#VU19004 Improper access control in Medtronic Hardware solutions


Published: 2019-07-03 | Updated: 2019-07-04

Vulnerability identifier: #VU19004

Vulnerability risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-10964

CWE-ID: CWE-284

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
MiniMed Paradigm Veo 754CM
Hardware solutions / Medical equipment
MiniMed Paradigm Veo 554CM
Hardware solutions / Medical equipment
MiniMed Paradigm Veo 554/754
Hardware solutions / Medical equipment
MiniMed Paradigm 523K/723K
Hardware solutions / Medical equipment
MiniMed Paradigm 523/723
Hardware solutions / Medical equipment
MiniMed Paradigm 522K/722K
Hardware solutions / Medical equipment
MiniMed Paradigm 522/722
Hardware solutions / Medical equipment
MiniMed Paradigm 712E
Hardware solutions / Medical equipment
MiniMed Paradigm 512/712
Hardware solutions / Medical equipment
MiniMed Paradigm 511
Hardware solutions / Medical equipment
MiniMed 508
Hardware solutions / Medical equipment

Vendor: Medtronic

Description

The vulnerability allows an attacker to gain unauthorized access to sensitive information.

The vulnerability exists because the wireless RF (radio frequency) communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected products can intercept, modify, or interfere with the wireless RF communications to or from the product. This may allow attackers to read sensitive data, change pump settings, or control insulin delivery.
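As an added illustration of the missing control described above (this is not Medtronic's protocol or code; the frame layout, field names, pairing key and counter handling are all assumptions made for the example): a receiver that accepts commands on the strength of a CRC alone has no way to tell whether the sender holds the pairing secret, whereas a receiver that verifies a keyed MAC under the pairing key and a strictly increasing counter rejects unkeyed, modified and replayed frames. Both receivers are modelled side by side.

```python
"""Hypothetical model of an RF command receiver for a pump-style device,
added to illustrate CWE-284 (improper access control). Not Medtronic's
protocol: frame layout, field names, key and counter handling are assumed."""
import hashlib
import hmac
import struct
import zlib

# Constructed pairing key shared between the controller and the device.
PAIRING_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DEVICE_ID = 0x00123456  # constructed device identifier

CMD_READ_STATUS = 0x01
CMD_SET_RATE = 0x02  # changes a setting; must never be accepted unauthenticated

TAG_LEN = 16  # truncated HMAC-SHA256 tag


def build_unauth_frame(device_id, cmd, payload):
    """Weak frame: device id + command + payload + CRC32.
    A CRC only detects channel noise; it needs no secret to compute, so it
    gives the receiver no evidence about who sent the frame."""
    body = struct.pack(">IB", device_id, cmd) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def weak_receiver(frame, expected_device_id=DEVICE_ID):
    """Accepts any well-formed frame addressed to this device (the flaw)."""
    if len(frame) < 9:
        return None
    body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    device_id, cmd = struct.unpack(">IB", body[:5])
    if device_id != expected_device_id:
        return None
    return cmd, body[5:]  # accepted without any proof of the pairing key


def build_auth_frame(key, device_id, counter, cmd, payload):
    """Hardened frame: device id + counter + command + payload + HMAC tag."""
    body = struct.pack(">IIB", device_id, counter, cmd) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class HardenedReceiver:
    """Accepts a frame only if the tag verifies under the pairing key and the
    counter is strictly greater than the last accepted one (replay check)."""

    def __init__(self, key, device_id):
        self.key = key
        self.device_id = device_id
        self.last_counter = 0

    def receive(self, frame):
        if len(frame) < 9 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None
        device_id, counter, cmd = struct.unpack(">IIB", body[:9])
        if device_id != self.device_id or counter <= self.last_counter:
            return None
        self.last_counter = counter
        return cmd, body[9:]


def demo():
    """Exercise both receivers; every value in the result should be True."""
    results = {}
    # Weak scheme: a frame built with no secret at all is accepted.
    unkeyed = build_unauth_frame(DEVICE_ID, CMD_SET_RATE, b"\x05")
    results["weak_accepts_unkeyed"] = weak_receiver(unkeyed) is not None

    rx = HardenedReceiver(PAIRING_KEY, DEVICE_ID)
    good = build_auth_frame(PAIRING_KEY, DEVICE_ID, 1, CMD_SET_RATE, b"\x05")
    results["auth_accepts_keyed"] = rx.receive(good) == (CMD_SET_RATE, b"\x05")
    # Same frame a second time: counter not advanced, so it is dropped.
    results["auth_rejects_replay"] = rx.receive(good) is None
    # Frame built under a different key is dropped at the tag check.
    other = build_auth_frame(b"\x00" * 16, DEVICE_ID, 2, CMD_SET_RATE, b"\x05")
    results["auth_rejects_wrong_key"] = rx.receive(other) is None
    # A valid status request with its command byte altered in transit.
    tampered = bytearray(build_auth_frame(PAIRING_KEY, DEVICE_ID, 3, CMD_READ_STATUS, b""))
    tampered[8] = CMD_SET_RATE  # offset 8 is the command byte; tag no longer matches
    results["auth_rejects_tamper"] = rx.receive(bytes(tampered)) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The counter check is what turns a MAC into an authorization decision over time: without it a previously captured, correctly tagged frame would still be accepted, which matters most for commands that change settings rather than read them.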

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

MiniMed Paradigm Veo 754CM: All versions

MiniMed Paradigm Veo 554CM: All versions

MiniMed Paradigm Veo 554/754: All versions

MiniMed Paradigm 523K/723K: All versions

MiniMed Paradigm 523/723: All versions

MiniMed Paradigm 522K/722K: All versions

MiniMed Paradigm 522/722: All versions

MiniMed Paradigm 712E: All versions

MiniMed Paradigm 512/712: All versions

MiniMed Paradigm 511: All versions

MiniMed 508: All versions


External links
http://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/Medtronic_Security_Bulletin_Diabetes_Paradigm_062719_FINAL.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

