#VU24792 Improper access control in Medtronic products - CVE-2019-6538


Vulnerability identifier: #VU24792

Vulnerability risk: Low

CVSSv4.0: 5.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-6538

CWE-ID: CWE-284

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
MyCareLink Monitor
Hardware solutions / Medical equipment
CareLink Monitor
Hardware solutions / Medical equipment
Amplia CRT-D
Hardware solutions / Medical equipment
Claria CRT-D
Hardware solutions / Medical equipment
Compia CRT-D
Hardware solutions / Medical equipment
Concerto CRT-D
Hardware solutions / Medical equipment
Concerto II CRT-D
Hardware solutions / Medical equipment
Consulta CRT-D
Hardware solutions / Medical equipment
Evera ICD
Hardware solutions / Medical equipment
Maximo II CRT-D
Hardware solutions / Medical equipment
Maximo II ICD
Hardware solutions / Medical equipment
Mirro ICD
Hardware solutions / Medical equipment
Nayamed ND ICD
Hardware solutions / Medical equipment
Primo ICD
Hardware solutions / Medical equipment
Protecta ICD
Hardware solutions / Medical equipment
Protecta CRT-D
Hardware solutions / Medical equipment
Secura ICD
Hardware solutions / Medical equipment
Virtuoso ICD
Hardware solutions / Medical equipment
Virtuoso II ICD
Hardware solutions / Medical equipment
Visia AF ICD
Hardware solutions / Medical equipment
Viva CRT-D
Hardware solutions / Medical equipment
Brava CRT-D
Hardware solutions / Medical equipment
Mirro MRI ICD
Hardware solutions / Medical equipment
2090 CareLink Programmer
Hardware solutions / Firmware

Vendor: Medtronic

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the Conexus Radio Frequency Telemetry Protocol. A remote attacker on the local network, when the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.

Mitigation

Vendor has developed mitigating patches for the following products:

  • Brava CRT-D, all models                                            
  • Evera MRI ICD, all models
  • Evera ICD, all models
  • Mirro MRI ICD, all models
  • Primo MRI ICD, all models
  • Viva CRT-D, all models

These patches are installed during regular office visits.

Vulnerable software versions

MyCareLink Monitor: 24950 - 24952

CareLink Monitor: 2490C

2090 CareLink Programmer: All versions

Amplia CRT-D: All versions

Claria CRT-D: All versions

Compia CRT-D: All versions

Concerto CRT-D: All versions

Concerto II CRT-D: All versions

Consulta CRT-D: All versions

Evera ICD: All versions

Maximo II CRT-D: All versions

Maximo II ICD: All versions

Mirro ICD: All versions

Nayamed ND ICD: All versions

Primo ICD: All versions

Protecta ICD: All versions

Protecta CRT-D: All versions

Secura ICD: All versions

Virtuoso ICD: All versions

Virtuoso II ICD: All versions

Visia AF ICD: All versions

Viva CRT-D: All versions

Brava CRT-D: All versions

Mirro MRI ICD: All versions

External links
https://www.securityfocus.com/bid/107544
https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in several Medtronic products