Vulnerabilities > CVE-2019-6538 - Missing Authorization vulnerability in Medtronic products

CVSS 6.5 - MEDIUM

Attack vector

ADJACENT_NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

low complexity

medtronic

CWE-862

NVD

Published: 2019-03-25

Updated: 2020-10-06

Summary

The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.

Vulnerable Configurations

Part	Description	Count
OS	Medtronic Medtronic Mycarelink Monitor Firmware 24950 Medtronic Mycarelink Monitor Firmware 24952 Medtronic Carelink Monitor Firmware 2490C Medtronic Carelink 2090 Firmware - Medtronic Amplia CRT D Firmware - Medtronic Claria CRT D Firmware - Medtronic Compia CRT D Firmware - Medtronic Concerto CRT D Firmware - Medtronic Concerto II CRT D Firmware - Medtronic Consulta CRT D Firmware - Medtronic Evera ICD Firmware - Medtronic Maximo II CRT D AND LCD Firmware - Medtronic Mirro ICD Firmware - Medtronic Nayamed ND ICD Firmware - Medtronic Primo ICD Firmware - Medtronic Protecta ICD AND CRT D Firmware - Medtronic Secura ICD Firmware - Medtronic Virtuoso ICD Firmware - Medtronic Virtuoso II ICD Firmware - Medtronic Visia AF ICD Firmware - Medtronic Viva CRT D Firmware -	21
Hardware	Medtronic Medtronic Mycarelink Monitor - Medtronic Carelink Monitor - Medtronic Carelink 2090 - Medtronic Amplia CRT D - Medtronic Claria CRT D - Medtronic Compia CRT D - Medtronic Concerto CRT D - Medtronic Concerto II CRT D - Medtronic Consulta CRT D - Medtronic Evera ICD - Medtronic Maximo II CRT D AND LCD - Medtronic Mirro ICD - Medtronic Nayamed ND ICD - Medtronic Primo ICD - Medtronic Protecta ICD AND CRT D - Medtronic Secura ICD - Medtronic Virtuoso ICD - Medtronic Virtuoso II ICD - Medtronic Visia AF ICD - Medtronic Viva CRT D -	20

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

The Hacker News

id	THN:22BD1C3E7F7F5638B94295741D887160
last seen	2019-03-22
modified	2019-03-22
published	2019-03-22
reporter	The Hacker News
source	https://thehackernews.com/2019/03/hacking-implantable-defibrillators.html
title	Medtronic's Implantable Defibrillators Vulnerable to Life-Threatening Hacks

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

The Hacker News

References