Sign-up

ID

VAR-201702-0699


CVE

CVE-2017-5149


TITLE

St. Jude Medical Merlin@home Vulnerabilities that allow access to communication between specific endpoints

Trust: 0.8

sources: JVNDB: JVNDB-2017-002280

DESCRIPTION

An issue was discovered in St. Jude Medical Merlin@home, versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical's web site, Merlin.net, are not verified. This may allow a man-in-the-middle attacker to access or influence communications between the identified endpoints. St. St.Jude Medical Merlin@home transmitter is a product of St.Jude Medical of the United States for remote care management of patients implanted with cardiac devices. Merlin@home has a human security bypass vulnerability. Merlin@home is prone to a security-bypass vulnerability. Successfully exploiting this issue may allow attackers to bypass certain security restrictions and perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks. Versions prior to Merlin@home 8.2.2 are vulnerable. Jude Medical Merlin@home transmitter is a product of St

Trust: 2.79

sources: NVD: CVE-2017-5149 // JVNDB: JVNDB-2017-002280 // CNVD: CNVD-2017-00460 // BID: 95331 // IVD: fa131aa5-74f9-4fb0-950d-d3caa56347b5 // VULHUB: VHN-113352 // VULMON: CVE-2017-5149

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: fa131aa5-74f9-4fb0-950d-d3caa56347b5 // CNVD: CNVD-2017-00460

AFFECTED PRODUCTS

vendor:abbottmodel:merlin\@homescope:lteversion:8.0

Trust: 1.0

vendor:stmodel:jude medical merlin@homescope:eqversion:8.0

Trust: 0.9

vendor:st jude medicalmodel:merlin@homescope:ltversion:8.2.2

Trust: 0.8

vendor:st jude medicalmodel:merlin\@homescope:eqversion:8.0

Trust: 0.6

vendor:stmodel:jude medical merlin@homescope:neversion:8.2.2

Trust: 0.3

vendor:merlin homemodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: fa131aa5-74f9-4fb0-950d-d3caa56347b5 // CNVD: CNVD-2017-00460 // BID: 95331 // JVNDB: JVNDB-2017-002280 // CNNVD: CNNVD-201701-171 // NVD: CVE-2017-5149

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-5149
value: HIGH

Trust: 1.0

NVD: CVE-2017-5149
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-00460
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201701-171
value: HIGH

Trust: 0.6

IVD: fa131aa5-74f9-4fb0-950d-d3caa56347b5
value: HIGH

Trust: 0.2

VULHUB: VHN-113352
value: MEDIUM

Trust: 0.1

VULMON: CVE-2017-5149
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-5149
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2017-00460
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: fa131aa5-74f9-4fb0-950d-d3caa56347b5
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-113352
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-5149
baseSeverity: HIGH
baseScore: 8.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2017-5149
baseSeverity: HIGH
baseScore: 8.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: fa131aa5-74f9-4fb0-950d-d3caa56347b5 // CNVD: CNVD-2017-00460 // VULHUB: VHN-113352 // VULMON: CVE-2017-5149 // JVNDB: JVNDB-2017-002280 // CNNVD: CNNVD-201701-171 // NVD: CVE-2017-5149

PROBLEMTYPE DATA

problemtype:CWE-476

Trust: 1.1

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-113352 // JVNDB: JVNDB-2017-002280 // NVD: CVE-2017-5149

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201701-171

TYPE

Code problem

Trust: 0.8

sources: IVD: fa131aa5-74f9-4fb0-950d-d3caa56347b5 // CNNVD: CNNVD-201701-171

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-002280

PATCH
title:Merlin@homeurl:https://www.sjm.com/en/professionals/featured-products/cardiac-rhythm-management/remote-care/remote-care/merlin-home-transmitter?halert=show&clset=af584191-45c9-4201-8740-5409f4cf8bdd%3ab20716c1-c2a6-
Trust: 0.8
title:Merlin@home people middle security bypass vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/88010
Trust: 0.6
title:St. Jude Medical Merlin@home Transmitter Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66895
Trust: 0.6
title: - url:https://github.com/brooocifer/hack-merlin-at-home 
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2017-00460 // 
            
            
            
            VULMON: CVE-2017-5149 // 
            
            
            
            JVNDB: JVNDB-2017-002280 // 
            
            
            
            CNNVD: CNNVD-201701-171

EXTERNAL IDS
db:NVDid:CVE-2017-5149
Trust: 3.7
db:BIDid:95331
Trust: 2.7
db:ICS CERTid:ICSMA-17-009-01A
Trust: 2.6
db:CNNVDid:CNNVD-201701-171
Trust: 0.9
db:ICS CERTid:ICSMA-17-009-01
Trust: 0.9
db:CNVDid:CNVD-2017-00460
Trust: 0.8
db:JVNDBid:JVNDB-2017-002280
Trust: 0.8
db:IVDid:FA131AA5-74F9-4FB0-950D-D3CAA56347B5
Trust: 0.2
db:VULHUBid:VHN-113352
Trust: 0.1
db:VULMONid:CVE-2017-5149
Trust: 0.1
sources:
            
            
            IVD: fa131aa5-74f9-4fb0-950d-d3caa56347b5 // 
            
            
            
            CNVD: CNVD-2017-00460 // 
            
            
            
            VULHUB: VHN-113352 // 
            
            
            
            VULMON: CVE-2017-5149 // 
            
            
            
            BID: 95331 // 
            
            
            
            JVNDB: JVNDB-2017-002280 // 
            
            
            
            CNNVD: CNNVD-201701-171 // 
            
            
            
            NVD: CVE-2017-5149

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsma-17-009-01a
Trust: 2.7
url:http://www.securityfocus.com/bid/95331
Trust: 1.9
url:https://ics-cert.us-cert.gov/advisories/icsma-17-009-01
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5149
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-5149
Trust: 0.8
url:https://www.sjm.com/en/professionals/featured-products/cardiac-rhythm-management/remote-care/remote-care/merlin-home-transmitter?halert=show&clset=af584191-45c9-4201-8740-5409f4cf8bdd%3ab20716c1-c2a6-
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/476.html
Trust: 0.1
url:https://github.com/brooocifer/hack-merlin-at-home
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2017-00460 // 
            
            
            
            VULHUB: VHN-113352 // 
            
            
            
            VULMON: CVE-2017-5149 // 
            
            
            
            BID: 95331 // 
            
            
            
            JVNDB: JVNDB-2017-002280 // 
            
            
            
            CNNVD: CNNVD-201701-171 // 
            
            
            
            NVD: CVE-2017-5149

CREDITS
MedSec Holdings
Trust: 0.3
sources:
            
            
            BID: 95331

SOURCES
db:IVDid:fa131aa5-74f9-4fb0-950d-d3caa56347b5
db:CNVDid:CNVD-2017-00460
db:VULHUBid:VHN-113352
db:VULMONid:CVE-2017-5149
db:BIDid:95331
db:JVNDBid:JVNDB-2017-002280
db:CNNVDid:CNNVD-201701-171
db:NVDid:CVE-2017-5149

LAST UPDATE DATE
2025-04-20T23:16:19.921000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-00460date:2017-01-16T00:00:00
db:VULHUBid:VHN-113352date:2019-10-03T00:00:00
db:VULMONid:CVE-2017-5149date:2019-10-03T00:00:00
db:BIDid:95331date:2017-01-12T01:11:00
db:JVNDBid:JVNDB-2017-002280date:2017-04-07T00:00:00
db:CNNVDid:CNNVD-201701-171date:2019-10-23T00:00:00
db:NVDid:CVE-2017-5149date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:IVDid:fa131aa5-74f9-4fb0-950d-d3caa56347b5date:2017-01-16T00:00:00
db:CNVDid:CNVD-2017-00460date:2017-01-16T00:00:00
db:VULHUBid:VHN-113352date:2017-02-13T00:00:00
db:VULMONid:CVE-2017-5149date:2017-02-13T00:00:00
db:BIDid:95331date:2017-01-09T00:00:00
db:JVNDBid:JVNDB-2017-002280date:2017-04-07T00:00:00
db:CNNVDid:CNNVD-201701-171date:2017-01-10T00:00:00
db:NVDid:CVE-2017-5149date:2017-02-13T22:59:00.303