Vulnerability identifier: #VU67535
Vulnerability risk: Medium
CVSSv3.1: 4.4 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-693
Exploitation vector: Local network
Exploit availability: No
Vulnerable software:
MiniMed 620G
Hardware solutions /
Medical equipment
MiniMed 630G
Hardware solutions /
Medical equipment
MiniMed 640G
Hardware solutions /
Medical equipment
MiniMed 670G
Hardware solutions /
Medical equipment
Vendor: Medtronic
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. A remote user on the local network can learn aspects of the communication protocol used to pair system components while the pump is being paired with other system components.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
MiniMed 620G: MMT-1710
MiniMed 630G: MMT-1715 - MMT-1755
MiniMed 640G: MMT-1711 - MMT-1752
MiniMed 670G: MMT-1740 - MMT-1782
External links
http://ics-cert.us-cert.gov/advisories/icsma-22-263-01
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.