Improper access control in Medtronic MiniMed 508 and Paradigm Series Insulin Pumps



Published: 2019-07-03
Risk: Low
Patch available: NO
Number of vulnerabilities: 1
CVE-ID: CVE-2019-10964
CWE-ID: CWE-284
Exploitation vector: Local network
Public exploit: N/A
Vulnerable software
MiniMed Paradigm Veo 754CM
Hardware solutions / Medical equipment

MiniMed Paradigm Veo 554CM
Hardware solutions / Medical equipment

MiniMed Paradigm Veo 554/754
Hardware solutions / Medical equipment

MiniMed Paradigm 523K/723K
Hardware solutions / Medical equipment

MiniMed Paradigm 523/723
Hardware solutions / Medical equipment

MiniMed Paradigm 522K/722K
Hardware solutions / Medical equipment

MiniMed Paradigm 522/722
Hardware solutions / Medical equipment

MiniMed Paradigm 712E
Hardware solutions / Medical equipment

MiniMed Paradigm 512/712
Hardware solutions / Medical equipment

MiniMed Paradigm 511
Hardware solutions / Medical equipment

MiniMed 508
Hardware solutions / Medical equipment

Vendor: Medtronic

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Improper access control

EUVDB-ID: #VU19004

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-10964

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows an attacker to gain unauthorized access to sensitive information.

The vulnerability exists because the wireless RF (radio frequency) communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected products can intercept, modify, or interfere with the wireless RF communications to or from the product. This may allow attackers to read sensitive data, change pump settings, or control insulin delivery.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

MiniMed Paradigm Veo 754CM: All versions

MiniMed Paradigm Veo 554CM: All versions

MiniMed Paradigm Veo 554/754: All versions

MiniMed Paradigm 523K/723K: All versions

MiniMed Paradigm 523/723: All versions

MiniMed Paradigm 522K/722K: All versions

MiniMed Paradigm 522/722: All versions

MiniMed Paradigm 712E: All versions

MiniMed Paradigm 512/712: All versions

MiniMed Paradigm 511: All versions

MiniMed 508: All versions

External links

http://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/Medtronic_Security_Bulletin_Diabetes_Paradigm_062719_FINAL.pdf1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


