Insufficiently protected credentials in SOOIL Developments Co., Ltd products - CVE-2020-27270

 

Insufficiently protected credentials in SOOIL Developments Co., Ltd products - CVE-2020-27270

Published: January 14, 2021


Vulnerability identifier: #VU49519
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-27270
CWE-ID: CWE-522
Exploitation vector: Adjecent network
Exploit availability: No public exploit available
Vendor: SOOIL Developments Co., Ltd
Affected software:
Dana Diabecare RS
AnyDana-i
AnyDana-A

Detailed vulnerability description

The vulnerability allows a remot attacker to gain access to potentially sensitive information.

The vulnerability exists due to the communication protocol of the insulin pump and its mobile applications does not use adequate measures to protect encryption keys in transit. A remote attacker on the local network can sniff the keys via Bluetooth Low Energy.


How to mitigate CVE-2020-27270

Install updates from vendor's website.

Sources