Vulnerability in Medtronic CareLink Programmer Allows Unauthorized Update Manipulation
CVE-2018-10596

8 HIGH

Key Information:

Vendor: Medtronic

CVE Published: 3 July 2018

What is CVE-2018-10596?

The Medtronic 2090 CareLink Programmer is susceptible to a communication manipulation vulnerability. This issue arises because the device establishes a virtual private network (VPN) connection to securely download updates, but it fails to verify its ongoing connection to this VPN before initiating the download process. If an attacker gains local network access to the programmer, they may exploit this flaw to influence the update communications, potentially leading to unauthorized updates.

Affected Version(s)

2090 CareLink Programmer All versions

29901 Encore Programmer All versions

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
