Five previously undisclosed security flaws affecting B. Braun’s SpaceStation and Infusomat pump could allow unauthorized users to alter the doses of medication injected intravenously.
The flaws were discovered by McAfee researchers, who reported them to the German medical and pharmaceutical device company on January 11, 2021.
According to McAfee the “modification could appear as a device malfunction and be noticed only after a substantial amount of drug has been dispensed to a patient, since the infusion pump displays exactly what was prescribed, all while dispensing potentially lethal doses of medication.”
The issues have been fixed by B. Braun in SpaceCom L82 or later, Battery Pack SP with WiFi:L82 or later, and DataModule compactplus version A12 or later.
Infusion pumps are medical devices that deliver nutrients and medications to a patient’s body. They are used to deliver these fluids into a patient’s body. The devices run on an embedded Linux system called SpaceCom, which is typically built into the hardware.
The flaws found by McAfee enable an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution. By chaining together them, an attacker could “modify a pump’s configuration while the pump is in standby mode, resulting in an unexpected dose of medication being delivered to a patient on its next use – all with zero authentication,” McAfee Advanced Threat Research team noted in a technical write-up.
They discovered flaws are:
- CVE-2021-33885 – Insufficient Verification of Data Authenticity (CVSS 9.7)
- CVE-2021-33882 – Missing Authentication for Critical Function (CVSS 8.2)
- CVE-2021-33886 – Use of Externally-Controlled Format String (CVSS 7.7)
- CVE-2021-33883 – Cleartext Transmission of Sensitive Information (CVSS 7.1)
- CVE-2021-33884 – Unrestricted Upload of File with Dangerous Type (CVSS 5.8)
Attacks against pumps can only be performed when the devices are in standby mode or are idle. Moreover, a threat actor needs to first gain an initial foothold in the local network or breach it over the internet, in an unlikely scenario when the pumps are directly exposed.
B. Braun advised taking the following measures in an advisory published on May 14, 2021:
“All facilities utilizing SpaceCom, Battery Pack SP with WiFi, and DataModule compactplus should review their IT infrastructure to ensure that a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments which are not accessible directly from the internet or by unauthorized users. Wireless networks should be implemented using multi-factor authentication and industry standard encryption and should be equipped with Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS),” the company added.