CVE-2018-8870

Summary

Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.

Affected Software

VendorProductVersion RangeStatus
Medtronic24950 MyCareLink MonitorAll versionsaffected
Medtronic24952 MyCareLink MonitorAll versionsaffected

Weaknesses

  • CWE-259: CWE-259

Workarounds

Medtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Maintain good physical controls over the home monitor as the best mitigation to these vulnerabilities.  
  • Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system.
  • Report any concerning behavior regarding their home monitor to their healthcare provider or a Medtronic representative.

Medtronic has released additional patient focused information, at the following location:

https://www.medtronic.com/security

ADP Enrichment

CVE Program Container

Additional References

References