ICSMA-20-296-02  ·  Published 2020-10-22  ·  View on CISA ICS-CERT ↗

B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus

CVSS 7.6 HIGH

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker to compromise the security of the Space or compactplus communication devices, allowing an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution.

Remediations

  • B. Braun has released software updates to mitigate the reported vulnerabilities. Within the United States and Canada: Battery Pack SP with Wi-Fi, software 028U00093 (SN 138852 and lower); Battery Pack SP with Wi-Fi, software 054U00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software version 012U000093. For details on acquiring this software, see the B. Braun Advisory. Note: Facilities in Canada using “U” versions of software should follow the U.S. vulnerability disclosure. Facilities in Canada using non-“U” versions (e.g., L) should follow the vulnerability disclosure for outside the U.S.
  • Users in the United States and Canada who need additional support can contact B. Braun Technical Support by calling 800-627-PUMP or by emailing [email protected].
  • B. Braun has released software updates to mitigate the reported vulnerabilities. Outside the United States and Canada: Battery Pack SP with Wi-Fi, software 027L000093 (below SN 138853); Battery Pack SP with Wi-Fi, software 053L00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software version 011L000093. For more information, see B. Braun's Vulnerability Advisory.
  • All facilities utilizing SpaceCom 2 and Battery Pack SP with Wi-Fi should review their IT infrastructure to ensure a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate environments (e.g., segregated by firewalls or VLANs) that are not accessible directly from the Internet or by unauthorized users.
  • Wireless networks should be implemented using industry standard encryption and should be equipped with intrusion detection systems (IDS) and/or intrusion prevention systems (IPS).

Affected Vendors

B. Braun Medical

Affected Products (3)

B. Braun Medical · SpaceCom <= U61 | <= L81
B. Braun Medical · Battery pack with Wi-Fi <= U61 | <= L81
B. Braun Medical · Data module compactplus A10 | A11

Affected Sectors

Healthcare and Public Health
