Manipulating Medical Devices

The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Diclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].

Scope

This blog post details the security assessment of the Space infusion and syringe system from the German manufacturer B. Braun Melsungen AG (hereafter referred to as B. Braun).
The B. Braun therapy system comprises different infusion and syringe pumps grouped into docks with a communication module called SpaceCom. A central management software called OnlineSuite allows monitoring pumps and configuring drug libraries.

The inspected components were the SpaceCom communication module, two Infusomat Space infusion pumps and two Perfusor Space syringe pumps, and the central management software called Online Suite with a full feature set license.

The B. Braun Melsungen Space system comprised a SpaceStation including a SpaceCom communication module, one Infosomat Space infusion pump, and three Perfusor Space syringe pumps.
The B. Braun Melsungen Space system comprised a SpaceStation including a SpaceCom communication module, one Infosomat Space infusion pump, and three Perfusor Space syringe pumps. [1, p. 51]

Results

Issues with the OnlineSuite application’s file upload and file download functionalities were identified during the security assessment. These vulnerabilities allow unauthenticated attackers to upload and download arbitrary files from and to the OnlineSuite server (CVE-2020-25172). This vulnerability can be exploited to either cause a Denial of Service (DoS) of the web application or to execute arbitrary code on the server (CVE-2020-25174) via DLL hijacking.

Multiple issues concerning the session management and authentication were identified in the SpaceCom’s administrative web interface. The application is vulnerable to a session fixation attack (CVE-2020-2515) that allows an attacker to forge controlled session tokens for users.

Multiple injection vectors such as Cross-Site Scripting (XSS) (CVE-2020-25158) and unvalidated redirects and forwards (CVE-2020-25154) were identified in the web application. Furthermore, the login page is vulnerable to XPath injections (CVE-2020-25162) that enable attackers to extract usernames and password hashes which are improperly hashed (CVE-2020-25164). An authenticated arbitrary file upload vulnerability (CVE-2020-2515) combined with an unvalidated symbolic link and local privilege escalations (CVE-2020-16238) enables attackers to execute commands as the root user.

Firmware images are protected against modifications with a hash that is included in the image’s header (CVE-2020-25166). An attacker can tamper with firmware images and calculate valid checksums to provide manipulated firmware images.

ICS Medical Advisories (ICSMA-20-296-01, ICSMA-20-296-02) were published on October 22, 2020 [2, 3].

Impact

The vulnerabilities result in a compromise of the Online Suite as well as the SpaceCom. Attackers might be able to prepare attacks to further connected systems such as Electronic Medical Record (EMR) systems. The integrity or operation of the infusion and syringe pumps is not affected. The manufacturer identified no patent risk. Updates were provided for the OnlineSuite as well as the SpaceCom and announced to the customers [4].

References

[1] Bundesamt für Sicherheit in der Informationstechnik (BSI). Veröffentlichungen. Online (accessed January 12, 2021): https://www.bsi.bund.de/DE/Themen/DigitaleGesellschaft/eHealth/Medizintechnik/Veroeffentlichungen/cybermed_node.html

[2] ICS Medical Advisory (ICSMA-20-296-01): B. Braun OnlineSuite. October 22, 2020. Online (accessed January 12, 2021): https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01

[3] ICS Medical Advisory (ICSMA-20-296-02): B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus. October 22, 2020. Online (accessed January 12, 2021): https://us-cert.cisa.gov/ics/advisories/icsma-20-296-02

[4] B. Braun Melsungen AG. Security Advisories. Online (accessed January 12, 2021): https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html