SB2020121410 - Multiple vulnerabilities in Medtronic MyCareLink

Published: December 14, 2020

Security Bulletin ID: SB2020121410
Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Adjacent network
Highest impact: Code execution

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Improper Authentication (CVE-ID: CVE-2020-25183)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error when processing authentication requests. A remote attacker on the local network can use another mobile device or a malicious application on the patient’s smartphone to bypass the authentication process and gain unauthorized access to the application.


2) Heap-based buffer overflow (CVE-ID: CVE-2020-25187)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker on the local network can run a debug command, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


3) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2020-27252)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a race condition in the MCL Smart Patient Reader software update system. A remote attacker on the local network can upload and execute unsigned firmware, resulting in arbitrary code execution on the system.
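
The check-then-use pattern behind this class of bug, as an added example (not Medtronic's code; the bulletin does not describe the actual mechanism): an installer that verifies a firmware file and then reads it again, next to one that installs the exact bytes it verified. The FNV-1a digest stands in for a real signature check, and the file name, image strings and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IMG_MAX 256
#define FW_PATH "fw_demo.img"                    /* constructed path for the demo */
/* Stand-in for signature verification (assumption): FNV-1a digest. */
static uint64_t digest(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}
static long load_image(unsigned char *buf) {     /* -1 on error or oversize */
    FILE *f = fopen(FW_PATH, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, IMG_MAX, f);
    int bad = ferror(f) || (n == IMG_MAX && fgetc(f) != EOF);
    fclose(f);
    return bad ? -1 : (long)n;
}
static void store(const char *s) {               /* demo helper: write the file */
    FILE *f = fopen(FW_PATH, "wb");
    if (f) { fputs(s, f); fclose(f); }
}
/* Flawed: verify the file, then read it from disk again to install. */
static long install_racy(uint64_t trusted, unsigned char *flash) {
    unsigned char tmp[IMG_MAX];
    long n = load_image(tmp);                    /* time of check */
    if (n < 0 || digest(tmp, (size_t)n) != trusted) return -1;
    store("UNSIGNED-IMAGE");                     /* stands in for a concurrent file swap */
    return load_image(flash);                    /* time of use: unverified bytes */
}
/* Hardened: read once, verify those bytes, install exactly those bytes. */
static long install_safe(uint64_t trusted, unsigned char *flash) {
    unsigned char tmp[IMG_MAX];
    long n = load_image(tmp);
    if (n < 0 || digest(tmp, (size_t)n) != trusted) return -1;
    store("UNSIGNED-IMAGE");                     /* same swap, now irrelevant */
    memcpy(flash, tmp, (size_t)n);
    return n;
}
int installs_verified_bytes(int hardened) {      /* 1 if "flash" holds the verified image */
    const char *good = "SIGNED-IMAGE-v2";        /* constructed sample image */
    unsigned char flash[IMG_MAX] = {0};
    uint64_t trusted = digest((const unsigned char *)good, strlen(good));
    store(good);
    long n = (hardened ? install_safe : install_racy)(trusted, flash);
    remove(FW_PATH);
    return n == (long)strlen(good) && memcmp(flash, good, (size_t)n) == 0;
}
int main(void) { printf("%d %d\n", installs_verified_bytes(0), installs_verified_bytes(1)); return 0; }
```

The flawed path passes verification and still installs bytes that were never checked; the hardened path is unaffected by the swap because nothing is read from disk after the check.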


Remediation

Install the update from the vendor's website.