Vulnerability Name:

CVE-2018-10626

Assigned: 2018-08-07
Published: 2018-08-07
Updated: 2018-08-11
Summary: A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected product's update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.
CVSS v3 Severity: 4.4 Medium (CCN CVSS v3 Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N)
3.9 Low (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Adjacent
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 2.9 Low (CCN CVSS v2 Vector: AV:A/AC:H/Au:S/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Adjacent_Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
References: Source: BID
Type: UNKNOWN
105042

Source: XF
Type: UNKNOWN
medtronic-cve201810626-sec-bypass(148098)

Source: MISC
Type: UNKNOWN
https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01
