Protection Mechanism Failure in Medtronic NGP 600 Series Insulin Pumps

1) Protection Mechanism Failure

EUVDB-ID: #VU67535

Risk: Medium

CVSSv4.0: 2.1 [CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-32537

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A remote user on the local network can learn aspects of the communication protocol used to pair system components while the pump is being paired with other system components.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

MiniMed 620G: MMT-1710

MiniMed 630G: MMT-1715 - MMT-1755

MiniMed 640G: MMT-1711 - MMT-1752

MiniMed 670G: MMT-1740 - MMT-1782

CPE2.3

• cpe:2.3:h:medtronic:minimed_620g:MMT-1710:*:*:*:*:*:*:*
• cpe:2.3:h:medtronic:minimed_630g:MMT-1715:*:*:*:*:*:*:*
• cpe:2.3:h:medtronic:minimed_630g:MMT-1754:*:*:*:*:*:*:*
• cpe:2.3:h:medtronic:minimed_630g:MMT-1755:*:*:*:*:*:*:*
• cpe:2.3:h:medtronic:minimed_640g:MMT-1711:*:*:*:*:*:*:*
• cpe:2.3:h:medtronic:minimed_640g:MMT-1712:*:*:*:*:*:*:*
• cpe:2.3:h:medtronic:minimed_640g:MMT-1751:*:*:*:*:*:*:*
• cpe:2.3:h:medtronic:minimed_670g:MMT-1740:*:*:*:*:*:*:*
• cpe:2.3:h:medtronic:minimed_670g:MMT-1741:*:*:*:*:*:*:*
• cpe:2.3:h:medtronic:minimed_670g:MMT-1742:*:*:*:*:*:*:*

External links

http://ics-cert.us-cert.gov/advisories/icsma-22-263-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.