ICSMA-21-294-01  ·  Published 2021-10-21

B. Braun Infusomat Space Large Volume Pump

CVSS 9.0 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities could allow a remote unauthenticated attacker to gain user-level command-line access, send the device malicious data to be used in place of correct data, reconfigure the device from an unknown source, obtain sensitive information, or overwrite critical files.

Remediations

  • B. Braun has released software updates to mitigate the reported vulnerabilities. Within the United States and Canada: Battery pack SP with Wi-Fi, software 028U00093 (SN 138852 and lower); Battery pack SP with Wi-Fi, software 054U00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software Version 012U000093. For details on acquiring this software, see the B. Braun Advisory. Note: Facilities in Canada using “U” versions of software should follow the U.S. vulnerability disclosure. Facilities in Canada using non “U” versions (e.g. L) should follow the vulnerability disclosure for outside the U.S.
  • Users in the United States and Canada who need additional support can contact B. Braun Technical Support by calling 800-627-PUMP or by emailing [email protected].
  • B. Braun has released software updates to mitigate the reported vulnerabilities. Outside the United States and Canada: Battery Pack SP with Wi-Fi, software 027L000093 (below SN 138853); Battery pack SP with Wi-Fi, software 053L00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software version 011L000093. For more information, see B. Braun's Vulnerability Advisory.
  • All facilities utilizing SpaceCom 2 and Battery Pack SP with Wi-Fi should review their IT infrastructure to ensure a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate environments (e.g., separated by firewalls or VLANs) that are not accessible directly from the Internet or by unauthorized users.
  • Wireless networks should be implemented using industry standard encryption and should be equipped with intrusion detection systems (IDS) and/or intrusion prevention systems (IPS).

Affected Vendors

B. Braun Medical

Affected Products (5)

B. Braun Medical · Battery Pack SP with Wi-Fi <= L81
B. Braun Medical · Data module compactPlus A10 < A11
B. Braun Medical · SpaceStation with SpaceCom 2 <= L81
B. Braun Medical · SpaceStation with SpaceCom 2 <= 012U000061
B. Braun Medical · Battery pack SP with WiFi <= 028U000061

Affected Sectors

Healthcare and Public Health
