Improper access control in Medtronic products - CVE-2019-10964

 


Published: July 3, 2019 / Updated: July 4, 2019


Vulnerability identifier: #VU19004
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-10964
CWE-ID: CWE-284
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: Medtronic
Affected software:
MiniMed Paradigm Veo 754CM
MiniMed Paradigm Veo 554CM
MiniMed Paradigm Veo 554/754
MiniMed Paradigm 523K/723K
MiniMed Paradigm 523/723
MiniMed Paradigm 522K/722K
MiniMed Paradigm 522/722
MiniMed Paradigm 712E
MiniMed Paradigm 512/712
MiniMed Paradigm 511
MiniMed 508

Detailed vulnerability description

The vulnerability allows an attacker to gain unauthorized access to sensitive information.

The vulnerability exists because the wireless RF (radio frequency) communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected products can intercept, modify, or interfere with the wireless RF communications to or from the product. This may allow attackers to read sensitive data, change pump settings, or control insulin delivery.


How to mitigate CVE-2019-10964

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
