CVE-2021-27491
📋 TL;DR
The Ypsomed mylife Cloud and mobile application disclose password hashes during user registration. This vulnerability allows attackers to obtain password hashes that could be cracked offline, potentially compromising user accounts. All users of mylife Cloud versions prior to 1.7.2 and mylife Mobile Application versions prior to 1.7.5 are affected.
💻 Affected Systems
- Ypsomed mylife Cloud
- Ypsomed mylife Mobile Application
📦 What is this software?
Mylife by Ypsomed
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain password hashes, crack them offline, gain unauthorized access to user accounts, and potentially access sensitive medical data or control medical devices.
Likely Case
Attackers harvest password hashes during registration, crack weak passwords, and compromise user accounts to access personal health information.
If Mitigated
With strong password policies and proper monitoring, impact is limited to potential exposure of hashed credentials requiring significant effort to crack.
🎯 Exploit Status
Exploitation requires intercepting registration traffic or accessing registration endpoints; no authentication needed for registration process.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: mylife Cloud: 1.7.2+, mylife App: 1.7.5+
Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsma-21-196-01
Restart Required: Yes
Instructions:
1. Update mylife Cloud to version 1.7.2 or later.
2. Update mylife Mobile Application to version 1.7.5 or later.
3. Restart services after update.
4. Force password resets for all users as a precaution.
🔧 Temporary Workarounds
Disable new user registration
Temporarily disable new user registration to prevent hash disclosure during the vulnerable registration process.
Implement network monitoring
Monitor registration endpoints for unusual traffic patterns or hash extraction attempts.
🧯 If You Can't Patch
- Implement strong password policies requiring complex passwords that are resistant to hash cracking
- Monitor registration endpoints and implement rate limiting to detect and prevent hash harvesting attempts
🔍 How to Verify
Check if Vulnerable:
Check application version: mylife Cloud < 1.7.2 or mylife App < 1.7.5. Monitor registration API responses for password hash disclosure.
Check Version:
Check app settings or about section for version information; cloud version typically shown in admin interface.
Verify Fix Applied:
Verify version is updated: mylife Cloud ≥ 1.7.2 and mylife App ≥ 1.7.5. Test registration process to confirm password hashes are no longer disclosed.
📡 Detection & Monitoring
Log Indicators:
- Unusual registration attempts
- Multiple registration requests from single IP
- Registration API responses containing hash-like strings
Network Indicators:
- HTTP traffic to registration endpoints containing hash values in responses
- Unusual patterns in registration request volume
SIEM Query:
source="registration_api" AND (response_body CONTAINS "$2a$" OR response_body CONTAINS "$2y$" OR response_body CONTAINS "sha256$")
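The log and network indicators above can be checked offline against exported access logs. The following is an added example (not part of this advisory and not Ypsomed code) that scans constructed sample log lines for the same hash-like markers the SIEM query looks for (bcrypt `$2a$`/`$2y$` and `sha256$`, plus a Django-style `pbkdf2_sha256$` prefix and a bare 64-character hex digest, which goes slightly beyond the query) and separately flags source IPs that hit the registration endpoint repeatedly. The log line layout, the `/api/v1/register` path, the IPs and the bodies are all assumptions for the example; the bcrypt string is a widely published sample hash and the hex digest is SHA-256 of the word "test", neither taken from real traffic.

```python
"""Offline check of registration API logs for password-hash disclosure
(CVE-2021-27491 style) and for bursty registration activity.
Added example; assumes the log format documented below."""
import re
from collections import Counter

# Regexes for hash formats that must never appear in a registration response.
# The first three mirror the advisory's SIEM query; the other two are added here.
HASH_PATTERNS = {
    "bcrypt": re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"),
    "pbkdf2_sha256": re.compile(r"pbkdf2_sha256\$\d+\$[^$\s\"']+\$[A-Za-z0-9+/=]+"),
    "sha256_prefixed": re.compile(r"sha256\$[^\s\"']+"),
    "hex_digest_64": re.compile(r"\b[0-9a-f]{64}\b"),
}

# Assumed log line layout: "<client_ip> <method> <path> <status> <response_body>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (.*)$")

# Assumed path fragment identifying the registration endpoint
REGISTRATION_PATH_HINT = "register"

# Constructed sample log lines (not real traffic); the bcrypt value is a published
# sample hash and the 64-hex value is SHA-256("test"), both used only as markers.
SAMPLE_LOG = [
    '203.0.113.10 POST /api/v1/register 200 {"id":101,"email":"a@example.com"}',
    '203.0.113.10 POST /api/v1/register 200 {"id":102,"passwordHash":"$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"}',
    '198.51.100.7 POST /api/v1/register 200 {"user":{"id":103,"pw":"sha256$s4lt$9f86d081884c"}}',
    '198.51.100.7 POST /api/v1/login 200 {"token":"opaque-session-token"}',
    '192.0.2.55 POST /api/v1/register 200 {"id":104,"email":"b@example.com"}',
    '192.0.2.55 POST /api/v1/register 200 {"id":105,"pwd":"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}',
    '192.0.2.55 POST /api/v1/register 200 {"id":106,"email":"c@example.com"}',
    '192.0.2.55 POST /api/v1/register 429 {"error":"too many requests"}',
]


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, status, body = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status), "body": body}


def find_hash_disclosures(lines):
    """One finding per registration response whose body contains a hash-like string.
    The matched string is deliberately not copied into the finding, so the alert
    itself does not re-disclose credential material; only the pattern names are kept."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or REGISTRATION_PATH_HINT not in rec["path"]:
            continue
        kinds = sorted(k for k, rx in HASH_PATTERNS.items() if rx.search(rec["body"]))
        if kinds:
            findings.append({"line": lineno, "ip": rec["ip"], "path": rec["path"], "kinds": kinds})
    return findings


def bursty_registration_ips(lines, threshold=3):
    """Source IPs that hit the registration endpoint at least `threshold` times
    in the supplied window (the 'multiple registration requests from single IP' indicator)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and REGISTRATION_PATH_HINT in rec["path"]:
            counts[rec["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def analyze(lines, threshold=3):
    """Combine both indicators into one report dictionary."""
    return {
        "disclosures": find_hash_disclosures(lines),
        "bursty_ips": bursty_registration_ips(lines, threshold),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["disclosures"]:
        print(f"line {f['line']}: {f['ip']} {f['path']} leaked {', '.join(f['kinds'])}")
    print("bursty registration sources:", report["bursty_ips"])
```

Run it against a real export by replacing `SAMPLE_LOG` with the file's lines and adjusting `LOG_RE` to the access-log format in use; a hit from `find_hash_disclosures` on a patched deployment (Cloud 1.7.2+, App 1.7.5+) means the fix has not actually taken effect and warrants the same password-reset step the instructions above prescribe.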