Multiple vulnerabilities in several Medtronic products

Published: 2019-03-25 | Updated: 2020-01-31

Risk	Low
Patch available	NO
Number of vulnerabilities	2
CVE-ID	CVE-2019-6540 CVE-2019-6538
CWE-ID	CWE-319 CWE-284
Exploitation vector	Local network
Public exploit	N/A
Vulnerable software	MyCareLink Monitor Hardware solutions / Medical equipment CareLink Monitor Hardware solutions / Medical equipment Amplia CRT-D Hardware solutions / Medical equipment Claria CRT-D Hardware solutions / Medical equipment Compia CRT-D Hardware solutions / Medical equipment Concerto CRT-D Hardware solutions / Medical equipment Concerto II CRT-D Hardware solutions / Medical equipment Consulta CRT-D Hardware solutions / Medical equipment Evera ICD Hardware solutions / Medical equipment Maximo II CRT-D Hardware solutions / Medical equipment Maximo II ICD Hardware solutions / Medical equipment Mirro ICD Hardware solutions / Medical equipment Nayamed ND ICD Hardware solutions / Medical equipment Primo ICD Hardware solutions / Medical equipment Protecta ICD Hardware solutions / Medical equipment Protecta CRT-D Hardware solutions / Medical equipment Secura ICD Hardware solutions / Medical equipment Virtuoso ICD Hardware solutions / Medical equipment Virtuoso II ICD Hardware solutions / Medical equipment Visia AF ICD Hardware solutions / Medical equipment Viva CRT-D Hardware solutions / Medical equipment Brava CRT-D Hardware solutions / Medical equipment Mirro MRI ICD Hardware solutions / Medical equipment 2090 CareLink Programmer Hardware solutions / Firmware
Vendor	Medtronic

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

Updated 31.01.2020

Updated list of vulnerable and patched devices.

1) Cleartext transmission of sensitive information

EUVDB-ID: #VU24793

Risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-6540

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the Conexus telemetry protocol uses insecure communication channel to transmit sensitive information. A remote attacker on the local network with ability to intercept network traffic can gain access to sensitive data.

Mitigation

Vendor has developed mitigating patches for the following products:

Brava CRT-D, all models
Evera MRI ICD, all models
Evera ICD, all models
Mirro MRI ICD, all models
Primo MRI ICD, all models
Viva CRT-D, all models

These patches are installed during regular office visits.

Vulnerable software versions

MyCareLink Monitor: 24950 - 24952

CareLink Monitor: 2490C

2090 CareLink Programmer: All versions

Amplia CRT-D: All versions

Claria CRT-D: All versions

Compia CRT-D: All versions

Concerto CRT-D: All versions

Concerto II CRT-D: All versions

Consulta CRT-D: All versions

Evera ICD: All versions

Maximo II CRT-D: All versions

Maximo II ICD: All versions

Mirro ICD: All versions

Nayamed ND ICD: All versions

Primo ICD: All versions

Protecta ICD: All versions

Protecta CRT-D: All versions

Secura ICD: All versions

Virtuoso ICD: All versions

Virtuoso II ICD: All versions

Visia AF ICD: All versions

Viva CRT-D: All versions

Brava CRT-D: All versions

Mirro MRI ICD: All versions

CPE2.3

External links

https://www.securityfocus.com/bid/107544
https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper access control

EUVDB-ID: #VU24792

Risk: Low

CVSSv4.0: 5.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-6538

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the Conexus Radio Frequency Telemetry Protocol. A remote attacker on the local network, when the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.

Mitigation

Vendor has developed mitigating patches for the following products:

Brava CRT-D, all models
Evera MRI ICD, all models
Evera ICD, all models
Mirro MRI ICD, all models
Primo MRI ICD, all models
Viva CRT-D, all models

These patches are installed during regular office visits.

Vulnerable software versions

MyCareLink Monitor: 24950 - 24952

CareLink Monitor: 2490C

2090 CareLink Programmer: All versions

Amplia CRT-D: All versions

Claria CRT-D: All versions

Compia CRT-D: All versions

Concerto CRT-D: All versions

Concerto II CRT-D: All versions

Consulta CRT-D: All versions

Evera ICD: All versions

Maximo II CRT-D: All versions

Maximo II ICD: All versions

Mirro ICD: All versions

Nayamed ND ICD: All versions

Primo ICD: All versions

Protecta ICD: All versions

Protecta CRT-D: All versions

Secura ICD: All versions

Virtuoso ICD: All versions

Virtuoso II ICD: All versions

Visia AF ICD: All versions

Viva CRT-D: All versions

Brava CRT-D: All versions

Mirro MRI ICD: All versions

CPE2.3

External links

https://www.securityfocus.com/bid/107544
https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.