Data Integrity Vulnerability in Medtronic MyCareLink Patient Monitor
CVE-2018-10626

4.4MEDIUM

Key Information:

Vendor

Medtronic

Status
24950 Mycarelink Monitor
24952 Mycarelink Monitor
Vendor
CVE Published:
10 August 2018

What is CVE-2018-10626?

A vulnerability in the Medtronic MyCareLink Patient Monitor models 24950 and 24952 allows for the risk of unauthorized data manipulation. The device's update service fails to verify the authenticity of uploaded data, enabling an attacker with acquired product credentials to trick the CareLink network into accepting invalid data from paired implantable cardiac devices. This poses grave risks to patient safety and the reliability of medical data.

Affected Version(s)

24950 MyCareLink Monitor All versions

24952 MyCareLink Monitor All versions

References

https://global.medtronic.com/xg-en/product-security/secur...
https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01
x_refsource_MISC
http://www.securityfocus.com/bid/105042
vdb-entry

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.