Vulnerabilities were identified in the Insulet Omnipod Insulin Management System and the Systech NDS-5000 Terminal Server and pertinent advisories were issued.
Inappropriate Access Control Discovered in Insulet Omnipod Insulin Management System
ThirdwayV Inc. has identified a high severity vulnerability present in the Omnipod Insulin Management System which an attacker could exploit to access the Pod of a vulnerable insulin pump and intercept and alter information, adjust insulin pump settings, and manipulate insulin delivery.
The vulnerable insulin pumps correspond with an Insulet built Personal Diabetes Manager device utilizing wireless RF. The researchers found that the RF communication protocol doesn’t enforce authentication or authorization appropriately.
The vulnerability affected the following versions:
- UDI/Model/NDC number: ZXP425 (10-Pack) and ZXR425 (10-Pack Canada)
- Omnipod Insulin Management System Product ID/Reorder number: 19191 and 40160
The vulnerability is monitored as CVE-2020-10597 and has a designated CVSS v3 base rating of 7.3 of 10. No incidents of vulnerability exploitation were reported.
Patients must not link any third-party devices or utilize the unapproved software program and must be mindful of pump signals and alarms. Patients ought to keep track of their blood glucose levels properly and any unintentional boluses must be canceled immediately. Insulet advises updating to the most recent version of the insulin pump with more cybersecurity protections.
Patients utilizing a vulnerable product were cautioned to get in touch with Insulet Customer Care or a healthcare professional for more information regarding the risk presented by the vulnerability.
Systech NDS-5000 Terminal Server Found With Cross-Site Scripting Vulnerability
A cross-site scripting vulnerability was discovered in NDS-5000 Terminal Server that an attacker could exploit to carry out privileged action for the users, view sensitive information, restrict system accessibility, and possibly remotely implement arbitrary code. An attacker with a low level of skill can exploit the vulnerability remotely.
The vulnerability is monitored as CVE-2020-7006 and has a designated CVSS v3 base rating of 6.8 of 10 (medium severity). The vulnerability impacts NDS/5008 (8 Port, RJ45), DS-5000 Terminal Server and firmware Version 02D.30. The vulnerability has been fixed in firmware version 02F.6.
Consumers of the vulnerable product must get in touch with Systech Technical Support for more information on upgrading the software to avoid exploitation.
Critical Infrastructure Penetration Test Specialist Murat Aydemir of Biznet Bilisim A.S. identified the vulnerability.