Lucene search

IcscertCVE-2018-8870

HistoryJul 03, 2018 - 1:29 a.m.

CVE-2018-8870

2018-07-0301:29:01

CWE-798

CWE-259

icscert

web.nvd.nist.gov

medtronic

mycarelink

patient monitor

hard-coded password

os vulnerability

physical access

nvd

cve-2018-8870

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

6.8

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

29.5%

JSON

Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all versions, and 24952 MyCareLink Monitor, all versions contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.

Affected configurations

Nvd

Node

medtronic24950_mycarelink_monitor_firmwareMatch-

AND

medtronic24950_mycarelink_monitorMatch-

Node

medtronic24952_mycarelink_monitor_firmwareMatch-

AND

medtronic24952_mycarelink_monitorMatch-

VendorProductVersionCPE
medtronic24950_mycarelink_monitor_firmware-cpe:2.3:o:medtronic:24950_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*
medtronic24950_mycarelink_monitor-cpe:2.3:h:medtronic:24950_mycarelink_monitor:-:*:*:*:*:*:*:*
medtronic24952_mycarelink_monitor_firmware-cpe:2.3:o:medtronic:24952_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*
medtronic24952_mycarelink_monitor-cpe:2.3:h:medtronic:24952_mycarelink_monitor:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
medtronic	24950_mycarelink_monitor_firmware	-	cpe:2.3:o:medtronic:24950_mycarelink_monitor_firmware:-:::::::*
medtronic	24950_mycarelink_monitor	-	cpe:2.3:h:medtronic:24950_mycarelink_monitor:-:::::::*
medtronic	24952_mycarelink_monitor_firmware	-	cpe:2.3:o:medtronic:24952_mycarelink_monitor_firmware:-:::::::*
medtronic	24952_mycarelink_monitor	-	cpe:2.3:h:medtronic:24952_mycarelink_monitor:-:::::::*

CNA Affected

[
  {
    "product": "Medtronic MyCareLink Patient Monitor",
    "vendor": "ICS-CERT",
    "versions": [
      {
        "status": "affected",
        "version": "24950 MyCareLink Monitor, all versions, 24952 MyCareLink Monitor, all versions."
      }
    ]
  }
]

References

ics-cert.us-cert.gov/advisories/ICSMA-18-179-01

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

6.8

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

29.5%

JSON

Related for CVE-2018-8870