Vulnerabilities Identified in B. Braun OnlineSuite and SpaceCom

Several vulnerabilities have recently been identified in B. Braun products used by healthcare organizations in the United States.

B.Braun OnlineSuite

Three vulnerabilities have been identified in B. Braun OnlineSuite, a clinical IT solution for creating and sending drug libraries and managing infusion devices and other medical equipment. If exploited, an attacker could escalate privileges, upload and download arbitrary files, and remotely execute code.

The most serious flaws are a relative path traversal vulnerability – CVE-2020-25172 – which allows uploads and downloads of files by unauthenticated individuals, and a remote code execution vulnerability – CVE-2020-25174 – which allows a local attacker to execute code as a high privileged user. The flaws have been assigned CVSS v3 base scores of 8.6 and 8.4 out of 10.

An Excel macro vulnerability – CVE-2020-25170 – has also been identified in the export feature, caused by the mishandling of multiple input fields, which has been assigned a CVSS v3 base score of 6.9.

The flaws are present in OnlineSuite AP 3.0 and earlier. B.Braun has addressed the flaws in the update, OnlineSuite Field Service Information AIS06/20, which users are advised to apply as soon as possible.

SpaceCom and Battery Pack SP with Wi-Fi

11 vulnerabilities have been identified in SpaceCom, which is used to connect external devices for data documentation in a Patient Data Management System, PC or USB memory stick, and Battery Pack with WiFi.

The flaws affect SpaceCom, software Versions U61 and earlier and Battery pack with Wi-Fi, software Versions U61 and earlier.

If exploited, an attacker could compromise the security of SpaceCom devices and escalate privileges, view sensitive information, upload arbitrary files, and remotely execute arbitrary code.

  • CVE-2020-25158 (CVSS 7.6) – Reflected cross-site scripting (XSS) vulnerability allowing injection of arbitrary web script or HTML into various locations.
  • CVE-2020-25150 (CVSS 7.6) -Relative path traversal attack vulnerability allowing an attacker with service user privileges to upload arbitrary files and execute arbitrary commands.
  • CVE-2020-25162 (CVSS 7.5) – Path injection vulnerability allowing unauthenticated individuals to access sensitive information and escalate privileges.
  • CVE-2020-25156 (CVSS 7.2) – Active debug code that enables attackers in possession of cryptographic material to access the device as root.
  • CVE-2020-25160 (CVSS 6.8) -Improper access controls that allow extraction and tampering with the device’s network configuration.
  • CVE-2020-25166 (CVSS 6.8) -Improper verification of the cryptographic signature of firmware updates, which allows an attacker to generate valid firmware updates with arbitrary content that can be used to tamper with devices.
  • CVE-2020-16238 (CVSS 6.7) – Improper privilege management that gives attackers command line access to the underlying Linux system, and privileges to be escalated to root user.
  • CVE-2020-25152 (CVSS 6.5) -Session fixation vulnerability allowing hijacking of web sessions and escalation of privileges.
  • CVE-2020-25154 (CVSS 5.4) – Open redirect vulnerability allowing redirection to malicious websites.
  • CVE-2020-25164 (CVSS 5.1) – Use of a one-way hash which allows the recovery of user credentials of the administrative interface.
  • CVE-2020-25168 (CVSS 3.3) – Use of hard-coded credentials that would allow command line access to access the device’s Wi-Fi module

Braun has released updates to correct the flaws. Users should update to SpaceCom: Version U62 or later and Battery Pack SP with Wi-Fi: Version U62 or later.

Braun also recommends devices should not be accessible directly from the internet and to use a firewall and isolate medical devices from the business network.

The vulnerabilities were identified by Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.