CVE-2018-10626

Summary

Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.

Affected Software

VendorProductVersion RangeStatus
Medtronic24950 MyCareLink MonitorAll versionsaffected
Medtronic24952 MyCareLink MonitorAll versionsaffected

Weaknesses

  • CWE-345: CWE-345 Insufficient Verification of Data Authenticity

Workarounds

Medtronic has made server-side updates to address this insufficient verification vulnerability. Medtronic is implementing additional server-side mitigations to enhance data integrity and authenticity. Medtronic recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, users should:

  • Maintain good physical control over the home monitor.
  • Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system. Medtronic has released additional patient focused information, at the following location:

https://www.medtronic.com/security Users should follow CISA's guidance in the following areas:

ADP Enrichment

CVE Program Container

Additional References

References