Telemetry Protocol Vulnerability in Medtronic Cardiac Devices
CVE-2019-6538

6.5MEDIUM

Key Information:

Vendor: Medtronic
Status: Conexus Radio Frequency Telemetry Protocol; Mycarelink Monitor; Carelink Monitor; Carelink 2090 Programmer
Vendor: CVE Published:; 25 March 2019

What is CVE-2019-6538?

The Conexus telemetry protocol in several Medtronic cardiac devices lacks necessary authentication and authorization mechanisms. This vulnerability allows an attacker with close proximity to the product to potentially inject, modify, or intercept telemetry data communications. As a result, this could lead to unauthorized changes in the memory of implanted cardiac devices, posing significant risks to patient safety.

Affected Version(s)

Amplia CRT-D All versions

Brava CRT-D All versions

CareLink 2090 Programmer All versions

References

https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01

x_refsource_MISC

http://www.securityfocus.com/bid/107544

vdb-entryx_refsource_BID

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 25, 2019
Vulnerability Reserved
Jan 22, 2019

JSON