CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
79.6%
This updated advisory is a follow-up to the original advisory titled βICSMA-21-294-01 B. Braun Infusomat Space Large Volume Pumpβ that was published October 21, 2021, on the ICS webpage on cisa.gov/ICS.
Successful exploitation of these vulnerabilities could allow a remote unauthenticated attacker to gain user-level command-line access, send the device malicious data to be used in place of correct data, reconfigure the device from an unknown source, obtain sensitive information, or overwrite critical files.
B. Braun reports these vulnerabilities affect the following products in the following areas:
Within the United States and Canada:
Outside the United States and Canada:
An improper sanitization of input vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to gain user-level command-line access by passing a raw external string straight through to printf statements. The attacker is required to be on the same network as the device.
CVE-2021-33886 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
An insufficient verification of data authenticity vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to send the device malicious data to be used in place of the correct data. This results in full system command access and execution because of the lack of cryptographic signatures on critical data sets.
CVE-2021-33885 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
A missing authentication for critical function vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to reconfigure the device from an unknown source because of the lack of authentication on proprietary networking commands.
CVE-2021-33882 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N).
A cleartext transmission of sensitive information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by obtaining access to network traffic. The exposed data includes critical values for a pumpβs internal configuration.
CVE-2021-33883 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
An unrestricted upload of file with dangerous type vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows remote attackers to upload any files to the /tmp directory of the device through the webpage API, which can result in critical files being overwritten.
CVE-2021-33884 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
Douglas McKee and Philippe Laulheret of McAfee reported these vulnerabilities to B. Braun.
--------- Begin Update A part 1 of 1 ---------
B. Braun has released software updates to mitigate the reported vulnerabilities:
Within the United States and Canada:
For details on acquiring this software, see the B. Braun Advisory.
Users in the United States and Canada who need additional support can contact B. Braun Technical Support by calling 800-627-PUMP or by emailing [email protected].
Note: Facilities in Canada using βUβ versions of software should follow the U.S. vulnerability disclosure. Facilities in Canada using non βUβ versions (e.g. L) should follow the vulnerability disclosure for outside the U.S.
Outside the United States and Canada:
For more information, see the B. Braunβs Vulnerability Advisory.
--------- End Update A part 1 of 1 ---------
In addition, B. Braun recommends users of the affected products consider the following best practices:
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have a low attack complexity.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33882
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33883
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33884
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33885
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33886
cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-21-294-01
cwe.mitre.org/data/definitions/20.html
cwe.mitre.org/data/definitions/306.html
cwe.mitre.org/data/definitions/319.html
cwe.mitre.org/data/definitions/345.html
cwe.mitre.org/data/definitions/434.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=B.%20Braun%20Infusomat%20Space%20Large%20Volume%20Pump%20%28Update%20A%29+https://www.cisa.gov/news-events/ics-medical-advisories/icsma-21-294-01
us-cert.cisa.gov/ics
us-cert.cisa.gov/ics
us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01
us-cert.cisa.gov/ics/recommended-practices
us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.bbraun.com/en/products-and-solutions/temp/b--braun-coordinated-vulnerability-disclosure/security-advisory.html
www.bbraun.com/en/products-and-solutions/temp/b--braun-coordinated-vulnerability-disclosure/security-advisory.html
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-21-294-01&title=B.%20Braun%20Infusomat%20Space%20Large%20Volume%20Pump%20%28Update%20A%29
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-medical-advisories/icsma-21-294-01
www.oig.dhs.gov/
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=B.%20Braun%20Infusomat%20Space%20Large%20Volume%20Pump%20%28Update%20A%29&body=www.cisa.gov/news-events/ics-medical-advisories/icsma-21-294-01
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
79.6%