CVE-2020-27272 - OpenCVE

SOOIL Developments CoLtd DiabecareRS, AnyDana-i, AnyDana-A, The communication protocol of the insulin pump and AnyDana-i,AnyDana-A mobile apps doesn't use adequate measures to authenticate the pump before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop the keys and spoof the pump via BLE.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:A/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sooil	Anydana-a Anydana-a Firmware Anydana-i Anydana-i Firmware Diabecare Rs Diabecare Rs Firmware

Configuration 1 [-]

AND

cpe:2.3:o:sooil:anydana-a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sooil:anydana-a:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:sooil:anydana-i_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sooil:anydana-i:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:sooil:diabecare_rs_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sooil:diabecare_rs:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-01-19T16:18:13

Updated: 2024-08-04T16:11:36.580Z

Reserved: 2020-10-19T00:00:00

Link: CVE-2020-27272

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-01-19T17:15:12.613

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-27272

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SOOIL Developments CoLtd DiabecareRS,AnyDana-i,AnyDana-A", "vendor": "n/a", "versions": [{"status": "affected", "version": "Dana Diabecare RS,AnyDana-i,AnyDana-A versions prior to 3.0"}]}], "descriptions": [{"lang": "en", "value": "SOOIL Developments CoLtd DiabecareRS, AnyDana-i, AnyDana-A, The communication protocol of the insulin pump and AnyDana-i,AnyDana-A mobile apps doesn't use adequate measures to authenticate the pump before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop the keys and spoof the pump via BLE."}], "problemTypes": [{"descriptions": [{"description": "KEY EXCHANGE WITHOUT ENTITY AUTHENTICATION CWE322", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-19T16:18:13", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-27272", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SOOIL Developments CoLtd DiabecareRS,AnyDana-i,AnyDana-A", "version": {"version_data": [{"version_value": "Dana Diabecare RS,AnyDana-i,AnyDana-A versions prior to 3.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SOOIL Developments CoLtd DiabecareRS, AnyDana-i, AnyDana-A, The communication protocol of the insulin pump and AnyDana-i,AnyDana-A mobile apps doesn't use adequate measures to authenticate the pump before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop the keys and spoof the pump via BLE."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "KEY EXCHANGE WITHOUT ENTITY AUTHENTICATION CWE322"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:11:36.580Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-27272", "datePublished": "2021-01-19T16:18:13", "dateReserved": "2020-10-19T00:00:00", "dateUpdated": "2024-08-04T16:11:36.580Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sooil:anydana-a_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "808DBA89-C2C2-4C03-814D-DB0B4DFF8B22", "versionEndExcluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sooil:anydana-a:-:*:*:*:*:*:*:*", "matchCriteriaId": "2624582E-762F-4CDB-B974-1BC971F1544D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sooil:anydana-i_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "98E25B7D-C1ED-4144-8411-171C7B6426E4", "versionEndExcluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sooil:anydana-i:-:*:*:*:*:*:*:*", "matchCriteriaId": "E25CB863-07D9-4E90-8022-6C2B4C52EDFC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sooil:diabecare_rs_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5C154F1-7F29-4EC0-9971-76A02C6DA8BC", "versionEndExcluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sooil:diabecare_rs:-:*:*:*:*:*:*:*", "matchCriteriaId": "8628A530-AF34-453E-968A-40DD5B8EE456", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SOOIL Developments CoLtd DiabecareRS, AnyDana-i, AnyDana-A, The communication protocol of the insulin pump and AnyDana-i,AnyDana-A mobile apps doesn't use adequate measures to authenticate the pump before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop the keys and spoof the pump via BLE."}, {"lang": "es", "value": "SOOIL Developments CoLtd DiabecareRS, AnyDana-i, AnyDana-A, El protocolo de comunicaci\u00f3n de la bomba de insulina y las aplicaciones m\u00f3viles AnyDana-i, AnyDana-A no utilizan las medidas adecuadas para autenticar la bomba antes de intercambiar claves, lo que permite no autenticarse a atacantes f\u00edsicamente cerca para escuchar las claves y falsificar la bomba por medio de BLE"}], "id": "CVE-2020-27272", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 5.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-19T17:15:12.613", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}