CVE-2019-6538

Published: 25/03/2019 Updated: 06/10/2020
CVSS v2 Base Score: 3.3 | Impact Score: 2.9 | Exploitability Score: 6.5
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 294
CVSS v2 Vector: AV:A/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.

Vulnerable Products

medtronic mycarelink_monitor_firmware 24952

medtronic mycarelink_monitor_firmware 24950

medtronic carelink_monitor_firmware 2490c

medtronic carelink_2090_firmware -

medtronic amplia_crt-d_firmware -

medtronic claria_crt-d_firmware -

medtronic compia_crt-d_firmware -

medtronic concerto_crt-d_firmware -

medtronic concerto_ii_crt-d_firmware -

medtronic consulta_crt-d_firmware -

medtronic evera_icd_firmware -

medtronic maximo_ii_crt-d_and_lcd_firmware -

medtronic mirro_icd_firmware -

medtronic nayamed_nd_icd_firmware -

medtronic primo_icd_firmware -

medtronic protecta_icd_and_crt-d_firmware -

medtronic secura_icd_firmware -

medtronic virtuoso_icd_firmware -

medtronic virtuoso_ii_icd_firmware -

medtronic visia_af_icd_firmware -

medtronic viva_crt-d_firmware -

Recent Articles

Don't have a heart attack but your implanted defibrillator can be hacked over the air (by someone who really wants you dead)
The Register • Shaun Nichols in San Francisco • 22 Mar 2019

Medical gear maker Medtronic is once again at the center of a hacker panic storm. This time, a number of its heart defibrillators, implanted in patients' chests, can, in certain circumstances, be wirelessly hijacked and reprogrammed, perhaps to lethal effect. On Thursday, the US government's Dept of Homeland Security issued an alert over two CVE-listed vulnerabilities in Medtronic's wireless communications system Conexus, which is used by some of its heart defibrillators and their control units....