CVE-2020-25168 : Security Advisory and Response

This CVE involves hard-coded credentials in B. Braun Melsungen AG's SpaceCom, Battery Pack with Wi-Fi, and Data module compactplus, potentially enabling unauthorized access to the device's Wi-Fi module.

Understanding CVE-2020-25168

This vulnerability was reported by Julian Suleder, Nils Emmerich, Birk Kauer, and Dr. Oliver Matula to the Federal Office for Information Security (BSI), Germany.

What is CVE-2020-25168?

CVE-2020-25168 refers to hard-coded credentials present in specific versions of B. Braun Melsungen AG's medical devices. An attacker who already has command line access can use these credentials to gain access to the device's Wi-Fi module.

The Impact of CVE-2020-25168

The vulnerability has a CVSS base score of 3.3, indicating a low-severity issue with low confidentiality impact and no integrity impact.

Technical Details of CVE-2020-25168

This section provides more in-depth technical information about the vulnerability.

Vulnerability Description

The presence of hard-coded credentials in affected versions of B. Braun Melsungen AG's devices facilitates unauthorized access to the Wi-Fi module.

Affected Systems and Versions

        SpaceCom: Versions L81/U61 and earlier
        Battery Pack with Wi-Fi: Versions L81/U61 and earlier
        Data module compactplus: Versions A10 and A11

Exploitation Mechanism

Attackers with command line access can exploit the hard-coded credentials to gain unauthorized access to the device's Wi-Fi module.

Mitigation and Prevention

It is crucial to take immediate steps to address and prevent the exploitation of this vulnerability.

Immediate Steps to Take

        Apply the recommended updates provided by B. Braun Melsungen AG for each affected product.
        Protect the network by ensuring devices are not directly accessible from the Internet and using firewalls to isolate medical devices.

Long-Term Security Practices

        Regularly update and patch all medical devices so that known security vulnerabilities are remediated.

Patching and Updates

B. Braun recommends updating the affected products to the following versions:

        SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)
        Battery Pack with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)
        Data module compactplus: Version A12 or later

For further assistance, contact your local B. Braun organization.
