Lucene search

[email protected]CVE-2019-6538

HistoryMar 25, 2019 - 10:29 p.m.

CVE-2019-6538

2019-03-2522:29:00

CWE-862

CWE-306

[email protected]

web.nvd.nist.gov

cve-2019-6538

medtronic

mycarelink monitor

conexus

telemetry protocol

unauthorized access

data manipulation

implanted cardiac devices

nvd

6.5 Medium

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

6.4 Medium

AI Score

Confidence

High

3.3 Low

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:A/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

24.6%

JSON

The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.

CPENameOperatorVersion
medtronic:mycarelink_monitor_firmwaremedtronic mycarelink monitor firmwareeq24950
medtronic:mycarelink_monitor_firmwaremedtronic mycarelink monitor firmwareeq24952
medtronic:carelink_monitor_firmwaremedtronic carelink monitor firmwareeq2490c
medtronic:carelink_2090_firmwaremedtronic carelink 2090 firmwareeq-
medtronic:amplia_crt-d_firmwaremedtronic amplia crt-d firmwareeq-
medtronic:claria_crt-d_firmwaremedtronic claria crt-d firmwareeq-
medtronic:compia_crt-d_firmwaremedtronic compia crt-d firmwareeq-
medtronic:concerto_crt-d_firmwaremedtronic concerto crt-d firmwareeq-
medtronic:concerto_ii_crt-d_firmwaremedtronic concerto ii crt-d firmwareeq-
medtronic:consulta_crt-d_firmwaremedtronic consulta crt-d firmwareeq-

CPE	Name	Operator	Version
medtronic:mycarelink_monitor_firmware	medtronic mycarelink monitor firmware	eq	24950
medtronic:mycarelink_monitor_firmware	medtronic mycarelink monitor firmware	eq	24952
medtronic:carelink_monitor_firmware	medtronic carelink monitor firmware	eq	2490c
medtronic:carelink_2090_firmware	medtronic carelink 2090 firmware	eq	-
medtronic:amplia_crt-d_firmware	medtronic amplia crt-d firmware	eq	-
medtronic:claria_crt-d_firmware	medtronic claria crt-d firmware	eq	-
medtronic:compia_crt-d_firmware	medtronic compia crt-d firmware	eq	-
medtronic:concerto_crt-d_firmware	medtronic concerto crt-d firmware	eq	-
medtronic:concerto_ii_crt-d_firmware	medtronic concerto ii crt-d firmware	eq	-
medtronic:consulta_crt-d_firmware	medtronic consulta crt-d firmware	eq	-

Rows per page:

1-10 of 211

References

www.securityfocus.com/bid/107544

ics-cert.us-cert.gov/advisories/ICSMA-19-080-01

6.5 Medium

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

6.4 Medium

AI Score

Confidence

High

3.3 Low

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:A/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

24.6%

JSON

Related for CVE-2019-6538

prion1 thn1 ics1 threatpost2