Vulnerabilities Discovered in B. Braun Infusomat Space and Perfusor Space Infusion Pumps

B. Braun has introduced software updates to resolve five vulnerabilities identified in Infusomat Space and Perfusor Space Infusion Pumps. An attacker with low-level skill can exploit the vulnerabilities remotely.

In North America, the vulnerabilities have an effect on Battery pack SP with WiFi (All software Versions 028U000061 including prior versions) that were installed in a Perfusor Space Infusion pump or an Infusomat Space Infusion Pump, and SpaceStation with SpaceCom 2 (all software versions 012U000061 including prior versions). Douglas McKee and Philippe Laulheret of McAfee discovered the vulnerabilities and contacted B. Braun.

The most problematic vulnerability CVE-2021-33885 is a critical defect in B. Braun SpaceCom2 with a CVSS severity score of 9. It is because of inadequate verification of information authenticity. A remote attacker can take advantage of this to transmit malicious information to the device, which could be utilized instead of the right information.

CVE-2021-33886 is an incorrect input validation vulnerability. A remote unauthenticated attacker can acquire user-level command-line access by sending a raw external string directly through to printf statements. But the attacker should be on a similar system as the device, thus the possibilities for exploitation are lower. The CVSS score assigned to this vulnerability is 6.8.

CVE-2021-33882 is a missing authentication for critical function vulnerability. A remote attacker could take advantage of this vulnerability and change the configuration of the device using an unidentified source, because of the insufficient authentication on proprietary networking commands. The CVSS score assigned to this vulnerability is 6.8.

Because of uncontrolled uploads of unsafe file types, a remote attacker could possibly upload a malicious file to the device’s /tmp directory via the website API, which can cause the overwriting of critical files thus impacting device operation. The CVSS severity score of this vulnerability CVE-2021-33884 is 6.5.

The final vulnerability is a data exposure problem that could permit an attacker to acquire critical values for a pump’s internal settings because of the transmission of sensitive data in cleartext. The CVSS severity score of this vulnerability CVE-2021-33883 is 5.9.

Braun has resolved the vulnerability in these software updates:

  1. Battery pack SP with Wi-Fi, software 054U00091 (SN 138853 and higher)
  2. Battery pack SP with Wi-Fi, software 028U00062 (SN 138852 and lower)
  3. SpaceStation with SpaceCom 2 software Versions 012U000083

At this time, there were no reported incidents of exploitation of the vulnerabilities; nevertheless, the updates must be implemented immediately.

B.Braun additionally recommends making sure infusion pumps are located in different environments that are secured by VLANs or firewalls, that authentication steps are set up to avoid unauthorized access, and that it’s not possible to directly access the devices online. In case remote access is needed, safe access methods must be used, like a Virtual Private Network (VPN).