CVE-2018-8870

Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all versions, and 24952 MyCareLink Monitor, all versions contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.

CVSS v3 6.8 MEDIUM
CVSS v2.0 7.2 HIGH

6.8^/10

CVSS v3 : MEDIUM

Vector : AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 0.9 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:medtronic:24950_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:24950_mycarelink_monitor:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:medtronic:24952_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:24952_mycarelink_monitor:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-07-03 01:29

Updated : 2024-02-28 16:25

NVD link : CVE-2018-8870

Mitre link : CVE-2018-8870

CVE.ORG link : CVE-2018-8870

JSON object : View

Products Affected

medtronic

24950_mycarelink_monitor
24952_mycarelink_monitor_firmware
24950_mycarelink_monitor_firmware
24952_mycarelink_monitor

CWE

CWE-798

Use of Hard-coded Credentials

CWE-259

Use of Hard-coded Password

{"id": "CVE-2018-8870", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": true, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}]}, "published": "2018-07-03T01:29:01.940", "references": [{"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-259"}]}], "descriptions": [{"lang": "en", "value": "Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all versions, and 24952 MyCareLink Monitor, all versions contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system."}, {"lang": "es", "value": "Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor en todas sus versiones y 24952 MyCareLink Monitor en todas su versiones, contienen una contrase\u00f1a de sistema operativo embebida. Un atacante con acceso f\u00edsico puede retirar la carcasa del dispositivo, conectarse al puerto de depuraci\u00f3n y usar la contrase\u00f1a para obtener acceso privilegiado al sistema operativo."}], "lastModified": "2019-10-09T23:42:59.847", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:24950_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "778EB98D-C77A-4C81-B7AD-848C335B850D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:24950_mycarelink_monitor:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D8F046CD-32D6-44D1-AB08-D81B3942CB78"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:24952_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C9FE79C-C221-4E6B-A687-74A5D7A85EFA"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:24952_mycarelink_monitor:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F2B146EC-2D18-430C-81B5-6F7D4328BB91"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}