CVE-2018-10626
medium
CVSS v3: 4.4
CVSS v2: 3.8
VIR risk: 4.4
Description
Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.
Predictions
Exploit likelihood: 44%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
References
- http://www.securityfocus.com/bid/105042
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2018/icsma-18-219-01.json
- https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-8-7-18.html
- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-219-01
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01
CWEs
CWE-345