CVE-2016-5084 - OpenCVE

Johnson & Johnson Animas OneTouch Ping devices do not use encryption for certain data, which might allow remote attackers to obtain sensitive information by sniffing the network.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Animas	Onetouch Ping Onetouch Ping Firmware

Configuration 1 [-]

AND

cpe:2.3:o:animas:onetouch_ping_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:animas:onetouch_ping:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.kb.cert.org/vuls/id/884840	Third Party Advisory US Government Resource
http://www.kb.cert.org/vuls/id/BLUU-A9SQRS	Third Party Advisory US Government Resource
http://www.securityfocus.com/bid/93351
https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump	Mitigation Technical Description Third Party Advisory
https://ics-cert.us-cert.gov/advisories/ICSMA-16-279-01

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: certcc

Published: 2016-10-05T10:00:00

Updated: 2016-12-22T21:57:01

Reserved: 2016-05-26T00:00:00

Link: CVE-2016-5084

JSON object: View

NVD Information

Status : Modified

Published: 2016-10-05T10:59:10.640

Modified: 2016-12-24T02:59:41.233

Link: CVE-2016-5084

JSON object: View

Redhat Information

No data.

CWE

CWE-310

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-10-04T00:00:00", "descriptions": [{"lang": "en", "value": "Johnson & Johnson Animas OneTouch Ping devices do not use encryption for certain data, which might allow remote attackers to obtain sensitive information by sniffing the network."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-22T21:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump"}, {"tags": ["x_refsource_MISC"], "url": "http://www.kb.cert.org/vuls/id/BLUU-A9SQRS"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-16-279-01"}, {"name": "VU#884840", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/884840"}, {"name": "93351", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/93351"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2016-5084", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Johnson & Johnson Animas OneTouch Ping devices do not use encryption for certain data, which might allow remote attackers to obtain sensitive information by sniffing the network."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump", "refsource": "MISC", "url": "https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump"}, {"name": "http://www.kb.cert.org/vuls/id/BLUU-A9SQRS", "refsource": "MISC", "url": "http://www.kb.cert.org/vuls/id/BLUU-A9SQRS"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-16-279-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-16-279-01"}, {"name": "VU#884840", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/884840"}, {"name": "93351", "refsource": "BID", "url": "http://www.securityfocus.com/bid/93351"}]}}}}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2016-5084", "datePublished": "2016-10-05T10:00:00", "dateReserved": "2016-05-26T00:00:00", "dateUpdated": "2016-12-22T21:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:animas:onetouch_ping_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F224343A-4892-49CD-98EA-FF561A50005F", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:animas:onetouch_ping:-:*:*:*:*:*:*:*", "matchCriteriaId": "D2AD8306-9F6D-4277-A9CD-8CD24C9E4686", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Johnson & Johnson Animas OneTouch Ping devices do not use encryption for certain data, which might allow remote attackers to obtain sensitive information by sniffing the network."}, {"lang": "es", "value": "Dispositivos Johnson & Johnson Animas OneTouch Ping no usan cifrado para ciertos datos, lo que podr\u00eda permitir a atacantes remotos obtener informaci\u00f3n sensible rastreando la red."}], "id": "CVE-2016-5084", "lastModified": "2016-12-24T02:59:41.233", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-10-05T10:59:10.640", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/884840"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/BLUU-A9SQRS"}, {"source": "cret@cert.org", "url": "http://www.securityfocus.com/bid/93351"}, {"source": "cret@cert.org", "tags": ["Mitigation", "Technical Description", "Third Party Advisory"], "url": "https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump"}, {"source": "cret@cert.org", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-16-279-01"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}