Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-33883 (GCVE-0-2021-33883)
Vulnerability from cvelistv5 – Published: 2021-08-25 11:19 – Updated: 2024-08-04 00:05
VLAI?
EPSS
Summary
A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump's internal configuration.
Severity ?
5.9 (Medium)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:05:51.707Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.bbraunusa.com/en.htm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump\u0027s internal configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AC:H/AV:N/A:N/C:N/I:H/PR:N/S:U/UI:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-25T11:19:53.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.bbraunusa.com/en.htm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-33883",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump\u0027s internal configuration."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AC:H/AV:N/A:N/C:N/I:H/PR:N/S:U/UI:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.bbraunusa.com/en.htm",
"refsource": "MISC",
"url": "https://www.bbraunusa.com/en.htm"
},
{
"name": "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/",
"refsource": "MISC",
"url": "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-33883",
"datePublished": "2021-08-25T11:19:53.000Z",
"dateReserved": "2021-06-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T00:05:51.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-33883",
"date": "2026-04-28",
"epss": "0.00213",
"percentile": "0.43669"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-33883\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-08-25T12:15:16.160\",\"lastModified\":\"2024-11-21T06:09:42.920\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump\u0027s internal configuration.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de Transmisi\u00f3n en Texto sin Cifrar de Informaci\u00f3n Confidencial en B. Braun SpaceCom2 versiones anteriores a 012U000062, permite a un atacante remoto conseguir informaci\u00f3n confidencial al espiar el tr\u00e1fico de red. Los datos expuestos incluyen valores cr\u00edticos para la configuraci\u00f3n interna de una bomba.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-319\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:bbraun:spacecom2:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"012u000062\",\"matchCriteriaId\":\"C2D8F2AC-5506-405C-857A-EE060C209A89\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:bbraun:infusomat_large_volume_pump_871305u:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A6C9420B-B015-4079-8B60-EF9C9C058193\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:bbraun:spacestation_8713142u:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D6B64426-0B44-4B68-A80A-2BB6D04B3F88\"}]}]}],\"references\":[{\"url\":\"https://www.bbraunusa.com/en.htm\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.bbraunusa.com/en.htm\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
}
}
GSD-2021-33883
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump's internal configuration.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-33883",
"description": "A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump\u0027s internal configuration.",
"id": "GSD-2021-33883"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-33883"
],
"details": "A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump\u0027s internal configuration.",
"id": "GSD-2021-33883",
"modified": "2023-12-13T01:23:18.707772Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-33883",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump\u0027s internal configuration."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AC:H/AV:N/A:N/C:N/I:H/PR:N/S:U/UI:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.bbraunusa.com/en.htm",
"refsource": "MISC",
"url": "https://www.bbraunusa.com/en.htm"
},
{
"name": "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/",
"refsource": "MISC",
"url": "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:bbraun:spacecom2:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "012u000062",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:bbraun:infusomat_large_volume_pump_871305u:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:bbraun:spacestation_8713142u:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-33883"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump\u0027s internal configuration."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/"
},
{
"name": "https://www.bbraunusa.com/en.htm",
"refsource": "MISC",
"tags": [
"Broken Link"
],
"url": "https://www.bbraunusa.com/en.htm"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2021-09-01T16:03Z",
"publishedDate": "2021-08-25T12:15Z"
}
}
}
FKIE_CVE-2021-33883
Vulnerability from fkie_nvd - Published: 2021-08-25 12:15 - Updated: 2024-11-21 06:09
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump's internal configuration.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bbraun | spacecom2 | * | |
| bbraun | infusomat_large_volume_pump_871305u | - | |
| bbraun | spacestation_8713142u | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bbraun:spacecom2:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C2D8F2AC-5506-405C-857A-EE060C209A89",
"versionEndExcluding": "012u000062",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bbraun:infusomat_large_volume_pump_871305u:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A6C9420B-B015-4079-8B60-EF9C9C058193",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:bbraun:spacestation_8713142u:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D6B64426-0B44-4B68-A80A-2BB6D04B3F88",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump\u0027s internal configuration."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Transmisi\u00f3n en Texto sin Cifrar de Informaci\u00f3n Confidencial en B. Braun SpaceCom2 versiones anteriores a 012U000062, permite a un atacante remoto conseguir informaci\u00f3n confidencial al espiar el tr\u00e1fico de red. Los datos expuestos incluyen valores cr\u00edticos para la configuraci\u00f3n interna de una bomba."
}
],
"id": "CVE-2021-33883",
"lastModified": "2024-11-21T06:09:42.920",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-08-25T12:15:16.160",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://www.bbraunusa.com/en.htm"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://www.bbraunusa.com/en.htm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
ICSMA-21-294-01
Vulnerability from csaf_cisa - Published: 2021-10-21 00:00 - Updated: 2021-10-21 00:00Summary
B. Braun Infusomat Space Large Volume Pump
Notes
CISA Disclaimer: This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice: All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation: Successful exploitation of these vulnerabilities could allow a remote unauthenticated attacker to gain user-level command-line access, send the device malicious data to be used in place of correct data, reconfigure the device from an unknown source, obtain sensitive information, or overwrite critical files.
Critical infrastructure sectors: Healthcare and Public Health
Countries/areas deployed: Worldwide
Company headquarters location: Germany
Recommended Practices: CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet; Locate control system networks and remote devices behind firewalls and isolate them from the business network; When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
Recommended Practices: CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices: Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
Exploitability: No known public exploits specifically target these vulnerabilities.
6.8 (Medium)
Vendor Fix
B. Braun has released software updates to mitigate the reported vulnerabilities. Within the United States and Canada: Battery pack SP with Wi-Fi, software 028U00093 (SN 138852 and lower); Battery pack SP with Wi-Fi, software 054U00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software Version 012U000093. For details on acquiring this software, see the B. Braun Advisory. Note: Facilities in Canada using “U” versions of software should follow the U.S. vulnerability disclosure. Facilities in Canada using non “U” versions (e.g. L) should follow the vulnerability disclosure for outside the U.S.
https://www.bbraun.com/en/products-and-solutions/…
Vendor Fix
Users in the United States and Canada who need additional support can contact B. Braun Technical Support by calling 800-627-PUMP or by emailing AISTechSupport@bbraunusa.com.
Vendor Fix
B. Braun has released software updates to mitigate the reported vulnerabilities. Outside the United States and Canada: Battery Pack SP with Wi-Fi, software 027L000093 (below SN 138853); Battery pack SP with Wi-Fi, software 053L00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software version 011L000093. For more information, see the B. Braun's Vulnerability Advisory.
https://www.bbraun.com/en/products-and-solutions/…
Vendor Fix
All facilities utilizing SpaceCom 2, and Battery Pack SP with Wi-Fi should review their IT infrastructure to ensure a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments that are not accessible directly from the Internet or by unauthorized users.
Vendor Fix
Wireless networks should be implemented using industry standard encryption and should be equipped with intrusion detection systems (IDS) and/or intrusion prevention systems (IPS).
9.0 (Critical)
Vendor Fix
B. Braun has released software updates to mitigate the reported vulnerabilities. Within the United States and Canada: Battery pack SP with Wi-Fi, software 028U00093 (SN 138852 and lower); Battery pack SP with Wi-Fi, software 054U00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software Version 012U000093. For details on acquiring this software, see the B. Braun Advisory. Note: Facilities in Canada using “U” versions of software should follow the U.S. vulnerability disclosure. Facilities in Canada using non “U” versions (e.g. L) should follow the vulnerability disclosure for outside the U.S.
https://www.bbraun.com/en/products-and-solutions/…
Vendor Fix
Users in the United States and Canada who need additional support can contact B. Braun Technical Support by calling 800-627-PUMP or by emailing AISTechSupport@bbraunusa.com.
Vendor Fix
B. Braun has released software updates to mitigate the reported vulnerabilities. Outside the United States and Canada: Battery Pack SP with Wi-Fi, software 027L000093 (below SN 138853); Battery pack SP with Wi-Fi, software 053L00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software version 011L000093. For more information, see the B. Braun's Vulnerability Advisory.
https://www.bbraun.com/en/products-and-solutions/…
Vendor Fix
All facilities utilizing SpaceCom 2, and Battery Pack SP with Wi-Fi should review their IT infrastructure to ensure a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments that are not accessible directly from the Internet or by unauthorized users.
Vendor Fix
Wireless networks should be implemented using industry standard encryption and should be equipped with intrusion detection systems (IDS) and/or intrusion prevention systems (IPS).
6.8 (Medium)
Vendor Fix
B. Braun has released software updates to mitigate the reported vulnerabilities. Within the United States and Canada: Battery pack SP with Wi-Fi, software 028U00093 (SN 138852 and lower); Battery pack SP with Wi-Fi, software 054U00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software Version 012U000093. For details on acquiring this software, see the B. Braun Advisory. Note: Facilities in Canada using “U” versions of software should follow the U.S. vulnerability disclosure. Facilities in Canada using non “U” versions (e.g. L) should follow the vulnerability disclosure for outside the U.S.
https://www.bbraun.com/en/products-and-solutions/…
Vendor Fix
Users in the United States and Canada who need additional support can contact B. Braun Technical Support by calling 800-627-PUMP or by emailing AISTechSupport@bbraunusa.com.
Vendor Fix
B. Braun has released software updates to mitigate the reported vulnerabilities. Outside the United States and Canada: Battery Pack SP with Wi-Fi, software 027L000093 (below SN 138853); Battery pack SP with Wi-Fi, software 053L00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software version 011L000093. For more information, see the B. Braun's Vulnerability Advisory.
https://www.bbraun.com/en/products-and-solutions/…
Vendor Fix
All facilities utilizing SpaceCom 2, and Battery Pack SP with Wi-Fi should review their IT infrastructure to ensure a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments that are not accessible directly from the Internet or by unauthorized users.
Vendor Fix
Wireless networks should be implemented using industry standard encryption and should be equipped with intrusion detection systems (IDS) and/or intrusion prevention systems (IPS).
5.9 (Medium)
Vendor Fix
B. Braun has released software updates to mitigate the reported vulnerabilities. Within the United States and Canada: Battery pack SP with Wi-Fi, software 028U00093 (SN 138852 and lower); Battery pack SP with Wi-Fi, software 054U00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software Version 012U000093. For details on acquiring this software, see the B. Braun Advisory. Note: Facilities in Canada using “U” versions of software should follow the U.S. vulnerability disclosure. Facilities in Canada using non “U” versions (e.g. L) should follow the vulnerability disclosure for outside the U.S.
https://www.bbraun.com/en/products-and-solutions/…
Vendor Fix
Users in the United States and Canada who need additional support can contact B. Braun Technical Support by calling 800-627-PUMP or by emailing AISTechSupport@bbraunusa.com.
Vendor Fix
B. Braun has released software updates to mitigate the reported vulnerabilities. Outside the United States and Canada: Battery Pack SP with Wi-Fi, software 027L000093 (below SN 138853); Battery pack SP with Wi-Fi, software 053L00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software version 011L000093. For more information, see the B. Braun's Vulnerability Advisory.
https://www.bbraun.com/en/products-and-solutions/…
Vendor Fix
All facilities utilizing SpaceCom 2, and Battery Pack SP with Wi-Fi should review their IT infrastructure to ensure a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments that are not accessible directly from the Internet or by unauthorized users.
Vendor Fix
Wireless networks should be implemented using industry standard encryption and should be equipped with intrusion detection systems (IDS) and/or intrusion prevention systems (IPS).
6.5 (Medium)
Vendor Fix
B. Braun has released software updates to mitigate the reported vulnerabilities. Within the United States and Canada: Battery pack SP with Wi-Fi, software 028U00093 (SN 138852 and lower); Battery pack SP with Wi-Fi, software 054U00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software Version 012U000093. For details on acquiring this software, see the B. Braun Advisory. Note: Facilities in Canada using “U” versions of software should follow the U.S. vulnerability disclosure. Facilities in Canada using non “U” versions (e.g. L) should follow the vulnerability disclosure for outside the U.S.
https://www.bbraun.com/en/products-and-solutions/…
Vendor Fix
Users in the United States and Canada who need additional support can contact B. Braun Technical Support by calling 800-627-PUMP or by emailing AISTechSupport@bbraunusa.com.
Vendor Fix
B. Braun has released software updates to mitigate the reported vulnerabilities. Outside the United States and Canada: Battery Pack SP with Wi-Fi, software 027L000093 (below SN 138853); Battery pack SP with Wi-Fi, software 053L00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software version 011L000093. For more information, see the B. Braun's Vulnerability Advisory.
https://www.bbraun.com/en/products-and-solutions/…
Vendor Fix
All facilities utilizing SpaceCom 2, and Battery Pack SP with Wi-Fi should review their IT infrastructure to ensure a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments that are not accessible directly from the Internet or by unauthorized users.
Vendor Fix
Wireless networks should be implemented using industry standard encryption and should be equipped with intrusion detection systems (IDS) and/or intrusion prevention systems (IPS).
References
Acknowledgments
McAfee
Douglas McKee
Philippe Laulheret
{
"document": {
"acknowledgments": [
{
"names": [
"Douglas McKee",
"Philippe Laulheret"
],
"organization": "McAfee",
"summary": "reporting these vulnerabilities to B. Braun"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of these vulnerabilities could allow a remote unauthenticated attacker to gain user-level command-line access, send the device malicious data to be used in place of correct data, reconfigure the device from an unknown source, obtain sensitive information, or overwrite critical files.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Healthcare and Public Health",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Germany",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet; Locate control system networks and remote devices behind firewalls and isolate them from the business network; When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "No known public exploits specifically target these vulnerabilities.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSMA-21-294-01 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsma-21-294-01.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSMA-21-294-01 Web Version",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-21-294-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "B. Braun Infusomat Space Large Volume Pump",
"tracking": {
"current_release_date": "2021-10-21T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSMA-21-294-01",
"initial_release_date": "2021-10-21T00:00:00.000000Z",
"revision_history": [
{
"date": "2021-10-21T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSMA-21-294-01 B. Braun Infusomat Space Large Volume Pump"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c= L81",
"product": {
"name": "Battery Pack SP with Wi-Fi: All software Versions L81 and earlier that have been installed in a Perfusor Space Infusomat Space or Infusomat Space P pump",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "Battery Pack SP with Wi-Fi"
},
{
"branches": [
{
"category": "product_version_range",
"name": "A10 \u003c A11",
"product": {
"name": "Data module compactPlus: All software Versions A10 and A11 that have been installed in a Perfusor compactPlus Infusomat compactPlus or Infusomat P compactPlus pump",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "Data module compactPlus"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c= L81",
"product": {
"name": "SpaceStation with SpaceCom 2: All software Versions L81 and earlier",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "SpaceStation with SpaceCom 2"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c= 012U000061",
"product": {
"name": "SpaceStation with SpaceCom 2: All software Versions 012U000061 and earlier",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "SpaceStation with SpaceCom 2"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c= 028U000061",
"product": {
"name": "Battery pack SP with WiFi: All software Versions 028U000061 and earlier which have been installed in an Infusomat Space Infusion Pump or a Perfusor Space Infusion pump",
"product_id": "CSAFPID-0005"
}
}
],
"category": "product_name",
"name": "Battery pack SP with WiFi"
}
],
"category": "vendor",
"name": "B. Braun Medical"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-33886",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "An improper sanitization of input vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to gain user-level command-line access by passing a raw external string straight through to printf statements. The attacker is required to be on the same network as the device. CVE-2021-33886 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33886"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "B. Braun has released software updates to mitigate the reported vulnerabilities. Within the United States and Canada: Battery pack SP with Wi-Fi, software 028U00093 (SN 138852 and lower); Battery pack SP with Wi-Fi, software 054U00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software Version 012U000093. For details on acquiring this software, see the B. Braun Advisory. Note: Facilities in Canada using \u201cU\u201d versions of software should follow the U.S. vulnerability disclosure. Facilities in Canada using non \u201cU\u201d versions (e.g. L) should follow the vulnerability disclosure for outside the U.S.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
],
"url": "https://www.bbraun.com/en/products-and-solutions/temp/b--braun-coordinated-vulnerability-disclosure/security-advisory.html"
},
{
"category": "vendor_fix",
"details": "Users in the United States and Canada who need additional support can contact B. Braun Technical Support by calling 800-627-PUMP or by emailing AISTechSupport@bbraunusa.com.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
{
"category": "vendor_fix",
"details": "B. Braun has released software updates to mitigate the reported vulnerabilities. Outside the United States and Canada: Battery Pack SP with Wi-Fi, software 027L000093 (below SN 138853); Battery pack SP with Wi-Fi, software 053L00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software version 011L000093. For more information, see the B. Braun\u0027s Vulnerability Advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
],
"url": "https://www.bbraun.com/en/products-and-solutions/temp/b--braun-coordinated-vulnerability-disclosure/security-advisory.html"
},
{
"category": "vendor_fix",
"details": "All facilities utilizing SpaceCom 2, and Battery Pack SP with Wi-Fi should review their IT infrastructure to ensure a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments that are not accessible directly from the Internet or by unauthorized users.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
{
"category": "vendor_fix",
"details": "Wireless networks should be implemented using industry standard encryption and should be equipped with intrusion detection systems (IDS) and/or intrusion prevention systems (IPS).",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
}
]
},
{
"cve": "CVE-2021-33885",
"cwe": {
"id": "CWE-345",
"name": "Insufficient Verification of Data Authenticity"
},
"notes": [
{
"category": "summary",
"text": "An insufficient verification of data authenticity vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to send the device malicious data to be used in place of the correct data. This results in full system command access and execution because of the lack of cryptographic signatures on critical data sets. CVE-2021-33885 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33885"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "B. Braun has released software updates to mitigate the reported vulnerabilities. Within the United States and Canada: Battery pack SP with Wi-Fi, software 028U00093 (SN 138852 and lower); Battery pack SP with Wi-Fi, software 054U00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software Version 012U000093. For details on acquiring this software, see the B. Braun Advisory. Note: Facilities in Canada using \u201cU\u201d versions of software should follow the U.S. vulnerability disclosure. Facilities in Canada using non \u201cU\u201d versions (e.g. L) should follow the vulnerability disclosure for outside the U.S.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
],
"url": "https://www.bbraun.com/en/products-and-solutions/temp/b--braun-coordinated-vulnerability-disclosure/security-advisory.html"
},
{
"category": "vendor_fix",
"details": "Users in the United States and Canada who need additional support can contact B. Braun Technical Support by calling 800-627-PUMP or by emailing AISTechSupport@bbraunusa.com.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
{
"category": "vendor_fix",
"details": "B. Braun has released software updates to mitigate the reported vulnerabilities. Outside the United States and Canada: Battery Pack SP with Wi-Fi, software 027L000093 (below SN 138853); Battery pack SP with Wi-Fi, software 053L00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software version 011L000093. For more information, see the B. Braun\u0027s Vulnerability Advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
],
"url": "https://www.bbraun.com/en/products-and-solutions/temp/b--braun-coordinated-vulnerability-disclosure/security-advisory.html"
},
{
"category": "vendor_fix",
"details": "All facilities utilizing SpaceCom 2, and Battery Pack SP with Wi-Fi should review their IT infrastructure to ensure a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments that are not accessible directly from the Internet or by unauthorized users.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
{
"category": "vendor_fix",
"details": "Wireless networks should be implemented using industry standard encryption and should be equipped with intrusion detection systems (IDS) and/or intrusion prevention systems (IPS).",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
}
]
},
{
"cve": "CVE-2021-33882",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"notes": [
{
"category": "summary",
"text": "A missing authentication for critical function vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to reconfigure the device from an unknown source because of the lack of authentication on proprietary networking commands. CVE-2021-33882 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33882"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "B. Braun has released software updates to mitigate the reported vulnerabilities. Within the United States and Canada: Battery pack SP with Wi-Fi, software 028U00093 (SN 138852 and lower); Battery pack SP with Wi-Fi, software 054U00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software Version 012U000093. For details on acquiring this software, see the B. Braun Advisory. Note: Facilities in Canada using \u201cU\u201d versions of software should follow the U.S. vulnerability disclosure. Facilities in Canada using non \u201cU\u201d versions (e.g. L) should follow the vulnerability disclosure for outside the U.S.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
],
"url": "https://www.bbraun.com/en/products-and-solutions/temp/b--braun-coordinated-vulnerability-disclosure/security-advisory.html"
},
{
"category": "vendor_fix",
"details": "Users in the United States and Canada who need additional support can contact B. Braun Technical Support by calling 800-627-PUMP or by emailing AISTechSupport@bbraunusa.com.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
{
"category": "vendor_fix",
"details": "B. Braun has released software updates to mitigate the reported vulnerabilities. Outside the United States and Canada: Battery Pack SP with Wi-Fi, software 027L000093 (below SN 138853); Battery pack SP with Wi-Fi, software 053L00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software version 011L000093. For more information, see the B. Braun\u0027s Vulnerability Advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
],
"url": "https://www.bbraun.com/en/products-and-solutions/temp/b--braun-coordinated-vulnerability-disclosure/security-advisory.html"
},
{
"category": "vendor_fix",
"details": "All facilities utilizing SpaceCom 2, and Battery Pack SP with Wi-Fi should review their IT infrastructure to ensure a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments that are not accessible directly from the Internet or by unauthorized users.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
{
"category": "vendor_fix",
"details": "Wireless networks should be implemented using industry standard encryption and should be equipped with intrusion detection systems (IDS) and/or intrusion prevention systems (IPS).",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
}
]
},
{
"cve": "CVE-2021-33883",
"cwe": {
"id": "CWE-319",
"name": "Cleartext Transmission of Sensitive Information"
},
"notes": [
{
"category": "summary",
"text": "A cleartext transmission of sensitive information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by obtaining access to network traffic. The exposed data includes critical values for a pump\u0027s internal configuration. CVE-2021-33883 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33883"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "B. Braun has released software updates to mitigate the reported vulnerabilities. Within the United States and Canada: Battery pack SP with Wi-Fi, software 028U00093 (SN 138852 and lower); Battery pack SP with Wi-Fi, software 054U00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software Version 012U000093. For details on acquiring this software, see the B. Braun Advisory. Note: Facilities in Canada using \u201cU\u201d versions of software should follow the U.S. vulnerability disclosure. Facilities in Canada using non \u201cU\u201d versions (e.g. L) should follow the vulnerability disclosure for outside the U.S.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
],
"url": "https://www.bbraun.com/en/products-and-solutions/temp/b--braun-coordinated-vulnerability-disclosure/security-advisory.html"
},
{
"category": "vendor_fix",
"details": "Users in the United States and Canada who need additional support can contact B. Braun Technical Support by calling 800-627-PUMP or by emailing AISTechSupport@bbraunusa.com.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
{
"category": "vendor_fix",
"details": "B. Braun has released software updates to mitigate the reported vulnerabilities. Outside the United States and Canada: Battery Pack SP with Wi-Fi, software 027L000093 (below SN 138853); Battery pack SP with Wi-Fi, software 053L00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software version 011L000093. For more information, see the B. Braun\u0027s Vulnerability Advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
],
"url": "https://www.bbraun.com/en/products-and-solutions/temp/b--braun-coordinated-vulnerability-disclosure/security-advisory.html"
},
{
"category": "vendor_fix",
"details": "All facilities utilizing SpaceCom 2, and Battery Pack SP with Wi-Fi should review their IT infrastructure to ensure a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments that are not accessible directly from the Internet or by unauthorized users.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
{
"category": "vendor_fix",
"details": "Wireless networks should be implemented using industry standard encryption and should be equipped with intrusion detection systems (IDS) and/or intrusion prevention systems (IPS).",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
}
]
},
{
"cve": "CVE-2021-33884",
"cwe": {
"id": "CWE-434",
"name": "Unrestricted Upload of File with Dangerous Type"
},
"notes": [
{
"category": "summary",
"text": "An unrestricted upload of file with dangerous type vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows remote attackers to upload any files to the /tmp directory of the device through the webpage API, which can result in critical files being overwritten. CVE-2021-33884 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33884"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "B. Braun has released software updates to mitigate the reported vulnerabilities. Within the United States and Canada: Battery pack SP with Wi-Fi, software 028U00093 (SN 138852 and lower); Battery pack SP with Wi-Fi, software 054U00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software Version 012U000093. For details on acquiring this software, see the B. Braun Advisory. Note: Facilities in Canada using \u201cU\u201d versions of software should follow the U.S. vulnerability disclosure. Facilities in Canada using non \u201cU\u201d versions (e.g. L) should follow the vulnerability disclosure for outside the U.S.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
],
"url": "https://www.bbraun.com/en/products-and-solutions/temp/b--braun-coordinated-vulnerability-disclosure/security-advisory.html"
},
{
"category": "vendor_fix",
"details": "Users in the United States and Canada who need additional support can contact B. Braun Technical Support by calling 800-627-PUMP or by emailing AISTechSupport@bbraunusa.com.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
{
"category": "vendor_fix",
"details": "B. Braun has released software updates to mitigate the reported vulnerabilities. Outside the United States and Canada: Battery Pack SP with Wi-Fi, software 027L000093 (below SN 138853); Battery pack SP with Wi-Fi, software 053L00093 (SN 138853 and higher); SpaceStation with SpaceCom 2, software version 011L000093. For more information, see the B. Braun\u0027s Vulnerability Advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
],
"url": "https://www.bbraun.com/en/products-and-solutions/temp/b--braun-coordinated-vulnerability-disclosure/security-advisory.html"
},
{
"category": "vendor_fix",
"details": "All facilities utilizing SpaceCom 2, and Battery Pack SP with Wi-Fi should review their IT infrastructure to ensure a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments that are not accessible directly from the Internet or by unauthorized users.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
},
{
"category": "vendor_fix",
"details": "Wireless networks should be implemented using industry standard encryption and should be equipped with intrusion detection systems (IDS) and/or intrusion prevention systems (IPS).",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005"
]
}
]
}
]
}
VAR-202108-1770
Vulnerability from variot - Updated: 2024-08-14 13:53A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump's internal configuration. B. Braun SpaceCom2 is a hardware device from B. Braun, Germany, which is used to connect external devices to record data in a patient data management system, PC or USB memory stick. Braun SpaceCom2 versions prior to 012U000062 have a security vulnerability
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202108-1770",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "spacecom2",
"scope": "lt",
"trust": 1.0,
"vendor": "bbraun",
"version": "012u000062"
},
{
"model": "spacecom2",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30d3\u30fc \u30d6\u30e9\u30a6\u30f3\u30a8\u30fc\u30b9\u30af\u30e9\u30c3\u30d7\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "spacecom2",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30d3\u30fc \u30d6\u30e9\u30a6\u30f3\u30a8\u30fc\u30b9\u30af\u30e9\u30c3\u30d7\u682a\u5f0f\u4f1a\u793e",
"version": "012u000062"
},
{
"model": "braun spacecom2 \u003c012u000062",
"scope": null,
"trust": 0.6,
"vendor": "b",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-22469"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-003361"
},
{
"db": "NVD",
"id": "CVE-2021-33883"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Douglas McKee and Philippe Laulheret of McAfee reported these vulnerabilities to B. Braun.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202108-2339"
}
],
"trust": 0.6
},
"cve": "CVE-2021-33883",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2021-33883",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2022-22469",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2021-33883",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "cve@mitre.org",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 2.2,
"id": "CVE-2021-33883",
"impactScore": 3.6,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-33883",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-33883",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "cve@mitre.org",
"id": "CVE-2021-33883",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2021-33883",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2022-22469",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202108-2339",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2021-33883",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-22469"
},
{
"db": "VULMON",
"id": "CVE-2021-33883"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-003361"
},
{
"db": "CNNVD",
"id": "CNNVD-202108-2339"
},
{
"db": "NVD",
"id": "CVE-2021-33883"
},
{
"db": "NVD",
"id": "CVE-2021-33883"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump\u0027s internal configuration. B. Braun SpaceCom2 is a hardware device from B. Braun, Germany, which is used to connect external devices to record data in a patient data management system, PC or USB memory stick. Braun SpaceCom2 versions prior to 012U000062 have a security vulnerability",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-33883"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-003361"
},
{
"db": "CNVD",
"id": "CNVD-2022-22469"
},
{
"db": "VULMON",
"id": "CVE-2021-33883"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-33883",
"trust": 3.1
},
{
"db": "ICS CERT",
"id": "ICSMA-21-294-01",
"trust": 1.4
},
{
"db": "JVN",
"id": "JVNVU93193058",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2021-003361",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-22469",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3526",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5281",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021102506",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202108-2339",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2021-33883",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-22469"
},
{
"db": "VULMON",
"id": "CVE-2021-33883"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-003361"
},
{
"db": "CNNVD",
"id": "CNNVD-202108-2339"
},
{
"db": "NVD",
"id": "CVE-2021-33883"
}
]
},
"id": "VAR-202108-1770",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-22469"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-22469"
}
]
},
"last_update_date": "2024-08-14T13:53:56.164000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top\u00a0Page",
"trust": 0.8,
"url": "https://www.bbraun.com/en.html"
},
{
"title": "Patch for B. Braun SpaceCom2 has an unknown vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/327416"
},
{
"title": "B. Braun SpaceCom2 Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=161278"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-22469"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-003361"
},
{
"db": "CNNVD",
"id": "CNNVD-202108-2339"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-319",
"trust": 1.0
},
{
"problemtype": "Sending important information in clear text (CWE-319) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-003361"
},
{
"db": "NVD",
"id": "CVE-2021-33883"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/"
},
{
"trust": 1.7,
"url": "https://www.bbraunusa.com/en.htm"
},
{
"trust": 1.4,
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-294-01"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu93193058//"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33883"
},
{
"trust": 0.6,
"url": "https://www.bbraunusa.com/en.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5281"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021102506"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3526"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/319.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-22469"
},
{
"db": "VULMON",
"id": "CVE-2021-33883"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-003361"
},
{
"db": "CNNVD",
"id": "CNNVD-202108-2339"
},
{
"db": "NVD",
"id": "CVE-2021-33883"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-22469"
},
{
"db": "VULMON",
"id": "CVE-2021-33883"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-003361"
},
{
"db": "CNNVD",
"id": "CNNVD-202108-2339"
},
{
"db": "NVD",
"id": "CVE-2021-33883"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-03-24T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-22469"
},
{
"date": "2021-08-25T00:00:00",
"db": "VULMON",
"id": "CVE-2021-33883"
},
{
"date": "2021-10-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-003361"
},
{
"date": "2021-08-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202108-2339"
},
{
"date": "2021-08-25T12:15:16.160000",
"db": "NVD",
"id": "CVE-2021-33883"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-03-24T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-22469"
},
{
"date": "2021-09-01T00:00:00",
"db": "VULMON",
"id": "CVE-2021-33883"
},
{
"date": "2021-10-25T05:28:00",
"db": "JVNDB",
"id": "JVNDB-2021-003361"
},
{
"date": "2022-10-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202108-2339"
},
{
"date": "2021-09-01T16:03:38.857000",
"db": "NVD",
"id": "CVE-2021-33883"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202108-2339"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "B.\u00a0Braun\u00a0SpaceCom2\u00a0 Vulnerability in plaintext transmission of important information in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-003361"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202108-2339"
}
],
"trust": 0.6
}
}
CNVD-2022-22469
Vulnerability from cnvd - Published: 2022-03-24
VLAI Severity ?
Title
B. Braun SpaceCom2存在未明漏洞
Description
B. Braun SpaceCom2是德国贝朗(B. Braun)公司的一款硬件设备,用于连接外部设备以在患者数据管理系统、PC或USB记忆棒中记录数据。
B. Braun SpaceCom2 012U000062之前版本存在安全漏洞,该漏洞源于应用中公开的数据包括泵内部配置的临界值,远程攻击者可利用该漏洞通过窥探网络流量来获取敏感信息。
Severity
中
Patch Name
B. Braun SpaceCom2存在未明漏洞的补丁
Patch Description
B. Braun SpaceCom2是德国贝朗(B. Braun)公司的一款硬件设备,用于连接外部设备以在患者数据管理系统、PC或USB记忆棒中记录数据。
B. Braun SpaceCom2 012U000062之前版本存在安全漏洞,该漏洞源于应用中公开的数据包括泵内部配置的临界值,远程攻击者可利用该漏洞通过窥探网络流量来获取敏感信息。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新: https://www.bbraunusa.com/en.html
Reference
https://www.bbraunusa.com/en.html
Impacted products
| Name | B. Braun SpaceCom2 <012U000062 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2021-33883",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-33883"
}
},
"description": "B. Braun SpaceCom2\u662f\u5fb7\u56fd\u8d1d\u6717\uff08B. Braun\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u786c\u4ef6\u8bbe\u5907\uff0c\u7528\u4e8e\u8fde\u63a5\u5916\u90e8\u8bbe\u5907\u4ee5\u5728\u60a3\u8005\u6570\u636e\u7ba1\u7406\u7cfb\u7edf\u3001PC\u6216USB\u8bb0\u5fc6\u68d2\u4e2d\u8bb0\u5f55\u6570\u636e\u3002\n\nB. Braun SpaceCom2 012U000062\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u4e2d\u516c\u5f00\u7684\u6570\u636e\u5305\u62ec\u6cf5\u5185\u90e8\u914d\u7f6e\u7684\u4e34\u754c\u503c\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7aa5\u63a2\u7f51\u7edc\u6d41\u91cf\u6765\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.bbraunusa.com/en.html",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2022-22469",
"openTime": "2022-03-24",
"patchDescription": "B. Braun SpaceCom2\u662f\u5fb7\u56fd\u8d1d\u6717\uff08B. Braun\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u786c\u4ef6\u8bbe\u5907\uff0c\u7528\u4e8e\u8fde\u63a5\u5916\u90e8\u8bbe\u5907\u4ee5\u5728\u60a3\u8005\u6570\u636e\u7ba1\u7406\u7cfb\u7edf\u3001PC\u6216USB\u8bb0\u5fc6\u68d2\u4e2d\u8bb0\u5f55\u6570\u636e\u3002\r\n\r\nB. Braun SpaceCom2 012U000062\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u4e2d\u516c\u5f00\u7684\u6570\u636e\u5305\u62ec\u6cf5\u5185\u90e8\u914d\u7f6e\u7684\u4e34\u754c\u503c\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7aa5\u63a2\u7f51\u7edc\u6d41\u91cf\u6765\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "B. Braun SpaceCom2\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "B. Braun SpaceCom2 \u003c012U000062"
},
"referenceLink": "https://www.bbraunusa.com/en.html",
"serverity": "\u4e2d",
"submitTime": "2021-08-27",
"title": "B. Braun SpaceCom2\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}
GHSA-5PRV-Q7HH-R3FG
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12
VLAI?
Details
A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump's internal configuration.
{
"affected": [],
"aliases": [
"CVE-2021-33883"
],
"database_specific": {
"cwe_ids": [
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-25T12:15:00Z",
"severity": "HIGH"
},
"details": "A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump\u0027s internal configuration.",
"id": "GHSA-5prv-q7hh-r3fg",
"modified": "2022-05-24T19:12:13Z",
"published": "2022-05-24T19:12:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33883"
},
{
"type": "WEB",
"url": "https://www.bbraunusa.com/en.htm"
},
{
"type": "WEB",
"url": "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump"
}
],
"schema_version": "1.4.0",
"severity": []
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…