CVE-2020-10627

Insulet Omnipod Insulin Management System insulin pump product ID 19191 and 40160 is designed to communicate using a wireless RF with an Insulet manufactured Personal Diabetes Manager device. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with access to one of the affected insulin pump models may be able to modify and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery.

CVSS v3 8.1 HIGH
CVSS v2.0 4.8 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:A/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 6.5 / Impact : 4.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://us-cert.cisa.gov/ics/advisories/icsma-20-079-01	Third Party Advisory US Government Resource
https://www.myomnipod.com/security-bulletins	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:insulet:omnipod_insulin_management_system_firmware:-:*:*:*:*:*:*:*

OR	cpe:2.3:h:insulet:omnipod_insulin_management_system:19191:::::::*
	cpe:2.3:h:insulet:omnipod_insulin_management_system:40160:::::::*

History

No history.

Information

Published : 2021-12-01 16:15

Updated : 2023-09-25 02:30

NVD link : CVE-2020-10627

Mitre link : CVE-2020-10627

CVE.ORG link : CVE-2020-10627

JSON object : View

Products Affected

insulet

omnipod_insulin_management_system
omnipod_insulin_management_system_firmware

CWE

NVD-CWE-Other CWE-284

Improper Access Control

{"id": "CVE-2020-10627", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.8, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.5}]}, "published": "2021-12-01T16:15:07.390", "references": [{"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-079-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.myomnipod.com/security-bulletins", "tags": ["Vendor Advisory"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Insulet Omnipod Insulin Management System insulin pump product ID 19191 and 40160 is designed to communicate using a wireless RF with an Insulet manufactured Personal Diabetes Manager device. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with access to one of the affected insulin pump models may be able to modify and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery."}, {"lang": "es", "value": "La bomba de insulina Insulet Omnipod Insulin Management System, con ID de producto 19191 y 40160, est\u00e1 dise\u00f1ada para comunicarse mediante RF inal\u00e1mbrica con un dispositivo de administraci\u00f3n personal de la diabetes fabricado por Insulet. Este protocolo de comunicaci\u00f3n de RF inal\u00e1mbrica no implementa apropiadamente la autenticaci\u00f3n o la autorizaci\u00f3n. Un atacante con acceso a uno de los modelos de bomba de insulina afectados podr\u00eda ser capaz de modificar y/o interceptar datos. Esta vulnerabilidad tambi\u00e9n podr\u00eda permitir a atacantes cambiar la configuraci\u00f3n de la bomba y controlar la administraci\u00f3n de insulina"}], "lastModified": "2023-09-25T02:30:38.667", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:insulet:omnipod_insulin_management_system_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC41AB2D-AB47-41B7-AEBA-AB4C0A8608A5"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:insulet:omnipod_insulin_management_system:19191:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "98184BD3-4593-4194-A00C-9C064BE96144"}, {"criteria": "cpe:2.3:h:insulet:omnipod_insulin_management_system:40160:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7AF53C0A-02F1-4F3C-996F-E0E5269034C2"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}