ID

VAR-201610-0059


CVE

CVE-2016-5686


TITLE

Animas OneTouch Ping insulin pump contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#884840

DESCRIPTION

Johnson & Johnson Animas OneTouch Ping devices mishandle acknowledgements, which makes it easier for remote attackers to bypass authentication via a custom communication protocol. The Animas OneTouch Ping insulin pump contains multiple vulnerabilities that may allow an unauthenticated remote attacker to obtain patient treatment or device data, or execute commands on the device. The attacker cannot obtain personally identifiable information. In addition, JVNVU#95089754 publishes this issue as CWE-290 (https://cwe.mitre.org/data/definitions/290.html). Authentication can be bypassed by third parties via custom communication protocols.

Animas OneTouch Ping is prone to the following security vulnerabilities:

1. An information-disclosure vulnerability
2. Multiple security-bypass vulnerabilities
3. A spoofing vulnerability

An attacker can exploit these vulnerabilities to obtain sensitive information, bypass security restrictions, perform certain unauthorized actions, and insert and display spoofed content. Other attacks are also possible.

Animas OneTouch Ping is a self-service medical device from Animas Company of the United States for diabetic patients taking insulin.

Trust: 2.7

sources: NVD: CVE-2016-5686 // CERT/CC: VU#884840 // JVNDB: JVNDB-2016-005123 // BID: 93351 // VULHUB: VHN-94505

AFFECTED PRODUCTS

vendor: animas, model: onetouch ping, scope: -, version: -

Trust: 1.6

vendor: animas, model: onetouch ping, scope: eq, version: -

Trust: 1.6

vendor: johnson johnson, model: -, scope: -, version: -

Trust: 0.8

vendor: animas, model: onetouch ping, scope: eq, version: 0

Trust: 0.3

sources: CERT/CC: VU#884840 // BID: 93351 // JVNDB: JVNDB-2016-005123 // CNNVD: CNNVD-201610-004 // NVD: CVE-2016-5686

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-5686
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-5686
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201610-004
value: CRITICAL

Trust: 0.6

VULHUB: VHN-94505
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-5686
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-94505
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-5686
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-94505 // JVNDB: JVNDB-2016-005123 // CNNVD: CNNVD-201610-004 // NVD: CVE-2016-5686

PROBLEMTYPE DATA

problemtype: CWE-287

Trust: 1.9

problemtype: CWE-Other

Trust: 0.8

sources: VULHUB: VHN-94505 // JVNDB: JVNDB-2016-005123 // NVD: CVE-2016-5686

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-004

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201610-004

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005123

PATCH

title: OneTouch Ping Glucose Management System
url: https://www.animas.com/diabetes-insulin-pump-and-bloog-glucose-meter/onetouch-ping-blood-glucose-monitor

Trust: 0.8

title: Important Information about the cybersecurity of your OneTouch Ping Insulin Infusion Pump
url: https://www.animas.com/sites/default/files/pdf/FINAL%20Letter%20to%20patients%20regarding%20OTP_10.04.16.16_WEB%20VERSION.PDF

Trust: 0.8

sources: JVNDB: JVNDB-2016-005123

EXTERNAL IDS

db: CERT/CC, id: VU#884840

Trust: 3.6

db: NVD, id: CVE-2016-5686

Trust: 2.8

db: BID, id: 93351

Trust: 1.4

db: JVN, id: JVNVU95089754

Trust: 0.8

db: JVNDB, id: JVNDB-2016-005123

Trust: 0.8

db: CNNVD, id: CNNVD-201610-004

Trust: 0.7

db: NSFOCUS, id: 34994

Trust: 0.6

db: ICS CERT, id: ICSMA-16-279-01

Trust: 0.3

db: VULHUB, id: VHN-94505

Trust: 0.1

sources: CERT/CC: VU#884840 // VULHUB: VHN-94505 // BID: 93351 // JVNDB: JVNDB-2016-005123 // CNNVD: CNNVD-201610-004 // NVD: CVE-2016-5686

REFERENCES

url: https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump

Trust: 2.8

url: http://www.kb.cert.org/vuls/id/884840

Trust: 2.8

url: http://www.kb.cert.org/vuls/id/bluu-a9sqrs

Trust: 1.7

url: http://www.securityfocus.com/bid/93351

Trust: 1.1

url: https://www.animas.com/our-pumps/one-touch-ping

Trust: 0.8

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5686

Trust: 0.8

url: http://jvn.jp/vu/jvnvu95089754/index.html

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-5686

Trust: 0.8

url: http://www.nsfocus.net/vulndb/34994

Trust: 0.6

url: https://www.animas.com/diabetes-insulin-pump-and-bloog-glucose-meter/onetouch-ping-blood-glucose-monitor

Trust: 0.3

url: https://ics-cert.us-cert.gov/advisories/icsma-16-279-01

Trust: 0.3

sources: CERT/CC: VU#884840 // VULHUB: VHN-94505 // BID: 93351 // JVNDB: JVNDB-2016-005123 // CNNVD: CNNVD-201610-004 // NVD: CVE-2016-5686

CREDITS

Tod Beardsley of Rapid7.

Trust: 0.3

sources: BID: 93351

SOURCES

db: CERT/CC, id: VU#884840
db: VULHUB, id: VHN-94505
db: BID, id: 93351
db: JVNDB, id: JVNDB-2016-005123
db: CNNVD, id: CNNVD-201610-004
db: NVD, id: CVE-2016-5686

LAST UPDATE DATE

2025-04-13T23:17:51.274000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#884840, date: 2016-10-11T00:00:00
db: VULHUB, id: VHN-94505, date: 2016-11-28T00:00:00
db: BID, id: 93351, date: 2016-10-10T05:02:00
db: JVNDB, id: JVNDB-2016-005123, date: 2016-10-11T00:00:00
db: CNNVD, id: CNNVD-201610-004, date: 2016-10-09T00:00:00
db: NVD, id: CVE-2016-5686, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CERT/CC, id: VU#884840, date: 2016-10-04T00:00:00
db: VULHUB, id: VHN-94505, date: 2016-10-05T00:00:00
db: BID, id: 93351, date: 2016-10-04T00:00:00
db: JVNDB, id: JVNDB-2016-005123, date: 2016-10-11T00:00:00
db: CNNVD, id: CNNVD-201610-004, date: 2016-10-09T00:00:00
db: NVD, id: CVE-2016-5686, date: 2016-10-05T10:59:14.267