request further help.
5 Contact Information
If you have any additional information regarding the security of our products, please contact your local B. Braun representative or directly firstname.lastname@example.org.
If you are a B. Braun customer and need support in mitigating the above-mentioned vulnerabilities, contact your local B. Braun representative.