Wednesday, February 24, 2021
B. Braun ensures high security standards throughout the product life cycle by using globally accepted standard test and verification methods. We have established processes to monitor the latest vulnerabilities, threats, or risks and will proactively implement measures as required.
Vulnerabilities were found in a 3rd-party software delivered with the OnlineSuite. Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data, and prevent normal operation of third-party software dependent on the CodeMeter.
Note that all listed vulnerabilities are in the server-side software, which is separated from the infusion pumps, and affect only the 3rd-party software. The safety of patients or users is not affected by these vulnerabilities.
The following versions of B. Braun products are affected:
Multiple memory corruption vulnerabilities exist where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.
CVE-2020-14513: CodeMeter and the software using it may crash while processing a specifically crafted license file due to unverified length fields. This can lead to denial of service of the OnlineSuite.
CVE-2020-14515: There is an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files.
CVE-2020-14519: This vulnerability allows an attacker to use the internal WebSockets API via a specifically crafted JavaScript payload, which may allow alteration or creation of license files when combined with CVE-2020-14515.
CVE-2020-14517: Protocol encryption can be easily broken, and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.
CVE-2020-16233: An attacker could send a specially crafted packet that causes the server to send back packets containing data from the heap.
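The bug class behind CVE-2020-14513 and CVE-2020-16233 is a packet parser that trusts a length field. The following is an added example, not B. Braun's or the CodeMeter vendor's code: it assumes a hypothetical 2-byte big-endian length-prefixed packet format (not the real CodeMeter format) and shows the two checks such a parser needs before copying a payload.

```c
/* Added example with an assumed packet format: 2-byte big-endian payload
 * length followed by the payload. It is not the CodeMeter wire format. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_PAYLOAD 64

/* Copies the payload into out and returns its length, or -1 for a
 * malformed packet. Without the two length checks, a declared length
 * larger than the bytes received makes memcpy read past the packet
 * buffer (heap over-read; that data can then be echoed back to the
 * sender), and a declared length larger than out overflows it
 * (crash or memory corruption). */
int parse_packet(const uint8_t *pkt, size_t received,
                 uint8_t *out, size_t out_cap)
{
    if (pkt == NULL || out == NULL || received < 2)
        return -1;                      /* header incomplete */
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > received - 2)
        return -1;                      /* length exceeds bytes on the wire */
    if (declared > out_cap)
        return -1;                      /* length exceeds destination buffer */
    memcpy(out, pkt + 2, declared);
    return (int)declared;
}

/* Constructed sample packets for a stand-alone run. */
int demo_well_formed(void)
{
    const uint8_t good[] = {0x00, 0x03, 'a', 'b', 'c'};
    uint8_t out[MAX_PAYLOAD];
    return parse_packet(good, sizeof good, out, sizeof out);  /* 3 */
}

int demo_overstated_length(void)
{
    /* Declares 1000 payload bytes but only 3 follow: rejected. */
    const uint8_t bad[] = {0x03, 0xE8, 'a', 'b', 'c'};
    uint8_t out[MAX_PAYLOAD];
    return parse_packet(bad, sizeof bad, out, sizeof out);    /* -1 */
}

int demo_destination_too_small(void)
{
    /* Length is consistent with the packet but larger than out: rejected. */
    const uint8_t pkt[] = {0x00, 0x03, 'a', 'b', 'c'};
    uint8_t out[2];
    return parse_packet(pkt, sizeof pkt, out, sizeof out);    /* -1 */
}
```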
ICSA-20-203-01, covering CVE-2020-14509, CVE-2020-14517, CVE-2020-14519, CVE-2020-14513, CVE-2020-14515 and CVE-2020-16233, was published on this matter. The maximum CVSS v3 base score is 9.8; the CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
B. Braun recommends applying updates:
As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:
Further information concerning the issues can be found at https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01
The B. Braun advisory is available at bbraun.com/productsecurity. Please contact your local B. Braun organization to request further help.
If you have any additional information regarding the security of our products, please contact your local B. Braun representative or write directly to email@example.com.
If you are a B. Braun customer and need support in mitigating the abovementioned vulnerabilities, contact your local B. Braun representative.