CVE-2020-27270

SOOIL Developments CoLtd DiabecareRS, AnyDana-i ,AnyDana-A, communication protocol of the insulin pump & AnyDana-i,AnyDana-A mobile apps doesnt use adequate measures to protect encryption keys in transit which allows unauthenticated physically proximate attacker to sniff keys via (BLE).

CVSS v3 5.7 MEDIUM
CVSS v2.0 2.9 LOW

5.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.9^/10

CVSS v2.0 : LOW

Vector : AV:A/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 5.5 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01	Third Party Advisory US Government Resource
https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:sooil:anydana-a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sooil:anydana-a:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:sooil:anydana-i_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sooil:anydana-i:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:sooil:diabecare_rs_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sooil:diabecare_rs:-:*:*:*:*:*:*:*

History

21 Nov 2024, 05:20

Type	Values Removed	Values Added
References	~~() https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01 - Third Party Advisory, US Government Resource~~	() https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01 - Third Party Advisory, US Government Resource

Information

Published : 2021-01-19 17:15

Updated : 2024-11-21 05:20

NVD link : CVE-2020-27270

Mitre link : CVE-2020-27270

CVE.ORG link : CVE-2020-27270

JSON object : View

Products Affected

sooil

anydana-i
anydana-i_firmware
diabecare_rs
anydana-a_firmware
diabecare_rs_firmware
anydana-a

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2020-27270", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.9, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 5.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2021-01-19T17:15:12.520", "references": [{"url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "SOOIL Developments CoLtd DiabecareRS, AnyDana-i ,AnyDana-A, communication protocol of the insulin pump & AnyDana-i,AnyDana-A mobile apps doesnt use adequate measures to protect encryption keys in transit which allows unauthenticated physically proximate attacker to sniff keys via (BLE)."}, {"lang": "es", "value": "SOOIL Developments CoLtd DiabecareRS, AnyDana-i, AnyDana-A, el protocolo de comunicaci\u00f3n de la bomba de insulina y las aplicaciones m\u00f3viles AnyDana-i, AnyDana-A no utilizan las medidas adecuadas para proteger las claves de cifrado en tr\u00e1nsito, lo que permite a un atacante f\u00edsicamente pr\u00f3ximo no autenticado rastrear claves por medio de (BLE)"}], "lastModified": "2024-11-21T05:20:58.577", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:sooil:anydana-a_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "808DBA89-C2C2-4C03-814D-DB0B4DFF8B22", "versionEndExcluding": "3.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:sooil:anydana-a:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2624582E-762F-4CDB-B974-1BC971F1544D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:sooil:anydana-i_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98E25B7D-C1ED-4144-8411-171C7B6426E4", "versionEndExcluding": "3.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:sooil:anydana-i:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E25CB863-07D9-4E90-8022-6C2B4C52EDFC"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:sooil:diabecare_rs_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5C154F1-7F29-4EC0-9971-76A02C6DA8BC", "versionEndExcluding": "3.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:sooil:diabecare_rs:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8628A530-AF34-453E-968A-40DD5B8EE456"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}