ID

VAR-201610-0162


CVE

CVE-2016-5086


TITLE

Animas OneTouch Ping insulin pump contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#884840

DESCRIPTION

Johnson & Johnson Animas OneTouch Ping devices allow remote attackers to bypass authentication via replay attacks.

The Animas OneTouch Ping insulin pump contains multiple vulnerabilities that may allow an unauthenticated remote attacker to obtain patient treatment or device data, or execute commands on the device. The attacker cannot obtain personally identifiable information.

In addition, JVNVU#95089754 publishes this issue as CWE-294 (https://cwe.mitre.org/data/definitions/294.html). A third party may bypass authentication through a replay attack.

Animas OneTouch Ping is prone to the following security vulnerabilities:

1. An information-disclosure vulnerability
2. Multiple security-bypass vulnerabilities
3. A spoofing vulnerability

An attacker can exploit these vulnerabilities to obtain sensitive information, bypass security restrictions, perform certain unauthorized actions, and insert and display spoofed content. Other attacks are also possible.

Animas OneTouch Ping is a medical self-service device from the Animas company of the United States, for diabetic patients taking insulin.

Trust: 2.7

sources: NVD: CVE-2016-5086 // CERT/CC: VU#884840 // JVNDB: JVNDB-2016-005122 // BID: 93351 // VULHUB: VHN-93905

AFFECTED PRODUCTS

vendor: animas, model: onetouch ping, scope: -, version: -

Trust: 1.6

vendor: animas, model: onetouch ping, scope: eq, version: -

Trust: 1.6

vendor: johnson johnson, model: -, scope: -, version: -

Trust: 0.8

vendor: animas, model: onetouch ping, scope: eq, version: 0

Trust: 0.3

sources: CERT/CC: VU#884840 // BID: 93351 // JVNDB: JVNDB-2016-005122 // CNNVD: CNNVD-201610-005 // NVD: CVE-2016-5086

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-5086
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-5086
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201610-005
value: CRITICAL

Trust: 0.6

VULHUB: VHN-93905
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-5086
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-93905
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-5086
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-93905 // JVNDB: JVNDB-2016-005122 // CNNVD: CNNVD-201610-005 // NVD: CVE-2016-5086

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-93905 // JVNDB: JVNDB-2016-005122 // NVD: CVE-2016-5086

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-005

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201610-005

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005122

PATCH

title: OneTouch Ping Glucose Management System
url: https://www.animas.com/diabetes-insulin-pump-and-bloog-glucose-meter/onetouch-ping-blood-glucose-monitor

Trust: 0.8

title: Important Information about the cybersecurity of your OneTouch Ping Insulin Infusion Pump
url: https://www.animas.com/sites/default/files/pdf/FINAL%20Letter%20to%20patients%20regarding%20OTP_10.04.16.16_WEB%20VERSION.PDF

Trust: 0.8

sources: JVNDB: JVNDB-2016-005122

EXTERNAL IDS

db: CERT/CC, id: VU#884840

Trust: 3.6

db: NVD, id: CVE-2016-5086

Trust: 2.8

db: ICS CERT, id: ICSMA-16-279-01

Trust: 2.2

db: BID, id: 93351

Trust: 1.4

db: JVN, id: JVNVU95089754

Trust: 0.8

db: JVNDB, id: JVNDB-2016-005122

Trust: 0.8

db: CNNVD, id: CNNVD-201610-005

Trust: 0.7

db: NSFOCUS, id: 34993

Trust: 0.6

db: VULHUB, id: VHN-93905

Trust: 0.1

sources: CERT/CC: VU#884840 // VULHUB: VHN-93905 // BID: 93351 // JVNDB: JVNDB-2016-005122 // CNNVD: CNNVD-201610-005 // NVD: CVE-2016-5086

REFERENCES

url:https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump

Trust: 3.6

url:http://www.kb.cert.org/vuls/id/884840

Trust: 2.8

url:https://ics-cert.us-cert.gov/advisories/icsma-16-279-01

Trust: 2.2

url:http://www.kb.cert.org/vuls/id/bluu-a9sqrs

Trust: 1.7

url:http://www.securityfocus.com/bid/93351

Trust: 1.1

url:https://www.animas.com/our-pumps/one-touch-ping

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5086

Trust: 0.8

url:http://jvn.jp/vu/jvnvu95089754/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-5086

Trust: 0.8

url:http://www.nsfocus.net/vulndb/34993

Trust: 0.6

url:https://www.animas.com/diabetes-insulin-pump-and-bloog-glucose-meter/onetouch-ping-blood-glucose-monitor

Trust: 0.3

sources: CERT/CC: VU#884840 // VULHUB: VHN-93905 // BID: 93351 // JVNDB: JVNDB-2016-005122 // CNNVD: CNNVD-201610-005 // NVD: CVE-2016-5086

CREDITS

Tod Beardsley of Rapid7.

Trust: 0.3

sources: BID: 93351

SOURCES

db: CERT/CC, id: VU#884840
db: VULHUB, id: VHN-93905
db: BID, id: 93351
db: JVNDB, id: JVNDB-2016-005122
db: CNNVD, id: CNNVD-201610-005
db: NVD, id: CVE-2016-5086

LAST UPDATE DATE

2025-04-13T23:17:51.208000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#884840, date: 2016-10-11T00:00:00
db: VULHUB, id: VHN-93905, date: 2016-12-24T00:00:00
db: BID, id: 93351, date: 2016-10-10T05:02:00
db: JVNDB, id: JVNDB-2016-005122, date: 2016-10-11T00:00:00
db: CNNVD, id: CNNVD-201610-005, date: 2016-10-09T00:00:00
db: NVD, id: CVE-2016-5086, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CERT/CC, id: VU#884840, date: 2016-10-04T00:00:00
db: VULHUB, id: VHN-93905, date: 2016-10-05T00:00:00
db: BID, id: 93351, date: 2016-10-04T00:00:00
db: JVNDB, id: JVNDB-2016-005122, date: 2016-10-11T00:00:00
db: CNNVD, id: CNNVD-201610-005, date: 2016-10-09T00:00:00
db: NVD, id: CVE-2016-5086, date: 2016-10-05T10:59:12.923