ID

VAR-201808-0173


CVE

CVE-2018-10626


TITLE

Medtronic MyCareLink 24950 and 24952 Patient Monitor Vulnerabilities related to insufficient validation of data reliability

Trust: 0.8

sources: JVNDB: JVNDB-2018-008971

DESCRIPTION

Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network. The Medtronic MyCareLink 24950 and 24952 Patient Monitors contain vulnerabilities related to insufficient validation of data reliability. Information may be obtained and information may be altered. An attacker can exploit these issues to bypass security restrictions and perform unauthorized actions or obtain sensitive information. This may aid in further attacks. Both the Medtronic MyCareLink 24950 Patient Monitor and the 24952 Patient Monitor are monitors produced by Medtronic in the United States for monitoring the vital signs of patients.

Trust: 1.98

sources: NVD: CVE-2018-10626 // JVNDB: JVNDB-2018-008971 // BID: 105042 // VULHUB: VHN-120404

AFFECTED PRODUCTS

vendor: medtronic, model: mycarelink 24950 patient monitor, scope: eq, version: -

Trust: 1.6

vendor: medtronic, model: mycarelink 24952 patient monitor, scope: eq, version: -

Trust: 1.6

vendor: medtronic, model: 24950 mycarelink monitor, scope: -, version: -

Trust: 0.8

vendor: medtronic, model: 24952 mycarelink monitor, scope: -, version: -

Trust: 0.8

vendor: medtronic, model: mycarelink monitor, scope: eq, version: 249520

Trust: 0.3

vendor: medtronic, model: mycarelink monitor, scope: eq, version: 249500

Trust: 0.3

sources: BID: 105042 // JVNDB: JVNDB-2018-008971 // CNNVD: CNNVD-201808-288 // NVD: CVE-2018-10626

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-10626
value: MEDIUM

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2018-10626
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-10626
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201808-288
value: MEDIUM

Trust: 0.6

VULHUB: VHN-120404
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-10626
severity: LOW
baseScore: 3.8
vectorString: AV:A/AC:M/AU:S/C:P/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.4
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-120404
severity: LOW
baseScore: 3.8
vectorString: AV:A/AC:M/AU:S/C:P/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.4
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-10626
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
attackVector: ADJACENT
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.3
impactScore: 2.7
version: 3.0

Trust: 1.8

ics-cert@hq.dhs.gov: CVE-2018-10626
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
attackVector: ADJACENT
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.3
impactScore: 2.7
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-120404 // JVNDB: JVNDB-2018-008971 // CNNVD: CNNVD-201808-288 // NVD: CVE-2018-10626 // NVD: CVE-2018-10626

PROBLEMTYPE DATA

problemtype: CWE-345

Trust: 1.9

sources: VULHUB: VHN-120404 // JVNDB: JVNDB-2018-008971 // NVD: CVE-2018-10626

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201808-288

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-201808-288

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008971

PATCH

title: MyCareLink Patient Monitor, url: http://www.medtronic.com/uk-en/patients/treatments-therapies/fainting-heart-monitor/mycarelink-patient-monitor.html

Trust: 0.8

title: Medtronic MyCareLink 24950 Patient Monitor and 24952 Patient Monitor Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83914

Trust: 0.6

sources: JVNDB: JVNDB-2018-008971 // CNNVD: CNNVD-201808-288

EXTERNAL IDS

db: ICS CERT, id: ICSMA-18-219-01

Trust: 2.8

db: NVD, id: CVE-2018-10626

Trust: 2.8

db: BID, id: 105042

Trust: 2.0

db: JVNDB, id: JVNDB-2018-008971

Trust: 0.8

db: CNNVD, id: CNNVD-201808-288

Trust: 0.7

db: VULHUB, id: VHN-120404

Trust: 0.1

sources: VULHUB: VHN-120404 // BID: 105042 // JVNDB: JVNDB-2018-008971 // CNNVD: CNNVD-201808-288 // NVD: CVE-2018-10626

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsma-18-219-01

Trust: 2.8

url:http://www.securityfocus.com/bid/105042

Trust: 1.7

url:https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-8-7-18.html

Trust: 1.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10626

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-10626

Trust: 0.8

url:http://www.medtronic.com

Trust: 0.3

sources: VULHUB: VHN-120404 // BID: 105042 // JVNDB: JVNDB-2018-008971 // CNNVD: CNNVD-201808-288 // NVD: CVE-2018-10626

CREDITS

Billy Rios, Jesse Young, and Jonathan Butts of Whitescope

Trust: 0.3

sources: BID: 105042

SOURCES

db: VULHUB, id: VHN-120404
db: BID, id: 105042
db: JVNDB, id: JVNDB-2018-008971
db: CNNVD, id: CNNVD-201808-288
db: NVD, id: CVE-2018-10626

LAST UPDATE DATE

2025-05-22T23:06:57.264000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-120404, date: 2019-10-09T00:00:00
db: BID, id: 105042, date: 2018-08-07T00:00:00
db: JVNDB, id: JVNDB-2018-008971, date: 2018-11-05T00:00:00
db: CNNVD, id: CNNVD-201808-288, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-10626, date: 2025-05-22T16:15:51.107

SOURCES RELEASE DATE

db: VULHUB, id: VHN-120404, date: 2018-08-10T00:00:00
db: BID, id: 105042, date: 2018-08-07T00:00:00
db: JVNDB, id: JVNDB-2018-008971, date: 2018-11-05T00:00:00
db: CNNVD, id: CNNVD-201808-288, date: 2018-08-13T00:00:00
db: NVD, id: CVE-2018-10626, date: 2018-08-10T18:29:00.353