B. Braun Vulnerability Disclosure statement    

Product Quick Finder

Choose a category or subcategory

Security Advisory 

B. Braun Product Security Advisories contains of product-specific vulnerability updates and security-related information. Our advisories will list all known vulnerabilities for each product, the status and all recommendation customer actions such as fixes or patches or other mitigation strategies.

Revised advisories are posted regularly with the latest available information.

Manufacturer Disclosure Statement for Medical Device Security

B. Braun supplies our customers with information to help assess and address the vulnerabilities and risks associated with products that maintain or transmit ePHi.

 

 

Security Advisories

Vulnerability Advisory

1       Executive Summary

  • CVSS v3:  9.7
  • ATTENTION: Exploitable remotely/ high skill level to exploit
  • Vendor: B. Braun Melsungen AG
  • Equipment: Perfusor® Space, Infusomat® Space, Infusomat® Space P, SpaceCom, Battery Pack SP with WiFi; Perfusor® compactplus, Infusomat® compactplus, Infusomat® P compactplus, Data module compactplus
  • Vulnerabilities: Insufficient Verification of Data Authenticity, Missing Authentication for Critical Function, Cleartext Transmission of Sensitive Information, Unrestricted Upload of File with Dangerous Type

2       Risk Evaluation

Successful exploitation of these vulnerabilities could allow a sophisticated attacker to compromise the security of the Space or compactplus communication devices, allowing an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution.

Under certain conditions, successful exploitation of these vulnerabilities could allow an attacker to change the configuration of a connected infusion pump Perfusor®, Infusomat®, Infusomat® P from both Space and compactplus family which may alter infusions after a successful attack.

These conditions include all of the following: (i) the pumps are connected to a network, (ii) the attacker has access to this network, (iii) the attacker targets the specific device with this specific attack, (iv) the infusion pump is not delivering a therapy (it is “Turned Off” or in “Standby Mode”).

Change of a running therapy is not possible.

B. Braun has received no reports of exploitation or incidents associated with these vulnerabilities in an actual use environment.

3       Technical Details

3.1     Affected Products

The following versions of B. Braun products are affected:

  • SpaceCom, software versions L81 and earlier
  • Battery pack with WiFi, software versions L81 and earlier
  • Data module compactplus, software versions A10 and A11
  • Other devices of B. Braun are not affected.

For devices marketed in the United States (software versions ‘U’), a separate advisory is available.

 

3.2     Vulnerability Overview

Note that the vulnerabilities identified rely on other vulnerabilities within Software versions L81/A11 (and earlier) which have been previously disclosed in October 2020.

3.2.1     CWE-345: Insufficient Verification of Data Authenticity

Insufficient verification of data authority may allow an attacker to upload specific files to the Com devices. Unrecognized files may reset the device to service mode. An upload cannot be done while a therapy is running. Only devices turned off or in standby mode maybe affected.

A CVSS v3.1 score of 9.7 has been calculated, the CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N /S:C/C:H/I:H/A:N/CR:H/IR:H/AR:M/MAV:A.

3.2.2     CWE-306: Missing Authentication for Critical Function: Network commands require no authentication

Missing authentication may allow an attacker to upload specific files to the Com devices. Unrecognized files may reset the device to service mode. An upload cannot be done while a therapy is running. A remote change of infusion rates is not possible. Only devices turned off or in standby mode maybe affected.

A CVSS v3.1 score of 8.2 has been calculated, the CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/ S:C/C:N/I:H/A:N/CR:H/IR:H/AR:M/MAV:A.

3.2.3     CWE-319: Cleartext Transmission of Sensitive Information: Network commands are sent in plaintext

Missing encryption may allow an attacker to record data in transmission. An attacker may also send specific network commands to upload files to the Com devices. Unrecognized files may reset the device to service mode. An upload cannot be done while a therapy is running. A remote change of infusion rates is not possible. Only devices turned off or in standby mode maybe affected. These issues do not affect the infusion pump at all.

A CVSS v3.1 score of 7.1 has been calculated, the CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/ S:U/C:N/I:H/A:N/CR:H/IR:H/AR:M/MAV:A

3.2.4     CWE-434: Unrestricted Upload of File with Dangerous Type

By using the vulnerability, an attacker may upload arbitrary files to the system. This may be used to change the communication device behavior including its availability on the network, but not the availability or integrity of the connected pumps.

A CVSS v3.1 score of 5.4 has been calculated, the CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/ S:U/C:L/I:L/A:N/CR:M/IR:M/AR:L/MAV:A.

3.3     Background

  • Critical Infrastructure Sectors: Healthcare and Public Health
  • Countries/Areas Deployed: Worldwide (except USA)
  • Company Headquarters Location: Germany

3.4     Researcher

McAfee Advanced Threat Research (ATR)

4       Mitigations

B. Braun recommends:

DEVICE RECOMMENDATIONS

Always use the latest updates:

  • SpaceCom: L82 or later
  • Battery Pack SP with WiFi:L82 or later
  • DataModule compactplus: version A12 or later

NETWORK RECOMMENDATIONS

  • All facilities utilizing SpaceCom, Battery Pack SP with WiFi, and DataModule compactplus should review their IT infrastructure to ensure that a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments which are not accessible directly from the internet or by unauthorized users. 
  • Wireless networks should be implemented using multi-factor authentication and industry standard encryption and should be equipped with Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS).

Note: In some instances, standard IT security measures (e.g., blocking of ports) may limit the administrative functions of the product, but will not impact the therapy related functions of the device.  Where it is necessary to reduce security measures to perform an administrative function, such actions should be temporary in nature, and the recommendations identified above reinstituted immediately upon successful completion of the function.

The B. Braun advisory is available at bbraun.com/productsecurity. Please contact your local B. Braun organization to request further help.

5       Contact information

If you have any additional information regarding the security of our products, please contact your local B. Braun representative or directly productsecurity@bbraun.com.

If you are a B. Braun customer and need support in mitigating the above-mentioned vulnerabilities, contact your local B. Braun representative.

1      Executive Summary

  • CVSS v3  7.6
  • ATTENTION: Exploitable remotely/low and high skill level to exploit. Patient safety not affected!
  • Vendor: B. Braun Melsungen AG
  • Equipment: SpaceCom, Battery Pack SP with WiFi, Data module compactplus
  • Vulnerabilities: Cross-site Scripting, Open Redirect, XPath Injection, Session Fixation, Use of a One-Way Hash without a Salt, Improper Verification of Cryptographic Signature, Improper Privilege Management, Use of Hard-coded Credentials, Active Debug Code, Improper Access Control

2      Risk Evaluation

Successful exploitation of these vulnerabilities could allow an attacker to compromise the security of the Space or compactplus communication devices, allowing an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution. 

B. Braun has received no reports of exploitation or incidents associated with these vulnerabilities.

Note that all listed vulnerabilities are in the communication devices that are separated in hardware and software from the infusion pumps. Safety of patients or users is not affected by the exploitation of these vulnerabilities. However, it may be possible to damage pumps that are in standby mode such that they do not return to operation without service intervention.

3      Technical Details

3.1    Affected Products

The following versions of B. Braun products are affected:

  • SpaceCom, software versions U61 and earlier (United States), L81 and earlier (rest of world)
  • Battery pack with WiFi, software versions U61 and earlier (United States), L81 and earlier (rest of world)
  • Data module compactplus, software versions A10 and A11 (not distributed in the United States)

Other devices of B. Braun are not affected.

3.2    Vulnerability Overview

3.2.1 Cross-site Scripting (Improper Neutralization of Input During Web Page Generation) (CWE-79)

A reflected cross-site scripting (XSS) vulnerability in the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into the administrative web interface.

CVE-2020-25158 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L).

3.2.2   URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)

An open redirect vulnerability in the administrative interface of the B. Braun SpaceCom device version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows attackers to redirect users to malicious websites.

CVE-2020-25154 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).

3.2.3     Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)(CWE-643)

A XPath Injection vulnerability in the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges.

CVE-2020-25162 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.4     Session Fixation (CWE-384)

A session fixation vulnerability in the B. Braun SpaceCom administrative interface version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges.

CVE-2020-25152 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.5     Use of a One-way Hash without a Salt (CWE-759)

A vulnerability in the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows attackers to recover user credentials of the administrative interface.

CVE-2020-25164 has been assigned to this vulnerability. A CVSS v3 base score of 5.1 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.6    Relative Path Traversal (CWE-23)

A relative path traversal attack in the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file, an attacker can execute arbitrary commands.

CVE-2020-25150 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).

3.2.7     Improper Verification of Cryptographic Signature (CWE-347)

An improper verification of the cryptographic signature of firmware updates of the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices.

CVE-2020-25166 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H).

3.2.8    Improper Privilege Management (CWE-269)

A vulnerability in the configuration import mechanism of the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows an attacker with command line access to the underlying Linux system to escalate privileges to the root user.

CVE-2020-16238 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.9     Use of Hard-Coded Credentials (CWE-798)

Hard-coded credentials in the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 enables attackers with command line access to access the devices WiFi module.

CVE-2020-25168 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

3.2.10    Active Debug Code (CWE-489)

Active debug code in the B. Braun SpaceCom version L81/U61 and the Data module compactplus versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root.

CVE-2020-25156 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.11  Improper Access Control (CWE-284)

Improper access controls in the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 enables attackers to extract and tamper with the devices network configuration.

CVE-2020-25160 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L).

3.3    Background

  • Critical Infrastructure Sectors: Healthcare and Public Health
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Germany

3.4     Researcher

Julian Suleder (ERNW Research GmbH), Nils Emmerich (ERNW Research GmbH), Birk Kauer (ERNW Research GmbH), Dr. Oliver Matula (ERNW Enno Rey Netzwerke GmbH) reported these vulnerabilities to B. Braun via the German Federal Office for Information Security (BSI) in the context of the BSI project ManiMed (Manipulation of medical devices).

4       Mitigations

B. Braun recommends applying updates:

  • SpaceCom: version U62 or later (United States), L82 or later (rest of world)
  • Battery Pack SP with WiFi: version U62 or later (United States), L82 or later (rest of world)
  • Data module compactplus: version A12 or later

As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:

  • Ensure the devices are not accessible directly from the internet!
  • Use a firewall and isolate the medical devices from the business network. 

The B. Braun advisory is available at bbraun.com/productsecurity. Please contact your local B. Braun organization to request further help.

This advisory was created in cooperation with authorities and organizations and will also be published through the CISA as (ICSMA-20-296-02) at https://us-cert.cisa.gov/ics/advisories/icsma-20-296-02.

5       Contact information

If you have any additional information regarding the security of our products, please contact your local B. Braun representative or directly productsecurity@bbraun.com.

If you are a B. Braun customer and need support in mitigating the above mentioned vulnerabilities, contact your local B. Braun representative. 

1       Executive Summary

CVSS v3  8.6

ATTENTION: Exploitable remotely/low and high skill level to exploit. Patient safety is not affected!

Vendor: B. Braun Melsungen AG

Equipment: OnlineSuite

Vulnerabilities: Relative Path Traversal, Uncontrolled Search Path Element, Improper Neutralization of Formula Elements in a CSV File.

2       Risk Evaluation

Successful exploitation of these vulnerabilities may allow an attacker to escalate privileges, download and upload arbitrary files, and perform remote code execution. B. Braun has received no reports of exploitation or incidents associated with these vulnerabilities.

Note that all listed vulnerabilities are in the server-side software that is separated from the infusion pumps! Safety of patients or users is not affected by these vulnerabilities.

3       Technical Details

3.1     Affected Products

The following versions of B. Braun products are affected:

OnlineSuite AP 3.0 and earlier

3.2     Vulnerability Overview

3.2.1     Relative Path Traversal (CWE-23)

A relative path traversal attack in the B. Braun OnlineSuite version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files.

CVE-2020-25172 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L).

3.2.2     Uncontrolled Search Path Element (CWE-427)

A DLL hijacking vulnerability in the B. Braun OnlineSuite version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user.

CVE-2020-25174 has been assigned to this vulnerability. A CVSS v3 base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.3     Improper Neutralization of Formula Elements in a CSV File (CWE-1236)

An Excel Macro Injection vulnerability exists in the export feature in the B. Braun Melsungen AG OnlineSuite version AP 3.0 and earlier via multiple operator-controlled input fields that are mishandled in an Excel export.

CVE-2020-25170 has been assigned to this vulnerability. A CVSS v3 base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N).

3.3     Background

Critical Infrastructure Sectors: Healthcare and Public Health

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Germany

3.4     Researcher

Julian Suleder (ERNW Research GmbH), Nils Emmerich (ERNW Research GmbH), Birk Kauer (ERNW Research GmbH), and Dr. Oliver Matula (ERNW Enno Rey Netzwerke GmbH) reported these vulnerabilities to B. Braun via the German Federal Office for Information Security (BSI).

4       Mitigations

B. Braun recommends applying updates:

OnlineSuite Field Service Information AIS06/20

As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:

Ensure the medical devices are not accessible directly from the internet!

Use a firewall and isolate the medical devices from the business network.

The B. Braun advisory is available at bbraun.com/productsecurity. Please contact your local B. Braun organization to request further help. 

This advisory was created in cooperation with authorities and organizations and will also be published through the CISA as ICSMA-20-296-01.

5       Contact information

If you have any additional information regarding the security of our products, please contact your local B. Braun representative or directly productsecurity@bbraun.com

If you are a B. Braun customer and need support in mitigating the abovementioned vulnerabilities, contact your local B. Braun representative

B. Braun ensures high security standards throughout the product life cycle by using globally accepted standard test and verification methods. We have established processes to monitor the latest vulnerabilities, threats, or risks and will proactively implement measures as required.   

Vulnerability Summary  

Cybersecurity firm Forescout Research Labs has discovered a new set of 33 major vulnerabilities in Internet of Things (IOT), operational technology (OT) and IT devices impacting four widely used open-source TCP/IP stacks. These vulnerabilities reside in the uIP, FNET, picoTCP and Nut/Net stacks, which serve as foundational connectivity components for millions of IoT, OT, networking and IT devices. Four of these vulnerabilities are critical and allow for remote code execution.  

Analysis & Action  

B. Braun’s first analysis determined that NONE of our connected devices  

  • Infusion system Space®  
  • Infusion system compactplus®
  • Clinical IT Solution OnlineSuite

are affected.  

Recommendations

As our clinical IT solutions are installed on standard Windows Servers, we highly recommend reviewing Microsoft’s recommendations and advises concerning the issue. Our B.Braun security team is also available to support if questions arise.   

References

Website Forescout Labs – Security Researcher AMNESIA:33 - Forescout

Contact & further Information  

You can also contact our global security team if you have any further questions, require detailed technical information, or any other support issue concerning Cybersecurity. You can send an email productsecurity@bbraun.com

Vulnerability Advisory

1       Executive Summary

• CVSS v3:  9.8

• ATTENTION: Exploitable remotely via the internal network, high skill level needed to exploit, Patient safety is not affected

• Vendor: B. Braun Melsungen AG

• Equipment: OnlineSuite

• Vulnerabilities: Buffer Access with Incorrect Length Value, Improper Input Validation, Improper Verification of Cryptographic Signature, Origin Validation Error, Inadequate Encryption Strength, Improper Resource Shutdown or Release

2       Risk Evaluation

Vulnerabilities were found in a 3rd-party software delivered with the OnlineSuite. Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data, and prevent normal operation of third-party software dependent on the CodeMeter. 

Note that all listed vulnerabilities are in the server-side software that is separated from the infusion pumps and affects only the 3rd party software. Safety of patients or users is not affected by these vulnerabilities. 

3      Technical Details

3.1 Affected Products

The following versions of B. Braun products are affected:

• OnlineSuite AP 2.1.2, 3.0

3.2 Vulnerability Overview

3.2.1 Buffer Access with Incorrect Length Value    (CVE-2020-14509)

Multiple memory corruption vulnerabilities exist where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.

3.2.2 Improper Input Validation (CVE-2020-14513)

CVE-2020-14513: CodeMeter and the software using it may crash while processing a specifically crafted license file due to unverified length fields. Can lead to Denial of Service of the OnlineSuite.

3.2.3 Improper Verification of Cryptographic Signature (CVE-2020-14515)                

CVE-2020-14515: There is an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files.

3.2.4 Origin Validation Error (CVE-2020-14519)

CVE-2020-14519: This vulnerability allows an attacker to use the internal WebSockets API via a specifically crafted Java Script payload, which may allow alteration or creation of license files when combined with CVE-2020-14515.

3.2.5 Inadequate Encryption Strength (CVE-2020-14517)

CVE-2020-14517: Protocol encryption can be easily broken, and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.

3.2.6 Improper Resource Shutdown or Release (CVE-2020-16233)

CVE-2020-16233: An attacker could send a specially crafted packet that could have the server send back packets containing data from the heap 

 

ICSA-20-203-01, including CVE-2020-14509, CVE-2020-14517, CVE-2020-145159, CVE-2020-14513, CVE-2020-14515, CVE-2020-16233 was published on this matter. The maximum CVSS v3 base score is 9.8, the CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

3.3 Background

• Critical Infrastructure Sectors: Healthcare and Public Health 

• Countries/Areas Deployed: Worldwide 

• Company Headquarters Location: Germany 

3.4 Researcher

N/A

4      Mitigations

B. Braun recommends applying updates:

• OnlineSuite Field Service Information AIS01/21

As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:

• Ensure the medical devices are not accessible directly from the internet!

• Use a firewall and isolate the medical devices from the business network. 

Further information concerning the issues can be found at https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01

The B. Braun advisory is available at bbraun.com/productsecurity. Please contact your local B. Braun organization to request further help. 

5       Contact Information

If you have any additional information regarding the security of our products, please contact your local B. Braun representative or directly productsecurity@bbraun.com

If you are a B. Braun customer and need support in mitigating the abovementioned vulnerabilities, contact your local B. Braun representative. 

 

Cybersecurity firm Forescout Research Labs has discovered and disclosed 9 vulnerabilities in several DNS implementations.

These vulnerabilities relate to DNS implementations and can cause Denial of Service or Remote Code Execution, allowing attackers to take targeted IT, IoT or OT devices offline or take control of them. It affects four popular TCP/IP stacks.

Vulnerability Summary 

Cybersecurity firm Forescout Research Labs has discovered a new set of 9 several DNS implementations.

These vulnerabilities relate to DNS implementations and can cause Denial of Service or Remote Code Execution, allowing attackers to take targeted IT, IoT or OT devices offline or take control of them. It affects four popular TCP/IP stacks.

Analysis & Action 

B. Braun’s first analysis determined that NONE of our connected devices 

  • Infusion system SpacePlus®
  • Infusion system Space® 
  • Infusion system compactplus®
  • Clinical IT Solution OnlineSuite

are affected. 

Recommendations

As our clinical IT solutions are installed on standard Windows Servers, we highly recommend reviewing Microsoft’s recommendations and advises concerning the issue. Our B.Braun security team is also available to support if questions arise.  

References

Website Forescout Labs – Security Researcher Name:WRECK – Forescout

Contact Information & further Information 

You can also contact our global security team if you have any further questions, require detailed technical information, or any other support issue concerning Cybersecurity.

You can send an email productsecurity@bbraun.com