B. Braun OnlineSuite Vulnerabilities
Summary
B. Braun has released updates to address three vulnerabilities in their OnlineSuite infusion platform. An attacker could exploit these to gain elevated privileges or execute code.
Affected platforms
The following platforms are known to be affected:
B. Braun OnlineSuite Versions: AP 3.0 and earlier
Threat details
Introduction
B. Braun has released details of three vulnerabilities affecting their OnlineSuite infusion management platform. They claim an unauthenticated local attacker could exploit some or all of these vulnerabilities to escalate their privileges, alter files, or execute arbitrary code.
Vulnerability details
The vulnerabilities appear to be the result of flaws in several components of the OnlineSuite platform:
- CVE-2020-25172 - CVSSv3: 8.6 - OnlineSuite is vulnerable to relative path traversal (CWE-23) as a result of improperly validating user input. A user could exploit this to upload or alter files.
- CVE-2020-25174 - CVSSv3: 8.4 - OnlineSuite is vulnerable to DLL search order hijacking (CWE-427). A user could exploit this to escalate their privileges.
- CVE-2020-25170 - CVSSv3: 6.9 - OnlineSuite is vulnerable to Excel macro injection (CWE-1236) as a result of its export function mishandling multiple input fields.
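The export weakness behind CVE-2020-25170 (CWE-1236, formula elements in exported spreadsheet data) is mitigated by neutralising any cell that a spreadsheet would parse as a formula before it is written out. The following Python is an added example and is not B. Braun's or OnlineSuite's code; the field names and rows are constructed for illustration.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export: a device list with a free-text note field.
FIELDS = ["device", "note"]
SAMPLE_ROWS = [
    {"device": "pump-01", "note": "=1+1"},              # formula-leading text
    {"device": "pump-02", "note": "Battery replaced"},  # ordinary text
    {"device": "pump-03", "note": "-10 ml/h"},          # text that only looks numeric
    {"device": "pump-04", "note": -10},                 # a real number stays as-is
]


def neutralize_cell(value):
    """Return a value that spreadsheet software will treat as plain text.

    Genuine numbers pass through unchanged. For strings, leading spaces are
    ignored when checking (Excel trims them), and a flagged cell is prefixed
    with a single quote, which Excel reads as "treat this cell as text".
    """
    if isinstance(value, (int, float)):
        return str(value)
    text = "" if value is None else str(value)
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows, fieldnames):
    """Write rows as CSV with every field neutralised; returns the CSV text.

    QUOTE_ALL keeps embedded separators inside one cell so a value cannot
    spill into neighbouring columns; the quote prefix handles the formula case,
    since Excel still evaluates a quoted "=..." cell.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS, FIELDS))
```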
Remediation advice
B. Braun has confirmed that all three vulnerabilities are addressed in OnlineSuite update AIS06/20. Affected organisations are encouraged to contact their relevant suppliers to obtain and apply this update immediately.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 29 October 2020 4:04 pm