Medtronic MyCareLink Monitor Conexus Telemetry Protocol Radio access control

Summaryinfo

A vulnerability has been found in Medtronic MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D, Maximo II ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD, Protecta CRT-D and Secura ICD and classified as critical. Affected is an unknown function of the component Conexus Telemetry Protocol Handler. Performing a manipulation results in access control (Radio). This vulnerability is cataloged as CVE-2019-6538. The attack may be carried out on the physical device. There is no exploit available.

Detailsinfo

A vulnerability classified as critical has been found in Medtronic MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D, Maximo II ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD, Protecta CRT-D and Secura ICD (Medical Device Software). This affects an unknown part of the component Conexus Telemetry Protocol Handler. The manipulation with an unknown input leads to a access control vulnerability (Radio). CWE is classifying the issue as CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product?s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.

The bug was discovered 03/21/2019. The weakness was shared 03/25/2019. This vulnerability is uniquely identified as CVE-2019-6538 since 01/22/2019. Attacking locally is a requirement. No form of authentication is needed for exploitation. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.

The vulnerability was handled as a non-public zero-day exploit for at least 4 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2019-16097). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Medical Device Software

Vendor

• Medtronic

Name

• Amplia CRT-D
• CareLink 2090 Programmer
• CareLink Monitor
• Claria CRT-D
• Compia CRT-D
• Concerto CRT-D
• Consulta CRT-D
• Evera ICD
• Maximo II CRT-D
• Maximo II ICD
• Mirro ICD
• MyCareLink Monitor
• Nayamed ND ICD
• Primo ICD
• Protecta CRT-D
• Protecta ICD
• Secura ICD

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion