B. Braun OnlineSuite
Status: Plan Patch
Score: 8.6
Advisory: ICS-CERT ICSMA-20-296-01
Published: Oct 22, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
B. Braun OnlineSuite AP versions 3.0 and earlier contain multiple vulnerabilities (CWE-23 path traversal, CWE-427 untrusted search path, CWE-1236 improper neutralization) that allow remote attackers to escalate privileges, download and upload arbitrary files, and execute remote code without authentication. B. Braun has released Field Service Information update AIS06/20 as a remediation, but no fixed version number is specified in the advisory. No public exploits are currently known.
What this means
What could happen
An attacker with network access to OnlineSuite could escalate privileges, upload malicious files, or execute arbitrary code on the system, potentially compromising patient data or disrupting medical device operations.
Who's at risk
Healthcare organizations using B. Braun OnlineSuite AP for medical device management and infusion pump control. This affects any hospital or clinic where OnlineSuite coordinates device communication or stores patient treatment parameters.
How it could be exploited
An attacker on the network sends a crafted request to the OnlineSuite AP server (the advisory does not specify the port; HTTP/HTTPS is likely). Because no authentication is required and the attack complexity is low, the attacker can bypass access controls, escalate privileges, and either upload executable files or run commands directly on the underlying system.
Prerequisites
- Network access to B. Braun OnlineSuite AP server (no authentication required)
- OnlineSuite AP version 3.0 or earlier deployed and reachable
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects safety systems
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (1)
Product                Affected Versions   Fix Status
AP: 3.0 and earlier    ≤ 3.0               No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to OnlineSuite systems using firewall rules; deny all inbound access from untrusted networks and the Internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Contact B. Braun to obtain and apply Field Service Information update AIS06/20 or later
Long-term hardening
HARDENING: Isolate OnlineSuite and all connected medical devices from the business network using a DMZ or separate VLAN
HARDENING: If remote access to OnlineSuite is required, implement a VPN with current security patches and strong authentication