CVE-2018-10626
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Summary
Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Medtronic | 24950 MyCareLink Monitor | All versions | affected |
| Medtronic | 24952 MyCareLink Monitor | All versions | affected |
Weaknesses
- CWE-345: CWE-345 Insufficient Verification of Data Authenticity
Workarounds
Medtronic has made server-side updates to address this insufficient verification vulnerability. Medtronic is implementing additional server-side mitigations to enhance data integrity and authenticity. Medtronic recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, users should:
- Maintain good physical control over the home monitor.
- Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system. Medtronic has released additional patient focused information, at the following location:
https://www.medtronic.com/security Users should follow CISA's guidance in the following areas:
Securing the Internet of Things https://www.cisa.gov/news-events/news/securing-internet-things-iot
Home Network Security https://www.cisa.gov/news-events/news/home-network-security
ADP Enrichment
CVE Program Container
Additional References
References
- https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-8-7-18.html
- http://www.securityfocus.com/bid/105042
- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-219-01
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2018/icsma-18-219-01.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.