Information disclosure in Medtronic 9790, 2090 CareLink, and 29901 Encore Programmers
| Risk | Low |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-18984 |
| CWE-ID | CWE-200 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
29901 Encore Programmer Hardware solutions / Firmware 2090 CareLink Programmer Hardware solutions / Firmware 9790 CareLink Programmer Hardware solutions / Firmware |
| Vendor | Medtronic |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU16567
Risk: Low
CVSSv3.1: 4.2 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2018-18984
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a physical attacker to obtain potentially sensitive information.
The vulnerability exists due to improper encryption the following sensitive information. A physical attacker can view encrypted data and gain access to potentially sensitive information.
The CareLink 9790 Programmer has been placed into end-of-life status and is no longer supported by Medtronic. Medtronic recommends users no longer use the 9790 for any purpose.
The CareLink 2090 and 29901 Encore programmers store PHI and PII as part of their normal operating procedure. Medtronic recommends that when devices are storing PHI/PII it should be retained on these programmers for the least amount of time necessary, and should be handled, managed and secured in a manner consistent with the applicable laws for patient data privacy. Please contact a Medtronic representative for proper disposal and PHI/PII retention setting instructions.
All affected programmers allow for the manual deletion of programmer-generated reports, which could contain PHI/PII. Medtronic recommends users delete these reports when no longer needed and prior to any disposition of the programmer.
Medtronic recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, hospitals and clinicians should:
- Maintain strict physical control of the programmer.
- Use only legitimately obtained programmers and not ones provided by any third party.
Proper disposal of these programmers and the associated electronic media storing data is critical for the continued protection of any PHI and PII residing on the programmer.
Vulnerable software versions29901 Encore Programmer: All versions
2090 CareLink Programmer: All versions
9790 CareLink Programmer: All versions
External linkshttp://ics-cert.us-cert.gov/advisories/ICSMA-18-347-01
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
