CVE-2018-8870
6.4
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Medtronic | 24950 MyCareLink Monitor | All versions | affected |
| Medtronic | 24952 MyCareLink Monitor | All versions | affected |
Weaknesses
- CWE-259: CWE-259
Workarounds
Medtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Maintain good physical controls over the home monitor as the best mitigation to these vulnerabilities.
- Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system.
- Report any concerning behavior regarding their home monitor to their healthcare provider or a Medtronic representative.
Medtronic has released additional patient focused information, at the following location:
https://www.medtronic.com/security
ADP Enrichment
CVE Program Container
Additional References
References
- https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-6-28-18.html
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.