cnvd - cnvd-2018-12557

CNVD-2018-12557

Vulnerability from cnvd - Published: 2018-07-05

Title

Medtronic 2090 CareLink Programmer设计漏洞

Description

Medtronic 2090 CareLink Programmer是美国Medtronic公司的一套便携式计算机产品。该产品用于在医疗行业中管理心脏设备并进行编程。 Medtronic 2090 CareLink Programmer所有版本中的受影响产品中存在安全漏洞，该漏洞源于产品在使用虚拟专用网络连接来下载安全更新之前，未能验证是否连接到该专用网络。本地攻击者可利用该漏洞影响网络通信。

Severity

中

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： http://www.medtronic.com/

Reference

https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-01

Impacted products

Name
Medtronic 2090 Carelink Programmer

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-10596"
    }
  },
  "description": "Medtronic 2090 CareLink Programmer\u662f\u7f8e\u56fdMedtronic\u516c\u53f8\u7684\u4e00\u5957\u4fbf\u643a\u5f0f\u8ba1\u7b97\u673a\u4ea7\u54c1\u3002\u8be5\u4ea7\u54c1\u7528\u4e8e\u5728\u533b\u7597\u884c\u4e1a\u4e2d\u7ba1\u7406\u5fc3\u810f\u8bbe\u5907\u5e76\u8fdb\u884c\u7f16\u7a0b\u3002\r\n\r\nMedtronic 2090 CareLink Programmer\u6240\u6709\u7248\u672c\u4e2d\u7684\u53d7\u5f71\u54cd\u4ea7\u54c1\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u5728\u4f7f\u7528\u865a\u62df\u4e13\u7528\u7f51\u7edc\u8fde\u63a5\u6765\u4e0b\u8f7d\u5b89\u5168\u66f4\u65b0\u4e4b\u524d\uff0c\u672a\u80fd\u9a8c\u8bc1\u662f\u5426\u8fde\u63a5\u5230\u8be5\u4e13\u7528\u7f51\u7edc\u3002\u672c\u5730\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5f71\u54cd\u7f51\u7edc\u901a\u4fe1\u3002",
  "discovererName": "Billy Rios and Jonathan Butts of Whitescope LLC",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttp://www.medtronic.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-12557",
  "openTime": "2018-07-05",
  "products": {
    "product": "Medtronic 2090 Carelink Programmer"
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-01",
  "serverity": "\u4e2d",
  "submitTime": "2018-07-05",
  "title": "Medtronic 2090 CareLink Programmer\u8bbe\u8ba1\u6f0f\u6d1e"
}

CVE-2018-10596 (GCVE-0-2018-10596)

Vulnerability from cvelistv5 – Published: 2018-07-02 18:00 – Updated: 2025-05-22 17:36

Summary

Medtronic 2090 CareLink Programmer uses a virtual private network connection to securely download updates. It does not verify it is still connected to this virtual private network before downloading updates. The affected products initially establish an encapsulated IP-based VPN connection to a Medtronic-hosted update network. Once the VPN is established, it makes a request to a HTTP (non-TLS) server across the VPN for updates, which responds and provides any available updates. The programmer-side (client) service responsible for this HTTP request does not check to ensure it is still connected to the VPN before making the HTTP request. Thus, an attacker could cause the VPN connection to terminate (through various methods and attack points) and intercept the HTTP request, responding with malicious updates via a man-in-the-middle attack. The affected products do not verify the origin or integrity of these updates, as it insufficiently relied on the security of the VPN. An attacker with remote network access to the programmer could influence these communications.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-923

Assigner

icscert

References

URL

Tags

	https://global.medtronic.com/xg-en/product-securi…
	https://www.cisa.gov/news-events/ics-medical-advi…

Impacted products

Vendor

Product

Version

Medtronic

2090 CareLink Programmer

Affected: All versions

Medtronic

29901 Encore Programmer

Affected: All versions

Credits

Billy Rios and Jonathan Butts of Whitescope LLC identified these vulnerabilities and reported them to CISA.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:39:08.248Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "2090 CareLink Programmer",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "29901 Encore Programmer",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Billy Rios and Jonathan Butts of Whitescope LLC identified these vulnerabilities and reported them to CISA."
        }
      ],
      "datePublic": "2018-06-29T06:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMedtronic 2090 CareLink Programmer \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003euses a virtual private network connection to securely download updates. It does not verify it is still connected to this virtual private network before downloading updates. The affected products initially establish an encapsulated IP-based VPN connection to a Medtronic-hosted update network. Once the VPN is established, it makes a request to a HTTP (non-TLS) server across the VPN for updates, which responds and provides any available updates. The programmer-side (client) service responsible for this HTTP request does not check to ensure it is still connected to the VPN before making the HTTP request. Thus, an attacker could cause the VPN connection to terminate (through various methods and attack points) and intercept the HTTP request, responding with malicious updates via a man-in-the-middle attack. The affected products do not verify the origin or integrity of these updates, as it insufficiently relied on the security of the VPN. An attacker with remote network access to the programmer could influence these communications.\u003c/span\u003e\n\n\u003c/p\u003e"
            }
          ],
          "value": "Medtronic 2090 CareLink Programmer \n\nuses a virtual private network connection to securely download updates. It does not verify it is still connected to this virtual private network before downloading updates. The affected products initially establish an encapsulated IP-based VPN connection to a Medtronic-hosted update network. Once the VPN is established, it makes a request to a HTTP (non-TLS) server across the VPN for updates, which responds and provides any available updates. The programmer-side (client) service responsible for this HTTP request does not check to ensure it is still connected to the VPN before making the HTTP request. Thus, an attacker could cause the VPN connection to terminate (through various methods and attack points) and intercept the HTTP request, responding with malicious updates via a man-in-the-middle attack. The affected products do not verify the origin or integrity of these updates, as it insufficiently relied on the security of the VPN. An attacker with remote network access to the programmer could influence these communications."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-923",
              "description": "CWE-923",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-22T17:36:04.656Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/carelink-2090-29901.html"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-058-01"
        }
      ],
      "source": {
        "advisory": "ICSMA-18-058-01",
        "discovery": "EXTERNAL"
      },
      "title": "Medtronic 2090 Carelink Programmer Improper Restriction of Communication Channel to Intended Endpoints",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMedtronic has assessed the vulnerabilities and determined that no new potential safety risks were identified. In order to enhance system security, Medtronic has added periodic integrity checks for files associated with the software deployment network. Additionally, Medtronic has developed server-side security changes that further enhance security. Medtronic reports that they will not be issuing a product update; however, Medtronic has identified compensating controls within this advisory to reduce the risk of exploitation and reiterates the following from the CareLink 2090 Programmer Reference Manual:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain good physical controls over the programmer. Having a secure physical environment prevents access to the internals of the programmer.\u003c/li\u003e\u003cli\u003eOnly connect the programmer to managed, secure networks.\u003c/li\u003e\u003cli\u003eUpdate the software on the programmer when Medtronic updates are available.\u003c/li\u003e\u003cli\u003eAlternatively, disconnect the programmer from the network. Network connectivity is not required for normal programmer operation. \u003c/li\u003e\u003cli\u003eOffline updates are available, contact your Medtronic representative for more information.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eMedtronic has deployed mitigating patches to address the reported vulnerabilities. Medtronic has also stated that they have increased security controls associated with these vulnerabilities. As a result of the available mitigating patches, Medtronic has re-enabled the network-based software update mechanism.\u003c/p\u003e\u003cp\u003eMedtronic has stated that the patch for affected products can be obtained by contacting Medtronic Technical Services at 800\u2011638\u20111991.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eAfter additional review and risk evaluation of the affected products, Medtronic has disabled the network-based software update mechanism, including both the VPN and the HTTP subservices, as an immediate security mitigation. Users should not attempt to update the affected products over the network as this update mechanism is vulnerable to the attack described in section 4.2.3. Medtronic will continue to implement and deploy increased security protections and mitigations to address the vulnerabilities in this advisory.\u003c/p\u003e\u003cp\u003eUsers should still obtain and apply updates via controlled USB dongles and should contact their Medtronic representative for more information.\u003c/p\u003e\u003cp\u003eMedtronic recommends that affected products continue to be used for their intended purpose in the previously described manner.\u003cbr\u003e\u003cbr\u003eMedtronic has released a security bulletin for the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003e2090 CareLink Programmer\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Medtronic has assessed the vulnerabilities and determined that no new potential safety risks were identified. In order to enhance system security, Medtronic has added periodic integrity checks for files associated with the software deployment network. Additionally, Medtronic has developed server-side security changes that further enhance security. Medtronic reports that they will not be issuing a product update; however, Medtronic has identified compensating controls within this advisory to reduce the risk of exploitation and reiterates the following from the CareLink 2090 Programmer Reference Manual:\n\n  *  Maintain good physical controls over the programmer. Having a secure physical environment prevents access to the internals of the programmer.\n  *  Only connect the programmer to managed, secure networks.\n  *  Update the software on the programmer when Medtronic updates are available.\n  *  Alternatively, disconnect the programmer from the network. Network connectivity is not required for normal programmer operation. \n  *  Offline updates are available, contact your Medtronic representative for more information.\n\n\nMedtronic has deployed mitigating patches to address the reported vulnerabilities. Medtronic has also stated that they have increased security controls associated with these vulnerabilities. As a result of the available mitigating patches, Medtronic has re-enabled the network-based software update mechanism.\n\nMedtronic has stated that the patch for affected products can be obtained by contacting Medtronic Technical Services at 800\u2011638\u20111991.\n\n\nAfter additional review and risk evaluation of the affected products, Medtronic has disabled the network-based software update mechanism, including both the VPN and the HTTP subservices, as an immediate security mitigation. Users should not attempt to update the affected products over the network as this update mechanism is vulnerable to the attack described in section 4.2.3. Medtronic will continue to implement and deploy increased security protections and mitigations to address the vulnerabilities in this advisory.\n\nUsers should still obtain and apply updates via controlled USB dongles and should contact their Medtronic representative for more information.\n\nMedtronic recommends that affected products continue to be used for their intended purpose in the previously described manner.\n\nMedtronic has released a security bulletin for the  2090 CareLink Programmer https://www.medtronic.com/security ."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2018-06-29T00:00:00",
          "ID": "CVE-2018-10596",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Medtronic 2090 CareLink Programmer",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "2090 CareLink Programmer, all versions."
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ICS-CERT"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Medtronic 2090 CareLink Programmer all versions The affected product uses a virtual private network connection to securely download updates. The product does not verify it is still connected to this virtual private network before downloading updates. An attacker with local network access to the programmer could influence these communications."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "IMPROPER RESTRICTION OF COMMUNICATION CHANNEL TO INTENDED ENDPOINTS CWE-923"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2018-10596",
    "datePublished": "2018-07-02T18:00:00Z",
    "dateReserved": "2018-05-01T00:00:00",
    "dateUpdated": "2025-05-22T17:36:04.656Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-12557

CVE-2018-10596 (GCVE-0-2018-10596)

Tags

Sightings

Nomenclature