CVE-2020-27270 - OpenCVE

SOOIL Developments CoLtd DiabecareRS, AnyDana-i ,AnyDana-A, communication protocol of the insulin pump & AnyDana-i,AnyDana-A mobile apps doesnt use adequate measures to protect encryption keys in transit which allows unauthenticated physically proximate attacker to sniff keys via (BLE).

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:A/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Sooil	Anydana-a Anydana-a Firmware Anydana-i Firmware Anydana-i Diabecare Rs Diabecare Rs Firmware

Configuration 1 [-]

AND

cpe:2.3:o:sooil:anydana-a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sooil:anydana-a:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:sooil:anydana-i_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sooil:anydana-i:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:sooil:diabecare_rs_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sooil:diabecare_rs:-:*:*:*:*:*:*:*

References

Link	Resource
https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2021-01-19T16:17:59

Updated: 2021-01-19T16:17:59

Reserved: 2020-10-19T00:00:00

Link: CVE-2020-27270

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-01-19T17:15:12.520

Modified: 2021-01-23T00:41:53.697

Link: CVE-2020-27270

JSON object: View

Redhat Information

No data.

CWE

CWE-522

{"containers": {"cna": {"affected": [{"product": "SOOIL Developments CoLtd DiabecareRS,AnyDana-i,AnyDana-A", "vendor": "n/a", "versions": [{"status": "affected", "version": "Dana DiabecareRS,AnyDana-i,AnyDana-A,versions prior to 3.0"}]}], "descriptions": [{"lang": "en", "value": "SOOIL Developments CoLtd DiabecareRS, AnyDana-i ,AnyDana-A, communication protocol of the insulin pump & AnyDana-i,AnyDana-A mobile apps doesnt use adequate measures to protect encryption keys in transit which allows unauthenticated physically proximate attacker to sniff keys via (BLE)."}], "problemTypes": [{"descriptions": [{"description": "UNPROTECTED TRANSPORT OF CREDENTIALS CWE523", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-19T16:17:59", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-27270", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SOOIL Developments CoLtd DiabecareRS,AnyDana-i,AnyDana-A", "version": {"version_data": [{"version_value": "Dana DiabecareRS,AnyDana-i,AnyDana-A,versions prior to 3.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SOOIL Developments CoLtd DiabecareRS, AnyDana-i ,AnyDana-A, communication protocol of the insulin pump & AnyDana-i,AnyDana-A mobile apps doesnt use adequate measures to protect encryption keys in transit which allows unauthenticated physically proximate attacker to sniff keys via (BLE)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "UNPROTECTED TRANSPORT OF CREDENTIALS CWE523"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-27270", "datePublished": "2021-01-19T16:17:59", "dateReserved": "2020-10-19T00:00:00", "dateUpdated": "2021-01-19T16:17:59", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sooil:anydana-a_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "808DBA89-C2C2-4C03-814D-DB0B4DFF8B22", "versionEndExcluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sooil:anydana-a:-:*:*:*:*:*:*:*", "matchCriteriaId": "2624582E-762F-4CDB-B974-1BC971F1544D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sooil:anydana-i_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "98E25B7D-C1ED-4144-8411-171C7B6426E4", "versionEndExcluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sooil:anydana-i:-:*:*:*:*:*:*:*", "matchCriteriaId": "E25CB863-07D9-4E90-8022-6C2B4C52EDFC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sooil:diabecare_rs_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5C154F1-7F29-4EC0-9971-76A02C6DA8BC", "versionEndExcluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sooil:diabecare_rs:-:*:*:*:*:*:*:*", "matchCriteriaId": "8628A530-AF34-453E-968A-40DD5B8EE456", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "SOOIL Developments CoLtd DiabecareRS, AnyDana-i ,AnyDana-A, communication protocol of the insulin pump & AnyDana-i,AnyDana-A mobile apps doesnt use adequate measures to protect encryption keys in transit which allows unauthenticated physically proximate attacker to sniff keys via (BLE)."}, {"lang": "es", "value": "SOOIL Developments CoLtd DiabecareRS, AnyDana-i, AnyDana-A, el protocolo de comunicaci\u00f3n de la bomba de insulina y las aplicaciones m\u00f3viles AnyDana-i, AnyDana-A no utilizan las medidas adecuadas para proteger las claves de cifrado en tr\u00e1nsito, lo que permite a un atacante f\u00edsicamente pr\u00f3ximo no autenticado rastrear claves por medio de (BLE)"}], "id": "CVE-2020-27270", "lastModified": "2021-01-23T00:41:53.697", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 5.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-19T17:15:12.520", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}