FKIE_CVE-2018-8868

Vulnerability from fkie_nvd - Published: 2018-07-03 01:29 - Updated: 2025-05-22 19:15
Severity ?
6.2 (Medium) - CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Summary
Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor's communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can exploit other vulnerabilities to access this debug functionality. This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality.
References
ics-cert@hq.dhs.govhttps://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-6-28-18.html
ics-cert@hq.dhs.govhttps://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01Third Party Advisory, US Government Resource
Impacted products
Vendor Product Version
medtronic 24950_mycarelink_monitor_firmware -
medtronic 24950_mycarelink_monitor -
medtronic 24952_mycarelink_monitor_firmware -
medtronic 24952_mycarelink_monitor -
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:medtronic:24950_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "778EB98D-C77A-4C81-B7AD-848C335B850D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:medtronic:24950_mycarelink_monitor:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8F046CD-32D6-44D1-AB08-D81B3942CB78",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:medtronic:24952_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C9FE79C-C221-4E6B-A687-74A5D7A85EFA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:medtronic:24952_mycarelink_monitor:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F2B146EC-2D18-430C-81B5-6F7D4328BB91",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor\u0027s communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can exploit other vulnerabilities to access this debug functionality. This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality."
    },
    {
      "lang": "es",
      "value": "Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor en todas sus versiones y 24952 MyCareLink Monitor en todas sus versiones, contienen c\u00f3digo de depuraci\u00f3n destinado a probar la funcionalidad de las interfaces de comunicaci\u00f3n del monitor, incluida la interfaz entre el monitor y el dispositivo card\u00edaco implantable. Un atacante con acceso f\u00edsico al dispositivo puede aplicar las otras vulnerabilidades dentro de este advisory para acceder a esta funcionalidad de depuraci\u00f3n. Esta funcionalidad de depuraci\u00f3n proporciona la capacidad de leer y escribir valores de memoria arbitrarios en dispositivos card\u00edacos implantables mediante protocolos inal\u00e1mbricos inductivos o de corto alcance. Un atacante con proximidad f\u00edsica cercana a un dispositivo card\u00edaco implantable objetivo puede utilizar esta funcionalidad de depuraci\u00f3n."
    }
  ],
  "id": "CVE-2018-8868",
  "lastModified": "2025-05-22T19:15:22.013",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 6.9,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "LOW",
          "baseScore": 6.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 0.4,
        "impactScore": 5.3,
        "source": "ics-cert@hq.dhs.gov",
        "type": "Secondary"
      }
    ]
  },
  "published": "2018-07-03T01:29:01.877",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-6-28-18.html"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-749"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.