1 Executive Summary
CVSS v3 8.6
ATTENTION: Exploitable remotely/low and high skill level to exploit. Patient safety is not affected!
Vendor: B. Braun Melsungen AG
Vulnerabilities: Relative Path Traversal, Uncontrolled Search Path Element, Improper Neutralization of Formula Elements in a CSV File.
2 Risk Evaluation
Successful exploitation of these vulnerabilities may allow an attacker to escalate privileges, download and upload arbitrary files, and perform remote code execution. B. Braun has received no reports of exploitation or incidents associated with these vulnerabilities.
Note that all listed vulnerabilities are in the server-side software that is separated from the infusion pumps! Safety of patients or users is not affected by these vulnerabilities.
3 Technical Details
3.1 Affected Products
The following versions of B. Braun products are affected:
OnlineSuite AP 3.0 and earlier
3.2 Vulnerability Overview
3.2.1 Relative Path Traversal (CWE-23)
A relative path traversal attack in the B. Braun OnlineSuite version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files.
CVE-2020-25172 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L).
3.2.2 Uncontrolled Search Path Element (CWE-427)
A DLL hijacking vulnerability in the B. Braun OnlineSuite version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user.
CVE-2020-25174 has been assigned to this vulnerability. A CVSS v3 base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.3 Improper Neutralization of Formula Elements in a CSV File (CWE-1236)
An Excel Macro Injection vulnerability exists in the export feature in the B. Braun Melsungen AG OnlineSuite version AP 3.0 and earlier via multiple operator-controlled input fields that are mishandled in an Excel export.
CVE-2020-25170 has been assigned to this vulnerability. A CVSS v3 base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N).
Critical Infrastructure Sectors: Healthcare and Public Health
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany
Julian Suleder (ERNW Research GmbH), Nils Emmerich (ERNW Research GmbH), Birk Kauer (ERNW Research GmbH), and Dr. Oliver Matula (ERNW Enno Rey Netzwerke GmbH) reported these vulnerabilities to B. Braun via the German Federal Office for Information Security (BSI).
B. Braun recommends applying updates:
OnlineSuite Field Service Information AIS06/20
As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:
Ensure the medical devices are not accessible directly from the internet!
Use a firewall and isolate the medical devices from the business network.
The B. Braun advisory is available at bbraun.com/productsecurity. Please contact your local B. Braun organization to request further help.
This advisory was created in cooperation with authorities and organizations and will also be published through the CISA as ICSMA-20-296-01.
5 Contact information
If you have any additional information regarding the security of our products, please contact your local B. Braun representative or directly firstname.lastname@example.org
If you are a B. Braun customer and need support in mitigating the abovementioned vulnerabilities, contact your local B. Braun representative