Preliminary 1.1 version

Security Bulletin November 2013 - Critical

Security problem in Bruker TopSpin software installation may allow unrestricted access to computer’s file system

Published: November 1, 2013
Version: 1.1

Executive Summary

This security update resolves a vulnerability in the “Diskless” component of the Bruker software “TopSpin”. In the most severe case the vulnerability could allow unrestricted remote access to the computer’s file system over a network connection. An attacker who successfully uses the vulnerability could read and write arbitrary files with system permission level.

This security update is rated Critical for all installations of TopSpin version 2.1pl6 and above, up to and including TopSpin 3.2pl4 under the Microsoft Windows operating systems. For more information, see the sections Affected and Non-Affected Software.

Recommendation. If your TopSpin installation is affected please install the security patch provided by Bruker. If your installation is used for processing purposes only, please uninstall the “Bruker Diskless” package. For more information, see the section How to Solve the Issue below.

Affected Software

The problem only exists on Windows operating systems.

The problem exists in TopSpin versions 2.1pl6 and above, up to and including TopSpin 3.2pl4 if the component “Bruker Diskless” has been installed (typical spectrometer workstation).

Non-Affected Software

TopSpin installations on Linux and Mac OS operating systems are not affected.

TopSpin 3.2pl5 is not affected.

The problem does not exist if the component “Bruker Diskless” has not been installed on the system.

Bruker software other than TopSpin is not affected.

How to Solve the Issue

In order to solve the issue you can implement one of the following measures:

1. TopSpin installations used for acquisition and processing (spectrometer workstation): Install the security patch provided by Bruker.
You can download this patch from the following web page:
https://www.bruker.com/service/support-upgrades/software-downloads/nmr/securitybulletinnov2013.html

If you cannot access this location, you can also download the patch from
http://bruker.telemaxx.net/patch/patch-bkb12135-windows.exe

Alternatively, you can get this patch by opening the related entry #12135 in the Bruker Knowledge Base:
http://www.bruker.com/cgi-bin/bkb/show_bug.cgi?id=12135
and downloading the attached patch file. Please note that you will need a customer login in order to access the Bruker Knowledge Base web pages.

If you cannot access the Bruker web pages you can get the fix directly from Bruker NMR support, by email to [email protected].

Windows 7, Windows Vista Systems

Double-click the patch file in order to execute it. Windows will display the User Account Control dialog box and ask you to agree to let the program make changes to your computer. You will either need to provide the credentials of an Administrator account, or at least need to confirm the execution by selecting “Yes”.

The patch installer will now run. Please review any messages displayed on screen: the patch installer will either report “success” if the patch has been applied successfully, or “nothing changed” if your system is not affected. In case of “failure” please get in contact with Bruker NMR support for further assistance.

Windows XP

While holding down the “Shift” key, perform a right-mouse-button click on the patch file, and select “Run as Administrator”. Alternatively, log off from your system, then log in with an Administrator account, and execute the patch file.

The patch installer will now run. Please review any messages displayed on screen.

2. TopSpin installations only used for processing (data station): Uninstall the “Bruker Diskless” package. This is the recommended option for processing-only installations and does not cause any limitations for your work.
In order to achieve this, do one of the following:

Alternative 1: Click on the start button of the Windows desktop, then select

for TopSpin 2.1: “All Programs”, “Bruker TOPSPIN”, “TOPSPIN 2.1”, “Uninstall”, “Uninstall Diskless”,
for TopSpin 3.0 or 3.1: “All Programs”, “Bruker TOPSPIN”, “Uninstall”, “Uninstall Diskless”,
for TopSpin 3.2: “All Programs”, “Bruker NMR Software”, “Uninstall”, “Uninstall Diskless”,

and follow the instructions shown on screen.

Alternative 2: Open Windows’ control panel, choose “Programs”, select the entry “Bruker Diskless” and then click on “uninstall” and follow the instructions shown on screen. If an entry “Bruker Diskless” is not present at all, this component has not been installed and the system is not affected by the problem described in this bulletin.

FAQs (Frequently Asked Questions)

Q: Does the patch resolve the issue completely?
A: Yes, no further actions are required.

Q: Do I need to install the patch if TopSpin 3.2pl5 has been installed?
A: No. TopSpin 3.2pl5 already includes the required corrections.

Q: My spectrometer operates under GLP conditions. Do I need to perform a complete re-validation after installation of the patch?
A: That may depend on your local regulations. However, the patch does not affect any part of the spectrometer control, acquisition, or processing code. From that, Bruker estimates that a new validation of your system should not be required.

Q: I have several TopSpin versions installed. Do I need to install the patch for every installation?
A: No. It is sufficient to run the patch installer once.

Revisions

V1.0 (November 1, 2013): Bulletin published.
V1.1 (November 4, 2013): Minor textual changes, FAQs added.

Contact

Bruker BioSpin GmbH
Silberstreifen
D-76287 Rheinstetten, Germany
[email protected]
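
The Affected / Non-Affected Software rules and the two measures under How to Solve the Issue, written out as a triage helper for an asset inventory. This is an added example, not Bruker code; the record fields, host names and the "unknown" result for a 2.1 or 3.2 install recorded without its patch level are assumptions.

```python
import re

# Range stated in the bulletin: 2.1pl6 and above, up to and including 3.2pl4.
FIRST_AFFECTED = (2, 1, 6)
LAST_AFFECTED = (3, 2, 4)
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\s*pl\s*(\d+))?", re.IGNORECASE)

def parse_version(text):
    """'3.2pl4' -> (3, 2, 4); '3.1' -> (3, 1, None) if no patch level is recorded."""
    m = _VERSION.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised TopSpin version: {text!r}")
    major, minor, pl = m.groups()
    return int(major), int(minor), None if pl is None else int(pl)

def in_affected_range(version):
    """True/False, or None when the answer depends on a missing patch level."""
    major, minor, pl = parse_version(version)
    if pl is not None:
        return FIRST_AFFECTED <= (major, minor, pl) <= LAST_AFFECTED
    if (major, minor) in (FIRST_AFFECTED[:2], LAST_AFFECTED[:2]):
        return None  # 2.1 or 3.2 without a patch level: cannot decide
    return FIRST_AFFECTED[:2] < (major, minor) < LAST_AFFECTED[:2]

def triage(host):
    """Map one inventory record to (status, action) following the bulletin."""
    if not host["os"].lower().startswith("windows"):
        return "not affected", "none (only Windows installations are affected)"
    if not host["diskless_installed"]:
        return "not affected", "none (Bruker Diskless is not installed)"
    affected = in_affected_range(host["topspin"])
    if affected is None:
        return "unknown", "record the patch level, then re-run triage"
    if not affected:
        return "not affected", "none (version outside 2.1pl6 to 3.2pl4)"
    if host["role"] == "processing":
        return "affected", "uninstall the Bruker Diskless package"
    return "affected", "install the Bruker security patch"

# Constructed sample inventory (host names and field names are illustrative).
INVENTORY = [
    {"name": "nmr-ws1", "os": "Windows 7", "topspin": "3.2pl4", "diskless_installed": True, "role": "acquisition"},
    {"name": "nmr-ds1", "os": "Windows XP", "topspin": "3.2", "diskless_installed": True, "role": "processing"},
    {"name": "nmr-ws2", "os": "Windows 7", "topspin": "3.2pl5", "diskless_installed": True, "role": "acquisition"},
]

if __name__ == "__main__":
    for host in INVENTORY:
        print(host["name"], *triage(host), sep=" | ")
```
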