Multiple vulnerabilities in SOOIL Dana Diabecare RS Products



Published: 2021-01-13 | Updated: 2021-01-14
Risk: Low
Patch available: YES
Number of vulnerabilities: 9
CVE ID: CVE-2020-27256, CVE-2020-27258, CVE-2020-27264, CVE-2020-27266, CVE-2020-27268, CVE-2020-27269, CVE-2020-27270, CVE-2020-27272, CVE-2020-27276
CWE ID: CWE-798, CWE-522, CWE-330, CWE-603, CWE-602, CWE-294, CWE-287, CWE-290
Exploitation vector: Local network
Public exploit: N/A
Vulnerable software
Dana Diabecare RS
Hardware solutions / Medical equipment

AnyDana-i
Hardware solutions / Medical equipment

AnyDana-A
Hardware solutions / Medical equipment

Vendor: SOOIL Developments Co., Ltd

Security Advisory

Updated 14.1.2021

Added vulnerabilities #6-9

1) Use of hard-coded credentials

Risk: Low

CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-27256

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows a local attacker to gain full access to the vulnerable system.

The vulnerability exists due to a hard-coded physician PIN in the physician menu of the insulin pump. An attacker with physical access can change insulin therapy settings.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dana Diabecare RS: before 3.0

AnyDana-i: before 3.0

AnyDana-A: before 3.0

External links

https://ics-cert.us-cert.gov/advisories/icsma-21-012-01

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Insufficiently protected credentials

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-27258

CWE-ID: CWE-522 - Insufficiently Protected Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insufficiently protected credentials in the communication protocol of the insulin pump and its mobile applications. A remote attacker on the local network can extract the pump’s keypad lock PIN via Bluetooth Low Energy.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Dana Diabecare RS: before 3.0

AnyDana-i: before 3.0

AnyDana-A: before 3.0

External links

https://ics-cert.us-cert.gov/advisories/icsma-21-012-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use of insufficiently random values

Risk: Low

CVSSv3.1: 6.6 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-27264

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the communication protocol of the insulin pump and its mobile applications uses deterministic keys. A remote attacker on the local network can brute-force the keys via Bluetooth Low Energy.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Dana Diabecare RS: before 3.0

AnyDana-i: before 3.0

AnyDana-A: before 3.0

External links

https://ics-cert.us-cert.gov/advisories/icsma-21-012-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use of Client-Side Authentication

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-27266

CWE-ID: CWE-603 - Use of Client-Side Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information on the system.

The vulnerability exists due to a client-side control issue in the insulin pump and its mobile applications. A remote attacker on the local network can bypass user authentication checks via Bluetooth Low Energy.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Dana Diabecare RS: before 3.0

AnyDana-i: before 3.0

AnyDana-A: before 3.0

External links

https://ics-cert.us-cert.gov/advisories/icsma-21-012-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Client-Side Enforcement of Server-Side Security

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-27268

CWE-ID: CWE-602 - Client-Side Enforcement of Server-Side Security

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to a client-side control issue in the insulin pump and its mobile applications. A remote attacker on the local network can bypass checks for default PINs via Bluetooth Low Energy. 

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Dana Diabecare RS: before 3.0

AnyDana-i: before 3.0

AnyDana-A: before 3.0

External links

https://ics-cert.us-cert.gov/advisories/icsma-21-012-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Authentication Bypass by Capture-replay

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-27269

CWE-ID: CWE-294 - Authentication Bypass by Capture-replay

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication on the target system.

The vulnerability exists because the communication protocol of the insulin pump and its applications lacks replay protection measures. A remote attacker on the local network can replay communication sequences via Bluetooth Low Energy.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Dana Diabecare RS: before 3.0

AnyDana-i: before 3.0

AnyDana-A: before 3.0

External links

https://ics-cert.us-cert.gov/advisories/icsma-21-012-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Insufficiently protected credentials

Risk: Low

CVSSv3.1: 5 [CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-27270

CWE-ID: CWE-522 - Insufficiently Protected Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the communication protocol of the insulin pump and its mobile applications does not use adequate measures to protect encryption keys in transit. A remote attacker on the local network can sniff the keys via Bluetooth Low Energy.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Dana Diabecare RS: before 3.0

AnyDana-i: before 3.0

AnyDana-A: before 3.0

External links

https://ics-cert.us-cert.gov/advisories/icsma-21-012-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper Authentication

Risk: Low

CVSSv3.1: 5 [CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-27272

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists because the communication protocol of the insulin pump and its mobile applications does not use adequate measures to authenticate the pump before exchanging keys. A remote attacker on the local network can eavesdrop on the keys and spoof the pump via Bluetooth Low Energy.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Dana Diabecare RS: before 3.0

AnyDana-i: before 3.0

AnyDana-A: before 3.0

External links

https://ics-cert.us-cert.gov/advisories/icsma-21-012-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Authentication Bypass by Spoofing

Risk: Low

CVSSv3.1: 5 [CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-27276

CWE-ID: CWE-290 - Authentication Bypass by Spoofing

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists because the communication protocol of the insulin pump and its mobile applications does not use adequate measures to authenticate the communicating entities before exchanging keys. A remote attacker on the local network can eavesdrop on the authentication sequence via Bluetooth Low Energy.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Dana Diabecare RS: before 3.0

AnyDana-i: before 3.0

AnyDana-A: before 3.0

External links

https://ics-cert.us-cert.gov/advisories/icsma-21-012-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


