Lucene search

IcscertCVE-2018-8868

HistoryJul 03, 2018 - 1:29 a.m.

CVE-2018-8868

2018-07-0301:29:01

CWE-749

icscert

web.nvd.nist.gov

medtronic mycarelink

patient monitor

debug functionality

unauthorized access

implantable cardiac devices

CVSS2

6.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS3

6.4

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

29.5%

JSON

Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all versions, and 24952 MyCareLink Monitor, all versions, contains debug code meant to test the functionality of the monitor’s communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can apply the other vulnerabilities within this advisory to access this debug functionality. This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality.

Affected configurations

Nvd

Node

medtronic24950_mycarelink_monitor_firmwareMatch-

AND

medtronic24950_mycarelink_monitorMatch-

Node

medtronic24952_mycarelink_monitor_firmwareMatch-

AND

medtronic24952_mycarelink_monitorMatch-

VendorProductVersionCPE
medtronic24950_mycarelink_monitor_firmware-cpe:2.3:o:medtronic:24950_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*
medtronic24950_mycarelink_monitor-cpe:2.3:h:medtronic:24950_mycarelink_monitor:-:*:*:*:*:*:*:*
medtronic24952_mycarelink_monitor_firmware-cpe:2.3:o:medtronic:24952_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*
medtronic24952_mycarelink_monitor-cpe:2.3:h:medtronic:24952_mycarelink_monitor:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
medtronic	24950_mycarelink_monitor_firmware	-	cpe:2.3:o:medtronic:24950_mycarelink_monitor_firmware:-:::::::*
medtronic	24950_mycarelink_monitor	-	cpe:2.3:h:medtronic:24950_mycarelink_monitor:-:::::::*
medtronic	24952_mycarelink_monitor_firmware	-	cpe:2.3:o:medtronic:24952_mycarelink_monitor_firmware:-:::::::*
medtronic	24952_mycarelink_monitor	-	cpe:2.3:h:medtronic:24952_mycarelink_monitor:-:::::::*

CNA Affected

[
  {
    "product": "Medtronic MyCareLink Patient Monitor",
    "vendor": "ICS-CERT",
    "versions": [
      {
        "status": "affected",
        "version": "24950 MyCareLink Monitor, all versions, 24952 MyCareLink Monitor, all versions."
      }
    ]
  }
]

References

ics-cert.us-cert.gov/advisories/ICSMA-18-179-01

CVSS2

6.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS3

6.4

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

29.5%

JSON

Related for CVE-2018-8868