Multiple vulnerabilities in Ypsomed mylife
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2021-27491 CVE-2021-27495 CVE-2021-27499 CVE-2021-27503 |
| CWE-ID | CWE-522 CWE-329 CWE-798 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Ypsomed mylife Cloud Client/Desktop applications / Other client software Ypsomed mylife App Mobile applications / Apps for mobile phones |
| Vendor | Ypsomed |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Insufficiently protected credentials
EUVDB-ID: #VU54919
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-27491
CWE-ID:
CWE-522 - Insufficiently Protected Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficiently protected credentials. A remote attacker can disclose password hashes during the registration process.
MitigationInstall updates from vendor's website.
Vulnerable software versionsYpsomed mylife Cloud: All versions
Ypsomed mylife App: All versions
CPE2.3- cpe:2.3:a:ypsomed:ypsomed_mylife_cloud:*:*:*:*:*:*:*:*
- cpe:2.3:a:ypsomed:ypsomed_mylife_app:*:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsma-21-196-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Insufficiently protected credentials
EUVDB-ID: #VU54920
Risk: Medium
CVSSv4.0: 4.4 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-27495
CWE-ID:
CWE-522 - Insufficiently Protected Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the affected software reflects the user password during the login process after redirecting the user from a HTTPS endpoint to a HTTP endpoint. A remote authenticated attacker can disclose sensitive information on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsYpsomed mylife Cloud: All versions
Ypsomed mylife App: All versions
CPE2.3- cpe:2.3:a:ypsomed:ypsomed_mylife_cloud:*:*:*:*:*:*:*:*
- cpe:2.3:a:ypsomed:ypsomed_mylife_app:*:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsma-21-196-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Not Using an Unpredictable IV with CBC Mode
EUVDB-ID: #VU54921
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-27499
CWE-ID:
CWE-329 - Not Using an Unpredictable IV with CBC Mode
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the application layer encryption of the communication protocol between the Ypsomed mylife App and mylife Cloud uses non-random IVs. A remote attacker can perform a man-in-the-middle attack to tamper with messages.
MitigationInstall updates from vendor's website.
Vulnerable software versionsYpsomed mylife Cloud: All versions
Ypsomed mylife App: All versions
CPE2.3- cpe:2.3:a:ypsomed:ypsomed_mylife_cloud:*:*:*:*:*:*:*:*
- cpe:2.3:a:ypsomed:ypsomed_mylife_app:*:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsma-21-196-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Use of hard-coded credentials
EUVDB-ID: #VU54922
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-27503
CWE-ID:
CWE-798 - Use of Hard-coded Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain full access to vulnerable system.
The vulnerability exists due to presence of hard-coded credentials in application code. A remote unauthenticated attacker can perform a man-in-the-middle attack to tamper with messages.
MitigationInstall updates from vendor's website.
Vulnerable software versionsYpsomed mylife Cloud: All versions
Ypsomed mylife App: All versions
CPE2.3- cpe:2.3:a:ypsomed:ypsomed_mylife_cloud:*:*:*:*:*:*:*:*
- cpe:2.3:a:ypsomed:ypsomed_mylife_app:*:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsma-21-196-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
