CVE-2018-8868

03.07.2018, 01:29

Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor's communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can exploit other vulnerabilities to access this debug functionality. This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.2 MEDIUM	PHYSICAL	HIGH	LOW	CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
icscert	CNA	6.2 MEDIUM	PHYSICAL	HIGH	LOW	CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 27%

Vendor	Product	Version
medtronic	24950_mycarelink_monitor_firmware	-
medtronic	24952_mycarelink_monitor_firmware	-

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-749 - Exposed Dangerous Method or Function
The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

References

https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-6-28-18.html

https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01