CVE-2020-10627 (GCVE-0-2020-10627)

Vulnerability from cvelistv5 – Published: 2021-12-01 15:38 – Updated: 2024-08-04 11:06
Summary
Insulet Omnipod Insulin Management System insulin pumps with product IDs 19191 and 40160 are designed to communicate over wireless RF with an Insulet-manufactured Personal Diabetes Manager device. The wireless RF communication protocol does not properly implement authentication or authorization, so an attacker with access to one of the affected pump models may be able to intercept and/or modify data, change pump settings, and control insulin delivery.
Two points a reader of this record should note. First, the CNA's affected-version list also includes ZXP425 and ZXR425, which the description text does not mention. Second, the record carries two CVSS v3.1 assessments that disagree: ICS-CERT scored it 7.3 (AV:L, C:L/I:H/A:L), while NVD scored it 8.1 (AV:A, C:H/I:H/A:N). The record lists no patch; Insulet's guidance (see the workarounds in the record below) is to discuss with a healthcare provider the possibility of changing to a newer model and to keep tight physical control of the pump and the devices connected to it.
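The weakness class named in this record, a wireless command channel with no authentication or authorization (CWE-284), shown as an added example. This is not Insulet's code and does not model the Omnipod protocol: the frame layout, command code, pairing key, counter scheme and all values are hypothetical. The vulnerable pump acts on any well-formed frame addressed to it; the hardened pump requires an HMAC-SHA256 tag under a key shared only with the paired PDM and a strictly increasing counter, so forged, tampered and replayed frames are rejected.

```python
"""Added example (hypothetical protocol, not Insulet's): an unauthenticated
pump command channel beside a hardened one. Python 3, standard library only."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

CMD_SET_BOLUS = 0x01  # hypothetical command; arg = bolus in hundredths of a unit

# Hypothetical wire format: pump_id(4) | counter(4) | cmd(1) | arg(2) [| tag(32)]
HDR = struct.Struct(">IIBH")
TAG_LEN = hashlib.sha256().digest_size


def build_frame(pump_id, counter, cmd, arg, key=None):
    """Unauthenticated frame when key is None; otherwise append HMAC-SHA256 over the header."""
    body = HDR.pack(pump_id, counter, cmd, arg)
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()


@dataclass
class VulnerablePump:
    """Models the flaw: anything that can transmit to the pump can drive it."""
    pump_id: int
    boluses: list = field(default_factory=list)

    def handle(self, frame):
        if len(frame) < HDR.size:
            return "rejected: malformed"
        pump_id, _counter, cmd, arg = HDR.unpack(frame[:HDR.size])
        if pump_id != self.pump_id:
            return "ignored: not addressed to this pump"
        if cmd == CMD_SET_BOLUS:
            self.boluses.append(arg)  # no proof of who sent this, no replay check
            return "bolus accepted"
        return "rejected: unknown command"


@dataclass
class HardenedPump:
    """Authentication (tag under the pairing key), authorization (only the paired
    PDM holds that key), and anti-replay (strictly increasing counter)."""
    pump_id: int
    key: bytes
    last_counter: int = 0
    boluses: list = field(default_factory=list)

    def handle(self, frame):
        if len(frame) != HDR.size + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:HDR.size], frame[HDR.size:]
        pump_id, counter, cmd, arg = HDR.unpack(body)
        if pump_id != self.pump_id:
            return "ignored: not addressed to this pump"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "rejected: bad tag"
        if counter <= self.last_counter:  # replay of a captured frame
            return "rejected: replay"
        self.last_counter = counter  # advance only after the frame is authentic
        if cmd == CMD_SET_BOLUS:
            self.boluses.append(arg)
            return "bolus accepted"
        return "rejected: unknown command"


def demo():
    """Run both pumps against the same attacker and return every outcome."""
    pump_id = 0x0001A2B3  # constructed
    pdm_key = hashlib.sha256(b"constructed pairing key, example only").digest()
    attacker_key = hashlib.sha256(b"attacker guess").digest()
    results = {}

    weak = VulnerablePump(pump_id)
    results["weak_attacker_bolus"] = weak.handle(build_frame(pump_id, 1, CMD_SET_BOLUS, 500))

    strong = HardenedPump(pump_id, pdm_key)
    legit = build_frame(pump_id, 1, CMD_SET_BOLUS, 150, key=pdm_key)
    results["strong_legit"] = strong.handle(legit)
    results["strong_replay"] = strong.handle(legit)
    results["strong_forged"] = strong.handle(build_frame(pump_id, 2, CMD_SET_BOLUS, 500, key=attacker_key))
    tampered = bytearray(legit)
    tampered[HDR.size - 1] ^= 0xFF  # flip the low byte of arg in a captured frame
    results["strong_tampered"] = strong.handle(bytes(tampered))
    results["strong_next"] = strong.handle(build_frame(pump_id, 2, CMD_SET_BOLUS, 150, key=pdm_key))
    results["weak_boluses"] = list(weak.boluses)
    results["strong_boluses"] = list(strong.boluses)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks in `HardenedPump.handle` matters: the tag is verified before the counter is touched, so an attacker cannot burn counter values with forged frames, and the counter is compared before any command is acted on, so a captured legitimate frame cannot be replayed to deliver a second bolus.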
CWE
  • CWE-284 - Improper Access Control
Assigner: icscert (ics-cert@hq.dhs.gov)
Impacted products
Vendor   Product                            Version
Insulet  Omnipod Insulin Management System  Affected: 19191, 40160, ZXP425, ZXR425
Credits
Thirdwayv Inc. reported this vulnerability to Insulet

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:06:10.161Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-079-01"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.myomnipod.com/security-bulletins"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Omnipod Insulin Management System",
          "vendor": "Insulet",
          "versions": [
            {
              "status": "affected",
              "version": "19191"
            },
            {
              "status": "affected",
              "version": "40160"
            },
            {
              "status": "affected",
              "version": "ZXP425"
            },
            {
              "status": "affected",
              "version": "ZXR425"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thirdwayv Inc. reported this vulnerability to Insulet"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insulet Omnipod Insulin Management System insulin pump product ID 19191 and 40160 is designed to communicate using a wireless RF with an Insulet manufactured Personal Diabetes Manager device. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with access to one of the affected insulin pump models may be able to modify and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-01T15:38:31",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-079-01"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.myomnipod.com/security-bulletins"
        }
      ],
      "source": {
        "advisory": "ICSMA-20-079-01",
        "discovery": "EXTERNAL"
      },
      "workarounds": [
        {
          "lang": "en",
          "value": "Insulet recommends patients using the affected products talk to their healthcare provider about the risks of continued use, including the possibility of changing to the latest model with increased cybersecurity protection.\nAdditionally, Insulet recommends all patients take the cybersecurity precautions indicated below.\n\n    Do not connect to or allow any third-party devices to be connected to or use any software not authorized by Insulet.\n    Maintain tight physical control of the pump and devices connected to the pump.\n    Be attentive to pump notifications, alarms, and alerts.\n    Immediately cancel any unintended boluses (a single dose of insulin administered all at once).\n    Monitor blood glucose levels closely and act as appropriate.\n    Get medical help immediately when experiencing symptoms of severe hypoglycemia or diabetic ketoacidosis or if you suspect insulin pump settings or insulin delivery has changed unexpectedly.\n\nInsulet has released additional patient-focused information: https://www.myomnipod.com/security-bulletins \n\nMore information is available regarding Insulet\u2019s product security and vulnerability management: https://www.myomnipod.com/product-security "
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-10627",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Omnipod Insulin Management System",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "19191"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "40160"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "ZXP425"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "ZXR425"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Insulet"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Thirdwayv Inc. reported this vulnerability to Insulet"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insulet Omnipod Insulin Management System insulin pump product ID 19191 and 40160 is designed to communicate using a wireless RF with an Insulet manufactured Personal Diabetes Manager device. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with access to one of the affected insulin pump models may be able to modify and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-079-01",
              "refsource": "MISC",
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-079-01"
            },
            {
              "name": "https://www.myomnipod.com/security-bulletins",
              "refsource": "MISC",
              "url": "https://www.myomnipod.com/security-bulletins"
            }
          ]
        },
        "source": {
          "advisory": "ICSMA-20-079-01",
          "discovery": "EXTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Insulet recommends patients using the affected products talk to their healthcare provider about the risks of continued use, including the possibility of changing to the latest model with increased cybersecurity protection.\nAdditionally, Insulet recommends all patients take the cybersecurity precautions indicated below.\n\n    Do not connect to or allow any third-party devices to be connected to or use any software not authorized by Insulet.\n    Maintain tight physical control of the pump and devices connected to the pump.\n    Be attentive to pump notifications, alarms, and alerts.\n    Immediately cancel any unintended boluses (a single dose of insulin administered all at once).\n    Monitor blood glucose levels closely and act as appropriate.\n    Get medical help immediately when experiencing symptoms of severe hypoglycemia or diabetic ketoacidosis or if you suspect insulin pump settings or insulin delivery has changed unexpectedly.\n\nInsulet has released additional patient-focused information: https://www.myomnipod.com/security-bulletins \n\nMore information is available regarding Insulet\u2019s product security and vulnerability management: https://www.myomnipod.com/product-security "
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2020-10627",
    "datePublished": "2021-12-01T15:38:31",
    "dateReserved": "2020-03-16T00:00:00",
    "dateUpdated": "2024-08-04T11:06:10.161Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:insulet:omnipod_insulin_management_system_firmware:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FC41AB2D-AB47-41B7-AEBA-AB4C0A8608A5\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:insulet:omnipod_insulin_management_system:19191:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"98184BD3-4593-4194-A00C-9C064BE96144\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:insulet:omnipod_insulin_management_system:40160:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7AF53C0A-02F1-4F3C-996F-E0E5269034C2\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Insulet Omnipod Insulin Management System insulin pump product ID 19191 and 40160 is designed to communicate using a wireless RF with an Insulet manufactured Personal Diabetes Manager device. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with access to one of the affected insulin pump models may be able to modify and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery.\"}, {\"lang\": \"es\", \"value\": \"La bomba de insulina Insulet Omnipod Insulin Management System, con ID de producto 19191 y 40160, est\\u00e1 dise\\u00f1ada para comunicarse mediante RF inal\\u00e1mbrica con un dispositivo de administraci\\u00f3n personal de la diabetes fabricado por Insulet. Este protocolo de comunicaci\\u00f3n de RF inal\\u00e1mbrica no implementa apropiadamente la autenticaci\\u00f3n o la autorizaci\\u00f3n. Un atacante con acceso a uno de los modelos de bomba de insulina afectados podr\\u00eda ser capaz de modificar y/o interceptar datos. Esta vulnerabilidad tambi\\u00e9n podr\\u00eda permitir a atacantes cambiar la configuraci\\u00f3n de la bomba y controlar la administraci\\u00f3n de insulina\"}]",
      "id": "CVE-2020-10627",
      "lastModified": "2024-11-21T04:55:43.637",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.5, \"impactScore\": 4.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:A/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 4.8, \"accessVector\": \"ADJACENT_NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 6.5, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-12-01T16:15:07.390",
      "references": "[{\"url\": \"https://us-cert.cisa.gov/ics/advisories/icsma-20-079-01\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://www.myomnipod.com/security-bulletins\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://us-cert.cisa.gov/ics/advisories/icsma-20-079-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://www.myomnipod.com/security-bulletins\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-10627\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2021-12-01T16:15:07.390\",\"lastModified\":\"2024-11-21T04:55:43.637\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Insulet Omnipod Insulin Management System insulin pump product ID 19191 and 40160 is designed to communicate using a wireless RF with an Insulet manufactured Personal Diabetes Manager device. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with access to one of the affected insulin pump models may be able to modify and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery.\"},{\"lang\":\"es\",\"value\":\"La bomba de insulina Insulet Omnipod Insulin Management System, con ID de producto 19191 y 40160, est\u00e1 dise\u00f1ada para comunicarse mediante RF inal\u00e1mbrica con un dispositivo de administraci\u00f3n personal de la diabetes fabricado por Insulet. Este protocolo de comunicaci\u00f3n de RF inal\u00e1mbrica no implementa apropiadamente la autenticaci\u00f3n o la autorizaci\u00f3n. Un atacante con acceso a uno de los modelos de bomba de insulina afectados podr\u00eda ser capaz de modificar y/o interceptar datos. Esta vulnerabilidad tambi\u00e9n podr\u00eda permitir a atacantes cambiar la configuraci\u00f3n de la bomba y controlar la administraci\u00f3n de insulina\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.5,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:A/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":4.8,\"accessVector\":\"ADJACENT_NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.5,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:insulet:omnipod_insulin_management_system_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC41AB2D-AB47-41B7-AEBA-AB4C0A8608A5\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:insulet:omnipod_insulin_management_system:19191:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"98184BD3-4593-4194-A00C-9C064BE96144\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:insulet:omnipod_insulin_management_system:40160:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7AF53C0A-02F1-4F3C-996F-E0E5269034C2\"}]}]}],\"references\":[{\"url\":\"https://us-cert.cisa.gov/ics/advisories/icsma-20-079-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.myomnipod.com/security-bulletins\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://us-cert.cisa.gov/ics/advisories/icsma-20-079-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.myomnipod.com/security-bulletins\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

