SB2021011309 - Multiple vulnerabilities in SOOIL Dana Diabecare RS Products




Published: January 13, 2021 Updated: January 14, 2021

Security Bulletin ID: SB2021011309
Severity: Low
Patch available: YES
Number of vulnerabilities: 9
Exploitation vector: Adjacent network
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 9 security vulnerabilities.


1) Use of hard-coded credentials (CVE-ID: CVE-2020-27256)

The vulnerability allows a local attacker to gain full access to the vulnerable system.

The vulnerability exists due to a hard-coded physician PIN in the physician menu of the insulin pump. An attacker with physical access can change insulin therapy settings.


2) Insufficiently protected credentials (CVE-ID: CVE-2020-27258)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insufficiently protected credentials in the communication protocol of the insulin pump and its mobile applications. A remote attacker on the local network can extract the pump’s keypad lock PIN via Bluetooth Low Energy.


3) Use of insufficiently random values (CVE-ID: CVE-2020-27264)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the communication protocol of the insulin pump and its mobile applications uses deterministic keys. A remote attacker on the local network can brute-force the keys via Bluetooth Low Energy.


4) Use of Client-Side Authentication (CVE-ID: CVE-2020-27266)

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information on the system.

The vulnerability exists due to a client-side control issue in the insulin pump and its mobile applications. A remote attacker on the local network can bypass user authentication checks via Bluetooth Low Energy.


5) Client-Side Enforcement of Server-Side Security (CVE-ID: CVE-2020-27268)

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to a client-side control issue in the insulin pump and its mobile applications. A remote attacker on the local network can bypass checks for default PINs via Bluetooth Low Energy. 


6) Authentication Bypass by Capture-replay (CVE-ID: CVE-2020-27269)

The vulnerability allows a remote attacker to bypass authentication on the target system.

The vulnerability exists because the communication protocol of the insulin pump and its applications lacks replay protection measures. A remote attacker on the local network can replay communication sequences via Bluetooth Low Energy.


7) Insufficiently protected credentials (CVE-ID: CVE-2020-27270)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the communication protocol of the insulin pump and its mobile applications does not use adequate measures to protect encryption keys in transit. A remote attacker on the local network can sniff the keys via Bluetooth Low Energy.


8) Improper Authentication (CVE-ID: CVE-2020-27272)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists because the communication protocol of the insulin pump and its mobile applications does not use adequate measures to authenticate the pump before exchanging keys. A remote attacker on the local network can eavesdrop on the keys and spoof the pump via Bluetooth Low Energy.


9) Authentication Bypass by Spoofing (CVE-ID: CVE-2020-27276)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists because the communication protocol of the insulin pump and its mobile applications does not use adequate measures to authenticate the communicating entities before exchanging keys. A remote attacker on the local network can eavesdrop on the authentication sequence via Bluetooth Low Energy.


Remediation

Install the update from the vendor's website.