CVE-2016-5085 Information

Description

Johnson & Johnson Animas OneTouch Ping devices do not properly generate random numbers, which makes it easier for remote attackers to spoof meters by sniffing the network and then engaging in an authentication handshake.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

http://www.kb.cert.org/vuls/id/884840
http://www.kb.cert.org/vuls/id/BLUU-A9SQRS
http://www.securityfocus.com/bid/93351
https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump
https://ics-cert.us-cert.gov/advisories/ICSMA-16-279-01

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH
