Vulnerability-Lookup

CNVD-2018-19605

Vulnerability from cnvd - Published: 2018-09-21

Title

多款Medtronic产品信息泄露漏洞

Description

Medtronic MMT-508 MiniMed insulin pump等都是美国Medtronic公司的不同型号的胰岛素泵。多款Medtronic产品存在信息泄露漏洞，攻击者可在配对远程控制器并启用‘easy bolus’和‘remote bolus’选项时，利用该漏洞捕获控制器和pump之间传递的信息并进行胰岛素注射。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： http://www.medtronic.com/us-en/index.html

Reference

https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-02

Impacted products

Name
['Medtronic MMT - 551 / MMT - 751 MiniMed 530G', 'Medtronic MMT - 523K / MMT - 723K Paradigm Revel', 'Medtronic MMT - 523 / MMT - 723 Paradigm Revel', 'Medtronic MMT - 522 / MMT - 722 Paradigm REAL-TIME', 'Medtronic MMT - 508 MiniMed insulin pump']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-14781"
    }
  },
  "description": "Medtronic MMT-508 MiniMed insulin pump\u7b49\u90fd\u662f\u7f8e\u56fdMedtronic\u516c\u53f8\u7684\u4e0d\u540c\u578b\u53f7\u7684\u80f0\u5c9b\u7d20\u6cf5\u3002\r\n\r\n\u591a\u6b3eMedtronic\u4ea7\u54c1\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5728\u914d\u5bf9\u8fdc\u7a0b\u63a7\u5236\u5668\u5e76\u542f\u7528\u2018easy bolus\u2019\u548c\u2018remote bolus\u2019\u9009\u9879\u65f6\uff0c\u5229\u7528\u8be5\u6f0f\u6d1e\u6355\u83b7\u63a7\u5236\u5668\u548cpump\u4e4b\u95f4\u4f20\u9012\u7684\u4fe1\u606f\u5e76\u8fdb\u884c\u80f0\u5c9b\u7d20\u6ce8\u5c04\u3002",
  "discovererName": "Billy Rios, Jesse Young, and Jonathan Butts",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttp://www.medtronic.com/us-en/index.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-19605",
  "openTime": "2018-09-21",
  "products": {
    "product": [
      "Medtronic MMT - 551 / MMT - 751 MiniMed 530G",
      "Medtronic MMT - 523K / MMT - 723K Paradigm Revel",
      "Medtronic MMT - 523 / MMT - 723 Paradigm Revel",
      "Medtronic MMT - 522 / MMT - 722 Paradigm REAL-TIME",
      "Medtronic MMT - 508 MiniMed insulin pump"
    ]
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-02",
  "serverity": "\u4e2d",
  "submitTime": "2018-08-14",
  "title": "\u591a\u6b3eMedtronic\u4ea7\u54c1\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2018-14781 (GCVE-0-2018-14781)

Vulnerability from cvelistv5 – Published: 2018-08-13 22:00 – Updated: 2025-05-22 16:33

Title

Medtronic MiniMed MMT-500/MMT-503 Remote Controllers Authentication Bypass by Capture-replay

Summary

Medtronic MiniMed MMT devices when paired with a remote controller and having the “easy bolus” and “remote bolus” options enabled (non-default), are vulnerable to a capture-replay attack. An attacker can capture the wireless transmissions between the remote controller and the pump and replay them to cause an insulin (bolus) delivery.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-294 - Authentication Bypass by Capture-replay

Assigner

icscert

References

URL

Tags

	https://global.medtronic.com/xg-en/product-securi…
	https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-02
	http://www.securityfocus.com/bid/105044	vdb-entry

Impacted products

Vendor

Product

Version

Medtronic

MMT- 508 - MiniMed pump

Affected: All versions

Medtronic	MMT – 511 pump Paradigm	Affected: All versions
Medtronic	MMT – 512 / MMT – 712 Paradigm x12	Affected: All versions
Medtronic	MMT – 515 / MMT – 715 Paradigm x15	Affected: All versions
Medtronic	MMT – 522 / MMT – 722 Paradigm REAL-TIME	Affected: All versions
Medtronic	MMT – 522(K) / MMT – 722(K) Paradigm REAL-TIME	Affected: All versions
Medtronic	MMT – 523 / MMT – 723 Paradigm Revel	Affected: All versions
Medtronic	MMT – 523(K) / MMT – 723(K) Paradigm	Affected: All versions
Medtronic	MMT – 554 / MMT – 754 MiniMed Veo	Affected: All versions
Medtronic	MMT – 551 / MMT – 751 MiniMed 530G	Affected: All versions

Credits

Billy Rios, Jesse Young, and Jonathan Butts of Whitescope LLC reported these vulnerabilities to CISA.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.831Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-02"
          },
          {
            "name": "105044",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/105044"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MMT- 508 - MiniMed pump",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MMT \u2013 511 pump Paradigm",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MMT \u2013 512 / MMT \u2013 712 Paradigm x12",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MMT \u2013 515 / MMT \u2013 715 Paradigm x15",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MMT \u2013 522 / MMT \u2013 722 Paradigm REAL-TIME",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MMT \u2013 522(K) / MMT \u2013 722(K) Paradigm REAL-TIME",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MMT \u2013 523 / MMT \u2013 723 Paradigm Revel",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MMT \u2013 523(K) / MMT \u2013 723(K) Paradigm",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MMT \u2013 554 / MMT \u2013 754 MiniMed Veo",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MMT \u2013 551 / MMT \u2013 751 MiniMed 530G",
          "vendor": "Medtronic",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Billy Rios, Jesse Young, and Jonathan Butts of Whitescope LLC reported these vulnerabilities to CISA."
        }
      ],
      "datePublic": "2018-08-08T06:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMedtronic MiniMed MMT \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edevices when paired with a remote controller and having the \u201ceasy bolus\u201d and \u201cremote bolus\u201d options enabled (non-default), are vulnerable to a capture-replay attack. An attacker can capture the wireless transmissions between the remote controller and the pump and replay them to cause an insulin (bolus) delivery.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/p\u003e"
            }
          ],
          "value": "Medtronic MiniMed MMT \n\ndevices when paired with a remote controller and having the \u201ceasy bolus\u201d and \u201cremote bolus\u201d options enabled (non-default), are vulnerable to a capture-replay attack. An attacker can capture the wireless transmissions between the remote controller and the pump and replay them to cause an insulin (bolus) delivery."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-294",
              "description": "CWE-294 Authentication Bypass by Capture-replay",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-22T16:33:08.385Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/minimed.html"
        },
        {
          "name": "105044",
          "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-02"
        },
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "http://www.securityfocus.com/bid/105044"
        }
      ],
      "source": {
        "advisory": "ICSMA-18-219-02",
        "discovery": "EXTERNAL"
      },
      "title": "Medtronic MiniMed MMT-500/MMT-503 Remote Controllers Authentication Bypass by Capture-replay",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe remote option is turned off in the pump by default. \u0026nbsp;\u003c/p\u003e\u003cp\u003eMedtronic is directing all users to stop using their remote controllers, disable the remote option on their insulin pump, and to return the remote controllers to Medtronic. \u003c/p\u003e\u003cp\u003eMedtronic has released \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003eadditional patient focused information\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eAdditionally, Medtronic will be sending a letter to patients who may still be actively using the remotes in order to inform patients about these security risks, and request patients stop using the remote and return them to Medtronic. \u003c/p\u003e"
            }
          ],
          "value": "The remote option is turned off in the pump by default. \u00a0\n\nMedtronic is directing all users to stop using their remote controllers, disable the remote option on their insulin pump, and to return the remote controllers to Medtronic. \n\nMedtronic has released  additional patient focused information https://www.medtronic.com/security .\n\nAdditionally, Medtronic will be sending a letter to patients who may still be actively using the remotes in order to inform patients about these security risks, and request patients stop using the remote and return them to Medtronic."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2018-08-08T00:00:00",
          "ID": "CVE-2018-10634",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Medtronic insulin pump",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ICS-CERT"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G communications between the pump and wireless accessories are transmitted in cleartext. A sufficiently skilled attacker could capture these transmissions and extract sensitive information, such as device serial numbers."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-02",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-02"
            },
            {
              "name": "105044",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/105044"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2018-14781",
    "datePublished": "2018-08-13T22:00:00Z",
    "dateReserved": "2018-08-01T00:00:00",
    "dateUpdated": "2025-05-22T16:33:08.385Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-19605

CVE-2018-14781 (GCVE-0-2018-14781)

Tags

Sightings

Nomenclature