Details of VAR-201805-0937

ID

VAR-201805-0937

CVE

CVE-2018-8849

TITLE

Medtronic N'Vision Clinician Programmer Information Disclosure Vulnerability

Trust: 0.8

sources: IVD: e2efad9e-39ab-11e9-87b8-000c29342cb1 // CNVD: CNVD-2018-10004

DESCRIPTION

Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programme and 8870 N'Vision removable Application Card do not encrypt PII and PHI while at rest. The Medtronic N'Vision Clinician Programmer is a small, portable device that provides a single programming platform for Medtronic nerve graft therapy devices. The Medtronic N'Vision Clinician Programmer has an information disclosure vulnerability that allows an attacker to exploit sensitive information. Medtronic N'Vision Clinician Programmer is prone to an information-disclosure vulnerability. The vulnerability is caused by the program not encrypting PII and PHI

Trust: 2.7

sources: NVD: CVE-2018-8849 // JVNDB: JVNDB-2018-005148 // CNVD: CNVD-2018-10004 // BID: 104213 // IVD: e2efad9e-39ab-11e9-87b8-000c29342cb1 // VULHUB: VHN-138881

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: e2efad9e-39ab-11e9-87b8-000c29342cb1 // CNVD: CNVD-2018-10004

AFFECTED PRODUCTS

vendor:	medtronic	model:	n\'vision 8840	scope:	eq	version:	-	Trust: 1.6
vendor:	medtronic	model:	n\'vision 8870	scope:	eq	version:	-	Trust: 1.6
vendor:	medtronic	model:	8840 n’vision clinician programmer	scope:	-	version:	-	Trust: 0.8
vendor:	medtronic	model:	8870 n’vision removable application card	scope:	-	version:	-	Trust: 0.8
vendor:	medtronic	model:	n'vision application card	scope:	eq	version:	8870	Trust: 0.6
vendor:	medtronic	model:	n'vision clinician programmer	scope:	eq	version:	8840	Trust: 0.6
vendor:	medtronic	model:	n??vision application card	scope:	eq	version:	88700	Trust: 0.3
vendor:	medtronic	model:	n??vision clinician programmer	scope:	eq	version:	88400	Trust: 0.3
vendor:	medtronic	model:	n'vision application card	scope:	eq	version:	8870*	Trust: 0.2
vendor:	medtronic	model:	n'vision clinician programmer	scope:	eq	version:	8840*	Trust: 0.2

sources: IVD: e2efad9e-39ab-11e9-87b8-000c29342cb1 // CNVD: CNVD-2018-10004 // BID: 104213 // JVNDB: JVNDB-2018-005148 // CNNVD: CNNVD-201805-680 // NVD: CVE-2018-8849

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-8849
value:	MEDIUM
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2018-8849
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-8849
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2018-10004
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201805-680
value:	MEDIUM
Trust: 0.6
IVD:	e2efad9e-39ab-11e9-87b8-000c29342cb1
value:	MEDIUM
Trust: 0.2
VULHUB:	VHN-138881
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2018-8849
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-10004
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2efad9e-39ab-11e9-87b8-000c29342cb1
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-138881
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-8849
baseSeverity:	MEDIUM
baseScore:	4.6
vectorString:	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	0.9
impactScore:	3.6
version:	3.0
Trust: 1.8
ics-cert@hq.dhs.gov:	CVE-2018-8849
baseSeverity:	MEDIUM
baseScore:	4.6
vectorString:	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	0.9
impactScore:	3.6
version:	3.1
Trust: 1.0

sources: IVD: e2efad9e-39ab-11e9-87b8-000c29342cb1 // CNVD: CNVD-2018-10004 // VULHUB: VHN-138881 // JVNDB: JVNDB-2018-005148 // CNNVD: CNNVD-201805-680 // NVD: CVE-2018-8849 // NVD: CVE-2018-8849

PROBLEMTYPE DATA

problemtype:	CWE-311	Trust: 1.1
problemtype:	CWE-310	Trust: 0.9

sources: VULHUB: VHN-138881 // JVNDB: JVNDB-2018-005148 // NVD: CVE-2018-8849

THREAT TYPE

local

Trust: 0.9

sources: BID: 104213 // CNNVD: CNNVD-201805-680

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201805-680

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-005148

PATCH

title:

N’Vision 8840 Physician Programmer

url:

http://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/Medtronic-NVision-8840_Security-Bulletin_FINAL.pdf

Trust: 0.8

sources: JVNDB: JVNDB-2018-005148

EXTERNAL IDS

db:	NVD	id:	CVE-2018-8849	Trust: 3.6
db:	ICS CERT	id:	ICSMA-18-137-01	Trust: 3.4
db:	BID	id:	104213	Trust: 2.6
db:	CNNVD	id:	CNNVD-201805-680	Trust: 0.9
db:	CNVD	id:	CNVD-2018-10004	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-005148	Trust: 0.8
db:	IVD	id:	E2EFAD9E-39AB-11E9-87B8-000C29342CB1	Trust: 0.2
db:	VULHUB	id:	VHN-138881	Trust: 0.1

sources: IVD: e2efad9e-39ab-11e9-87b8-000c29342cb1 // CNVD: CNVD-2018-10004 // VULHUB: VHN-138881 // BID: 104213 // JVNDB: JVNDB-2018-005148 // CNNVD: CNNVD-201805-680 // NVD: CVE-2018-8849

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsma-18-137-01	Trust: 3.4
url:	http://www.securityfocus.com/bid/104213	Trust: 1.7
url:	http://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/medtronic-nvision-8840_security-bulletin_final.pdf	Trust: 1.7
url:	https://www.medtronic.com/security	Trust: 1.0
url:	https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-137-01	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8849	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-8849	Trust: 0.8
url:	http://www.medtronic.com	Trust: 0.3

sources: CNVD: CNVD-2018-10004 // VULHUB: VHN-138881 // BID: 104213 // JVNDB: JVNDB-2018-005148 // CNNVD: CNNVD-201805-680 // NVD: CVE-2018-8849

CREDITS

Billy Rios of Whitescope LLC

Trust: 0.3

sources: BID: 104213

SOURCES

db:	IVD	id:	e2efad9e-39ab-11e9-87b8-000c29342cb1
db:	CNVD	id:	CNVD-2018-10004
db:	VULHUB	id:	VHN-138881
db:	BID	id:	104213
db:	JVNDB	id:	JVNDB-2018-005148
db:	CNNVD	id:	CNNVD-201805-680
db:	NVD	id:	CVE-2018-8849

LAST UPDATE DATE

2025-06-28T23:14:03.579000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-10004	date:	2018-05-22T00:00:00
db:	VULHUB	id:	VHN-138881	date:	2019-10-09T00:00:00
db:	BID	id:	104213	date:	2018-05-17T00:00:00
db:	JVNDB	id:	JVNDB-2018-005148	date:	2018-07-06T00:00:00
db:	CNNVD	id:	CNNVD-201805-680	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-8849	date:	2025-06-27T17:15:32.103

SOURCES RELEASE DATE

db:	IVD	id:	e2efad9e-39ab-11e9-87b8-000c29342cb1	date:	2018-05-22T00:00:00
db:	CNVD	id:	CNVD-2018-10004	date:	2018-05-22T00:00:00
db:	VULHUB	id:	VHN-138881	date:	2018-05-18T00:00:00
db:	BID	id:	104213	date:	2018-05-17T00:00:00
db:	JVNDB	id:	JVNDB-2018-005148	date:	2018-07-06T00:00:00
db:	CNNVD	id:	CNNVD-201805-680	date:	2018-05-21T00:00:00
db:	NVD	id:	CVE-2018-8849	date:	2018-05-18T13:29:00.427