ID

VAR-201808-0171


CVE

CVE-2018-10622


TITLE

Medtronic MyCareLink 24950 and 24952 Patient Monitor Vulnerabilities related to certificate and password management

Trust: 0.8

sources: JVNDB: JVNDB-2018-008970

DESCRIPTION

Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication and encryption of local data at rest. Medtronic MyCareLink 24950 and 24952 Patient Monitor contain vulnerabilities related to certificate and password management. Information may be obtained or altered, and service operation may be disrupted (DoS). Medtronic MyCareLink 24950 Patient Monitor and 24952 Patient Monitor are monitor devices used by Medtronic to monitor patient vital signs. An information disclosure vulnerability exists in Medtronic MyCareLink 24950 Patient Monitor and 24952 Patient Monitor (all versions): the program stores credentials in a recoverable format that an attacker can use to authenticate and obtain sensitive information. Medtronic MyCareLink Patient Monitor is prone to a security bypass vulnerability and an information disclosure vulnerability. An attacker can exploit these issues to bypass security restrictions and perform unauthorized actions or obtain sensitive information. This may aid in further attacks.

Trust: 2.52

sources: NVD: CVE-2018-10622 // JVNDB: JVNDB-2018-008970 // CNVD: CNVD-2019-21129 // BID: 105042 // VULHUB: VHN-120400

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-21129

AFFECTED PRODUCTS

vendor: medtronic, model: mycarelink 24950 patient monitor, scope: eq, version: -

Trust: 1.6

vendor: medtronic, model: mycarelink 24952 patient monitor, scope: eq, version: -

Trust: 1.6

vendor: medtronic, model: 24950 mycarelink monitor, scope: -, version: -

Trust: 0.8

vendor: medtronic, model: 24952 mycarelink monitor, scope: -, version: -

Trust: 0.8

vendor: medtronic, model: mycarelink patient monitor, scope: eq, version: 24950

Trust: 0.6

vendor: medtronic, model: mycarelink patient monitor, scope: eq, version: 24952

Trust: 0.6

vendor: medtronic, model: mycarelink monitor, scope: eq, version: 249520

Trust: 0.3

vendor: medtronic, model: mycarelink monitor, scope: eq, version: 249500

Trust: 0.3

sources: CNVD: CNVD-2019-21129 // BID: 105042 // JVNDB: JVNDB-2018-008970 // CNNVD: CNNVD-201808-289 // NVD: CVE-2018-10622

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-10622
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2018-10622
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-10622
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-21129
value: LOW

Trust: 0.6

CNNVD: CNNVD-201808-289
value: HIGH

Trust: 0.6

VULHUB: VHN-120400
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-10622
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-21129
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-120400
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-10622
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.5
impactScore: 6.0
version: 3.0

Trust: 1.8

ics-cert@hq.dhs.gov: CVE-2018-10622
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
attackVector: PHYSICAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 0.5
impactScore: 4.0
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2019-21129 // VULHUB: VHN-120400 // JVNDB: JVNDB-2018-008970 // CNNVD: CNNVD-201808-289 // NVD: CVE-2018-10622 // NVD: CVE-2018-10622

PROBLEMTYPE DATA

problemtype:CWE-522

Trust: 1.1

problemtype:CWE-257

Trust: 1.0

problemtype:CWE-255

Trust: 0.9

sources: VULHUB: VHN-120400 // JVNDB: JVNDB-2018-008970 // NVD: CVE-2018-10622

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201808-289

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201808-289

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008970

PATCH

title: MyCareLink Patient Monitor, url: http://www.medtronic.com/uk-en/patients/treatments-therapies/fainting-heart-monitor/mycarelink-patient-monitor.html

Trust: 0.8

title: Patch for Medtronic MyCareLink 24950 Patient Monitor and 24952 Patient Monitor Information Disclosure Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/167021

Trust: 0.6

title: Medtronic MyCareLink 24950 Patient Monitor and 24952 Patient Monitor Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83915

Trust: 0.6

sources: CNVD: CNVD-2019-21129 // JVNDB: JVNDB-2018-008970 // CNNVD: CNNVD-201808-289

EXTERNAL IDS

db: NVD, id: CVE-2018-10622

Trust: 3.4

db: ICS CERT, id: ICSMA-18-219-01

Trust: 3.4

db: BID, id: 105042

Trust: 2.0

db: JVNDB, id: JVNDB-2018-008970

Trust: 0.8

db: CNNVD, id: CNNVD-201808-289

Trust: 0.7

db: CNVD, id: CNVD-2019-21129

Trust: 0.6

db: VULHUB, id: VHN-120400

Trust: 0.1

sources: CNVD: CNVD-2019-21129 // VULHUB: VHN-120400 // BID: 105042 // JVNDB: JVNDB-2018-008970 // CNNVD: CNNVD-201808-289 // NVD: CVE-2018-10622

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsma-18-219-01

Trust: 3.4

url: http://www.securityfocus.com/bid/105042

Trust: 1.7

url: https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-8-7-18.html

Trust: 1.0

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10622

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-10622

Trust: 0.8

url: http://www.medtronic.com

Trust: 0.3

sources: CNVD: CNVD-2019-21129 // VULHUB: VHN-120400 // BID: 105042 // JVNDB: JVNDB-2018-008970 // CNNVD: CNNVD-201808-289 // NVD: CVE-2018-10622

CREDITS

Billy Rios, Jesse Young, and Jonathan Butts of Whitescope

Trust: 0.3

sources: BID: 105042

SOURCES

db: CNVD, id: CNVD-2019-21129
db: VULHUB, id: VHN-120400
db: BID, id: 105042
db: JVNDB, id: JVNDB-2018-008970
db: CNNVD, id: CNNVD-201808-289
db: NVD, id: CVE-2018-10622

LAST UPDATE DATE

2025-05-22T23:06:57.228000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-21129, date: 2019-07-04T00:00:00
db: VULHUB, id: VHN-120400, date: 2019-10-09T00:00:00
db: BID, id: 105042, date: 2018-08-07T00:00:00
db: JVNDB, id: JVNDB-2018-008970, date: 2018-11-05T00:00:00
db: CNNVD, id: CNNVD-201808-289, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-10622, date: 2025-05-22T16:15:50.047

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-21129, date: 2019-07-04T00:00:00
db: VULHUB, id: VHN-120400, date: 2018-08-10T00:00:00
db: BID, id: 105042, date: 2018-08-07T00:00:00
db: JVNDB, id: JVNDB-2018-008970, date: 2018-11-05T00:00:00
db: CNNVD, id: CNNVD-201808-289, date: 2018-08-13T00:00:00
db: NVD, id: CVE-2018-10622, date: 2018-08-10T18:29:00.230