PT-2019-9682 · Ascensia · Ascensia Contour Next One

Published

2019-05-06

Updated

2020-08-24

CVE-2018-18978

CVSS v3.1

7.4

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Ascensia Contour NEXT ONE application for Android versions prior to 2019-01-15

Description The issue concerns a statically coded encryption key in the application. This key can be extracted, allowing an attacker to decipher communications between the application and the backend server. If combined with another vulnerability that allows access to encrypted user data from the Ascensia cloud, an attacker could obtain and modify patient medical information.

Recommendations For versions prior to 2019-01-15, update the application to a version released after 2019-01-15 to ensure the encryption key is no longer statically coded and to mitigate the risk of data modification.

Exploit

Fix

Using Hardcoded Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-798

Related Identifiers

CVE-2018-18978

Affected Products

Ascensia Contour Next One

PT-2019-9682 · Ascensia · Ascensia Contour Next One

CVE-2018-18978

Weakness Enumeration

Related Identifiers

Affected Products

References · 3