Protection Mechanism Failure in Medtronic NGP 600 Series Insulin Pumps



Published: 2022-09-21
Risk Medium
Patch available NO
Number of vulnerabilities 1
CVE-ID CVE-2022-32537
CWE-ID CWE-693
Exploitation vector Local network
Public exploit N/A
Vulnerable software
Subscribe
MiniMed 620G
Hardware solutions / Medical equipment

MiniMed 630G
Hardware solutions / Medical equipment

MiniMed 640G
Hardware solutions / Medical equipment

MiniMed 670G
Hardware solutions / Medical equipment

Vendor Medtronic

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Protection Mechanism Failure

EUVDB-ID: #VU67535

Risk: Medium

CVSSv3.1: 4.4 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2022-32537

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A remote user on the local network can learn aspects of the communication protocol used to pair system components while the pump is being paired with other system components.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

MiniMed 620G: MMT-1710

MiniMed 630G: MMT-1715 - MMT-1755

MiniMed 640G: MMT-1711 - MMT-1752

MiniMed 670G: MMT-1740 - MMT-1782

External links

http://ics-cert.us-cert.gov/advisories/icsma-22-263-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###