#VU19004 Improper access control in Medtronic products - CVE-2019-10964

 


Published: July 3, 2019 / Updated: July 4, 2019


Vulnerability identifier: #VU19004
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-10964
CWE-ID: CWE-284
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vulnerable software:
MiniMed Paradigm Veo 754CM
MiniMed Paradigm Veo 554CM
MiniMed Paradigm Veo 554/754
MiniMed Paradigm 523K/723K
MiniMed Paradigm 523/723
MiniMed Paradigm 522K/722K
MiniMed Paradigm 522/722
MiniMed Paradigm 712E
MiniMed Paradigm 512/712
MiniMed Paradigm 511
MiniMed 508
Software vendor:
Medtronic

Description

The vulnerability allows an attacker to gain unauthorized access to sensitive information.

The vulnerability exists because the wireless RF (radio frequency) communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected products can intercept, modify, or interfere with the wireless RF communications to or from the product. This may allow attackers to read sensitive data, change pump settings, or control insulin delivery.


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
