Authentication Bypass by Spoofing in SOOIL Developments Co., Ltd products - CVE-2020-27276

 

Authentication Bypass by Spoofing in SOOIL Developments Co., Ltd products - CVE-2020-27276

Published: January 14, 2021


Vulnerability identifier: #VU49521
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-27276
CWE-ID: CWE-290
Exploitation vector: Adjecent network
Exploit availability: No public exploit available
Vendor: SOOIL Developments Co., Ltd
Affected software:
Dana Diabecare RS
AnyDana-i
AnyDana-A

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to the communication protocol of the insulin pump and its mobile applications does not use adequate measures to authenticate the communicating entities before exchanging keys. A remote attacker on the local network can eavesdrop the authentication sequence via Bluetooth Low Energy.


How to mitigate CVE-2020-27276

Install updates from vendor's website.

Sources