ID

VAR-201610-0160


CVE

CVE-2016-5084


TITLE

Animas OneTouch Ping insulin pump contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#884840

DESCRIPTION

Johnson & Johnson Animas OneTouch Ping devices do not use encryption for certain data, which might allow remote attackers to obtain sensitive information by sniffing the network. The attacker cannot obtain personally identifiable information. In addition, JVNVU#95089754 publishes this issue as CWE-319 (https://cwe.mitre.org/data/definitions/319.html). If a third party intercepts network traffic, important information may be obtained.

Animas OneTouch Ping is prone to the following security vulnerabilities:

1. An information-disclosure vulnerability
2. Multiple security-bypass vulnerabilities
3. A spoofing vulnerability

An attacker can exploit these vulnerabilities to obtain sensitive information, bypass security restrictions, perform certain unauthorized actions, and insert and display spoofed content. Other attacks are also possible.

Animas OneTouch Ping is a medical self-service device from Animas Company of the United States for diabetic patients taking insulin. The Animas OneTouch Ping device has a security flaw, which stems from the fact that the program does not encrypt data

Trust: 2.7

sources: NVD: CVE-2016-5084 // CERT/CC: VU#884840 // JVNDB: JVNDB-2016-005120 // BID: 93351 // VULHUB: VHN-93903

AFFECTED PRODUCTS

vendor: animas // model: onetouch ping // scope: - // version: -

Trust: 1.6

vendor: animas // model: onetouch ping // scope: eq // version: -

Trust: 1.6

vendor: johnson johnson // model: - // scope: - // version: -

Trust: 0.8

vendor: animas // model: onetouch ping // scope: eq // version: 0

Trust: 0.3

sources: CERT/CC: VU#884840 // BID: 93351 // JVNDB: JVNDB-2016-005120 // CNNVD: CNNVD-201610-007 // NVD: CVE-2016-5084

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-5084
value: HIGH

Trust: 1.0

NVD: CVE-2016-5084
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201610-007
value: MEDIUM

Trust: 0.6

VULHUB: VHN-93903
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-5084
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-93903
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-5084
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-93903 // JVNDB: JVNDB-2016-005120 // CNNVD: CNNVD-201610-007 // NVD: CVE-2016-5084

PROBLEMTYPE DATA

problemtype:CWE-310

Trust: 1.9

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-93903 // JVNDB: JVNDB-2016-005120 // NVD: CVE-2016-5084

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-007

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201610-007

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005120

PATCH

title: OneTouch Ping Glucose Management System // url: https://www.animas.com/diabetes-insulin-pump-and-bloog-glucose-meter/onetouch-ping-blood-glucose-monitor

Trust: 0.8

title: Important Information about the cybersecurity of your OneTouch Ping Insulin Infusion Pump // url: https://www.animas.com/sites/default/files/pdf/FINAL%20Letter%20to%20patients%20regarding%20OTP_10.04.16.16_WEB%20VERSION.PDF

Trust: 0.8

sources: JVNDB: JVNDB-2016-005120

EXTERNAL IDS

db: CERT/CC // id: VU#884840

Trust: 3.6

db: NVD // id: CVE-2016-5084

Trust: 2.8

db: ICS CERT // id: ICSMA-16-279-01

Trust: 2.2

db: BID // id: 93351

Trust: 1.4

db: JVN // id: JVNVU95089754

Trust: 0.8

db: JVNDB // id: JVNDB-2016-005120

Trust: 0.8

db: CNNVD // id: CNNVD-201610-007

Trust: 0.7

db: NSFOCUS // id: 34991

Trust: 0.6

db: VULHUB // id: VHN-93903

Trust: 0.1

sources: CERT/CC: VU#884840 // VULHUB: VHN-93903 // BID: 93351 // JVNDB: JVNDB-2016-005120 // CNNVD: CNNVD-201610-007 // NVD: CVE-2016-5084

REFERENCES

url:https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump

Trust: 3.6

url:http://www.kb.cert.org/vuls/id/884840

Trust: 2.8

url:https://ics-cert.us-cert.gov/advisories/icsma-16-279-01

Trust: 2.2

url:http://www.kb.cert.org/vuls/id/bluu-a9sqrs

Trust: 1.7

url:http://www.securityfocus.com/bid/93351

Trust: 1.1

url:https://www.animas.com/our-pumps/one-touch-ping

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5084

Trust: 0.8

url:http://jvn.jp/vu/jvnvu95089754/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-5084

Trust: 0.8

url:http://www.nsfocus.net/vulndb/34991

Trust: 0.6

url:https://www.animas.com/diabetes-insulin-pump-and-bloog-glucose-meter/onetouch-ping-blood-glucose-monitor

Trust: 0.3

sources: CERT/CC: VU#884840 // VULHUB: VHN-93903 // BID: 93351 // JVNDB: JVNDB-2016-005120 // CNNVD: CNNVD-201610-007 // NVD: CVE-2016-5084

CREDITS

Tod Beardsley of Rapid7.

Trust: 0.3

sources: BID: 93351

SOURCES

db: CERT/CC // id: VU#884840
db: VULHUB // id: VHN-93903
db: BID // id: 93351
db: JVNDB // id: JVNDB-2016-005120
db: CNNVD // id: CNNVD-201610-007
db: NVD // id: CVE-2016-5084

LAST UPDATE DATE

2025-04-13T23:17:51.241000+00:00


SOURCES UPDATE DATE

db: CERT/CC // id: VU#884840 // date: 2016-10-11T00:00:00
db: VULHUB // id: VHN-93903 // date: 2016-12-24T00:00:00
db: BID // id: 93351 // date: 2016-10-10T05:02:00
db: JVNDB // id: JVNDB-2016-005120 // date: 2016-10-11T00:00:00
db: CNNVD // id: CNNVD-201610-007 // date: 2016-10-09T00:00:00
db: NVD // id: CVE-2016-5084 // date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CERT/CC // id: VU#884840 // date: 2016-10-04T00:00:00
db: VULHUB // id: VHN-93903 // date: 2016-10-05T00:00:00
db: BID // id: 93351 // date: 2016-10-04T00:00:00
db: JVNDB // id: JVNDB-2016-005120 // date: 2016-10-11T00:00:00
db: CNNVD // id: CNNVD-201610-007 // date: 2016-10-09T00:00:00
db: NVD // id: CVE-2016-5084 // date: 2016-10-05T10:59:10.640