<p>You are about to enter the B. Braun Melsungen AG (global) website. If you are from United States, visit the U. S. Website</p>

United States - B. Braun Medical Inc.

Global - B. Braun Melsungen AG

<p>Not all products are registered and approved for sale in all countries or regions. Indications of use may also vary by country and region. Please contact your country representative for product availability and information. Product images are for reference only.</p>

You have successfully logged out.

Monday, October 26, 2020

10/2020 SpaceCom, Battery Pack SP with WiFi, Data module compactplus - multiple vulnerabilities

B. Braun ensures high security standards throughout the product life cycle by using globally accepted standard test and verification methods. We have established processes to monitor the latest vulnerabilities, threats, or risks and will proactively implement measures as required.

1 Executive Summary

CVSS v3 7.6

ATTENTION: Exploitable remotely/low and high skill level to exploit. Patient safety not affected!

Vendor: B. Braun Melsungen AG

Equipment: SpaceCom, Battery Pack SP with WiFi, Data module compactplus

Vulnerabilities: Cross-site Scripting, Open Redirect, XPath Injection, Session Fixation, Use of a One-Way Hash without a Salt, Improper Verification of Cryptographic Signature, Improper Privilege Management, Use of Hard-coded Credentials, Active Debug Code, Improper Access Control

2 Risk Evaluation

Successful exploitation of these vulnerabilities could allow an attacker to compromise the security of the Space or compactplus communication devices, allowing an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution.

B. Braun has received no reports of exploitation or incidents associated with these vulnerabilities.

Note that all listed vulnerabilities are in the communication devices that are separated in hardware and software from the infusion pumps. Safety of patients or users is not affected by the exploitation of these vulnerabilities. However, it may be possible to damage pumps that are in standby mode such that they do not return to operation without service intervention.

3 Technical Details

3.1 Affected Products

The following versions of B. Braun products are affected:

SpaceCom, software versions U61 and earlier (United States), L81 and earlier (rest of world)

Battery pack with WiFi, software versions U61 and earlier (United States), L81 and earlier (rest of world)

Data module compactplus, software versions A10 and A11 (not distributed in the United States)

Other devices of B. Braun are not affected.

3.2 Vulnerability Overview

3.2.1 Cross-site Scripting (Improper Neutralization of Input During Web Page Generation) (CWE-79)

A reflected cross-site scripting (XSS) vulnerability in the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into the administrative web interface.

CVE-2020-25158 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L).

3.2.2 URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)

An open redirect vulnerability in the administrative interface of the B. Braun SpaceCom device version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows attackers to redirect users to malicious websites.

CVE-2020-25154 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).

3.2.3 Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)(CWE-643)

A XPath Injection vulnerability in the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges.

CVE-2020-25162 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.4 Session Fixation (CWE-384)

A session fixation vulnerability in the B. Braun SpaceCom administrative interface version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges.

CVE-2020-25152 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.5 Use of a One-way Hash without a Salt (CWE-759)

A vulnerability in the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows attackers to recover user credentials of the administrative interface.

CVE-2020-25164 has been assigned to this vulnerability. A CVSS v3 base score of 5.1 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.6 Relative Path Traversal (CWE-23)

A relative path traversal attack in the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file, an attacker can execute arbitrary commands.

CVE-2020-25150 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).

3.2.7 Improper Verification of Cryptographic Signature (CWE-347)

An improper verification of the cryptographic signature of firmware updates of the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices.

CVE-2020-25166 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H).

3.2.8 Improper Privilege Management (CWE-269)

A vulnerability in the configuration import mechanism of the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 allows an attacker with command line access to the underlying Linux system to escalate privileges to the root user.

CVE-2020-16238 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.9 Use of Hard-Coded Credentials (CWE-798)

Hard-coded credentials in the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 enables attackers with command line access to access the devices WiFi module.

CVE-2020-25168 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

3.2.10 Active Debug Code (CWE-489)

Active debug code in the B. Braun SpaceCom version L81/U61 and the Data module compactplus versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root.

CVE-2020-25156 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.11 Improper Access Control (CWE-284)

Improper access controls in the B. Braun SpaceCom version L81/U61 and earlier and the Data module compactplus versions A10 and A11 enables attackers to extract and tamper with the devices network configuration.

CVE-2020-25160 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L).

3.3 Background

Critical Infrastructure Sectors: Healthcare and Public Health

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Germany

3.4 Researcher

Julian Suleder (ERNW Research GmbH), Nils Emmerich (ERNW Research GmbH), Birk Kauer (ERNW Research GmbH), Dr. Oliver Matula (ERNW Enno Rey Netzwerke GmbH) reported these vulnerabilities to B. Braun via the German Federal Office for Information Security (BSI) in the context of the BSI project ManiMed (Manipulation of medical devices).

4 Mitigations

B. Braun recommends applying updates:

SpaceCom: version U62 or later (United States), L82 or later (rest of world)

Battery Pack SP with WiFi: version U62 or later (United States), L82 or later (rest of world)

Data module compactplus: version A12 or later

As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:

Ensure the devices are not accessible directly from the internet!

Use a firewall and isolate the medical devices from the business network.

The B. Braun advisory is available at bbraun.com/productsecurity. Please contact your local B. Braun organization to request further help.

This advisory was created in cooperation with authorities and organizations and will also be published through the CISA as (ICSMA-20-296-02) at https://us-cert.cisa.gov/ics/advisories/icsma-20-296-02.

B. Braun has released software updates to mitigate the reported vulnerabilities:

Update A:

Battery pack SP with Wi-Fi, software 028U00093 (SN 138852 and lower)
Battery pack SP with Wi-Fi, software 054U00093 (SN 138853 and higher)
SpaceStation with SpaceCom 2 software Version 012U000093

5 Contact information

If you have any additional information regarding the security of our products, please contact your local B. Braun representative or directly productsecurity@bbraun.com.

If you are a B. Braun customer and need support in mitigating the above mentioned vulnerabilities, contact your local B. Braun representative.

Take part in our customer survey

Your feedback matters! Participate in our customer survey to help us enhance our website, products and services. Thank you for your support!

Start survey