ICSMA-21-196-01

Vulnerability from csaf_cisa - Published: 2021-07-15 00:00 - Updated: 2021-07-15 00:00
Summary
ICSMA-21-196-01_Ypsomed mylife

Notes

CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Summary
Julian Suleder, Linda Huischen, and Nils Emmerich of ERNW Research GmbH and Dr. Oliver Matula of Enno Rey Netzwerke GmbH (ERNW) reported these vulnerabilities to the Federal Office for Information Security (BSI, Germany), in the context of the BSI project ManiMed - Manipulation of Medical Devices.
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Exploitability
No known public exploits specifically target these vulnerabilities.
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Julian Suleder",
          "Linda Huischen",
          "Nils Emmerich"
        ],
        "organization": "ERNW Research GmbH",
        "summary": "reporting these vulnerabilities to the Federal Office for Information Security (BSI, Germany), in the context of the BSI project ManiMed - Manipulation of Medical Devices"
      },
      {
        "names": [
          "Dr. Oliver Matula"
        ],
        "organization": "Enno Rey Netzwerke GmbH (ERNW)",
        "summary": "reporting these vulnerabilities to the Federal Office for Information Security (BSI, Germany), in the context of the BSI project ManiMed - Manipulation of Medical Devices"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "summary",
        "text": "Julian Suleder, Linda Huischen, and Nils Emmerich of ERNW Research GmbH and Dr. Oliver Matula of Enno Rey Netzwerke GmbH (ERNW) reported these vulnerabilities to the Federal Office for Information Security (BSI, Germany), in the context of the BSI project ManiMed - Manipulation of Medical Devices.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "CISAservicedesk@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-21-196-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsma-21-196-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-21-196-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-21-196-01"
      }
    ],
    "title": "ICSMA-21-196-01_Ypsomed mylife",
    "tracking": {
      "current_release_date": "2021-07-15T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA USCert CSAF Generator",
          "version": "1"
        }
      },
      "id": "ICSMA-21-196-01",
      "initial_release_date": "2021-07-15T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2021-07-15T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSMA-21-196-01 Ypsomed mylife"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 1.7.5",
                "product": {
                  "name": "Ypsomed mylife App: All versions prior to 1.7.5",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Ypsomed mylife App"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 1.7.2",
                "product": {
                  "name": "Ypsomed mylife Cloud: All versions prior to 1.7.2",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Ypsomed mylife Cloud"
          }
        ],
        "category": "vendor",
        "name": "Ypsomed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-27491",
      "cwe": {
        "id": "CWE-798",
        "name": "Use of Hard-coded Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The Ypsomed mylife Cloud discloses password hashes during the registration process.CVE-2021-27491 has been assigned to this vulnerability. A CVSS v3 base score of 5.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Ypsomed has taken action to update the affected mylife Cloud backend services to mitigate the vulnerabilities affecting the mylife Cloud in versions prior to 1.7.2. Ypsomed recommends users with the affected mobile application to update to the latest available application Version 1.7.5 or later.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "title": "CVE-2021-27491"
    },
    {
      "cve": "CVE-2021-27495",
      "cwe": {
        "id": "CWE-798",
        "name": "Use of Hard-coded Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The Ypsomed mylife Cloud reflects the user password during the login process after redirecting the user from a HTTPS endpoint to a HTTP endpoint.CVE-2021-27495 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Ypsomed has taken action to update the affected mylife Cloud backend services to mitigate the vulnerabilities affecting the mylife Cloud in versions prior to 1.7.2. Ypsomed recommends users with the affected mobile application to update to the latest available application Version 1.7.5 or later.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "title": "CVE-2021-27495"
    },
    {
      "cve": "CVE-2021-27499",
      "cwe": {
        "id": "CWE-798",
        "name": "Use of Hard-coded Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The application layer encryption of the communication protocol between the Ypsomed mylife App and mylife Cloud uses non-random IVs, which allows man-in-the-middle attackers to tamper with messages.CVE-2021-27499 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Ypsomed has taken action to update the affected mylife Cloud backend services to mitigate the vulnerabilities affecting the mylife Cloud in versions prior to 1.7.2. Ypsomed recommends users with the affected mobile application to update to the latest available application Version 1.7.5 or later.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "title": "CVE-2021-27499"
    },
    {
      "cve": "CVE-2021-27503",
      "cwe": {
        "id": "CWE-798",
        "name": "Use of Hard-coded Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The application encrypts on the application layer of the communication protocol between the Ypsomed mylife App and mylife Cloud credentials based on hard-coded secrets, which allows man-in-the-middle attackers to tamper with messages.CVE-2021-27503 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Ypsomed has taken action to update the affected mylife Cloud backend services to mitigate the vulnerabilities affecting the mylife Cloud in versions prior to 1.7.2. Ypsomed recommends users with the affected mobile application to update to the latest available application Version 1.7.5 or later.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "title": "CVE-2021-27503"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.