ID

VAR-201807-0333


CVE

CVE-2018-10596


TITLE

Medtronic 2090 CareLink Programmer vulnerable to information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2018-008035

DESCRIPTION

Medtronic 2090 CareLink Programmer uses a virtual private network connection to securely download updates. It does not verify that it is still connected to this virtual private network before downloading updates. The affected products initially establish an encapsulated IP-based VPN connection to a Medtronic-hosted update network. Once the VPN is established, the programmer makes a request for updates to an HTTP (non-TLS) server across the VPN, which responds and provides any available updates. The programmer-side (client) service responsible for this HTTP request does not check that it is still connected to the VPN before making the HTTP request. Thus, an attacker could cause the VPN connection to terminate (through various methods and attack points) and intercept the HTTP request, responding with malicious updates via a man-in-the-middle attack. The affected products do not verify the origin or integrity of these updates, as they relied on the security of the VPN, which is insufficient. An attacker with remote network access to the programmer could influence these communications. Medtronic 2090 CareLink Programmer contains an information disclosure vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Medtronic 2090 CareLink Programmer is a set of portable computer products from Medtronic Corporation of the United States. This product is used to manage and program cardiac devices in the medical industry.

Trust: 2.25

sources: NVD: CVE-2018-10596 // JVNDB: JVNDB-2018-008035 // CNVD: CNVD-2018-12557 // VULHUB: VHN-120371

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-12557

AFFECTED PRODUCTS

vendor: medtronic, model: 2090 carelink programmer, scope: -, version: -

Trust: 1.4

vendor: medtronic, model: 2090 carelink programmer, scope: eq, version: *

Trust: 1.0

vendor: medtronic, model: carelink programmer, scope: eq, version: 2090

Trust: 0.6

sources: CNVD: CNVD-2018-12557 // JVNDB: JVNDB-2018-008035 // CNNVD: CNNVD-201807-212 // NVD: CVE-2018-10596

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-10596
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2018-10596
value: HIGH

Trust: 1.0

NVD: CVE-2018-10596
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-12557
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201807-212
value: HIGH

Trust: 0.6

VULHUB: VHN-120371
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-10596
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-12557
severity: MEDIUM
baseScore: 6.8
vectorString: AV:A/AC:H/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.2
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-120371
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-10596
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.0

Trust: 1.8

ics-cert@hq.dhs.gov: CVE-2018-10596
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2018-12557 // VULHUB: VHN-120371 // JVNDB: JVNDB-2018-008035 // CNNVD: CNNVD-201807-212 // NVD: CVE-2018-10596 // NVD: CVE-2018-10596

PROBLEMTYPE DATA

problemtype: CWE-200

Trust: 1.9

problemtype: CWE-923

Trust: 1.0

sources: VULHUB: VHN-120371 // JVNDB: JVNDB-2018-008035 // NVD: CVE-2018-10596

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201807-212

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201807-212

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008035

PATCH

title: Top Page, url: http://www.medtronic.com/us-en/index.html

Trust: 0.8

sources: JVNDB: JVNDB-2018-008035

EXTERNAL IDS

db: NVD, id: CVE-2018-10596

Trust: 3.1

db: ICS CERT, id: ICSMA-18-058-01

Trust: 3.1

db: JVNDB, id: JVNDB-2018-008035

Trust: 0.8

db: CNNVD, id: CNNVD-201807-212

Trust: 0.7

db: CNVD, id: CNVD-2018-12557

Trust: 0.6

db: NSFOCUS, id: 47493

Trust: 0.6

db: VULHUB, id: VHN-120371

Trust: 0.1

sources: CNVD: CNVD-2018-12557 // VULHUB: VHN-120371 // JVNDB: JVNDB-2018-008035 // CNNVD: CNNVD-201807-212 // NVD: CVE-2018-10596

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsma-18-058-01

Trust: 3.1

url: https://global.medtronic.com/xg-en/product-security/security-bulletins/carelink-2090-29901.html

Trust: 1.0

url: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-058-01

Trust: 1.0

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10596

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-10596

Trust: 0.8

url: https://www.us-cert.gov/ics/advisories/icsma-18-058-01

Trust: 0.6

url: http://www.nsfocus.net/vulndb/47493

Trust: 0.6

sources: CNVD: CNVD-2018-12557 // VULHUB: VHN-120371 // JVNDB: JVNDB-2018-008035 // CNNVD: CNNVD-201807-212 // NVD: CVE-2018-10596

SOURCES

db: CNVD, id: CNVD-2018-12557
db: VULHUB, id: VHN-120371
db: JVNDB, id: JVNDB-2018-008035
db: CNNVD, id: CNNVD-201807-212
db: NVD, id: CVE-2018-10596

LAST UPDATE DATE

2025-05-23T23:07:14.887000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-12557, date: 2018-07-05T00:00:00
db: VULHUB, id: VHN-120371, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2018-008035, date: 2018-10-05T00:00:00
db: CNNVD, id: CNNVD-201807-212, date: 2020-08-07T00:00:00
db: NVD, id: CVE-2018-10596, date: 2025-05-22T18:15:21.490

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-12557, date: 2018-07-05T00:00:00
db: VULHUB, id: VHN-120371, date: 2018-07-03T00:00:00
db: JVNDB, id: JVNDB-2018-008035, date: 2018-10-05T00:00:00
db: CNNVD, id: CNNVD-201807-212, date: 2018-07-04T00:00:00
db: NVD, id: CVE-2018-10596, date: 2018-07-03T01:29:00.487