Improper Authentication in SOOIL Developments Co., Ltd products - CVE-2020-27272

 

Improper Authentication in SOOIL Developments Co., Ltd products - CVE-2020-27272

Published: January 14, 2021


Vulnerability identifier: #VU49520
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-27272
CWE-ID: CWE-287
Exploitation vector: Adjecent network
Exploit availability: No public exploit available
Vendor: SOOIL Developments Co., Ltd
Affected software:
Dana Diabecare RS
AnyDana-i
AnyDana-A

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the communication protocol of the insulin pump and its mobile applications does not use adequate measures to authenticate the pump before exchanging keys. A remote attacker on the local network can eavesdrop the keys and spoof the pump via Bluetooth Low Energy.


How to mitigate CVE-2020-27272

Install updates from vendor's website.

Sources