CVE-2019-6538

  1. Reconshell
  2. Vulnerabilities (CVE)
  3. CVE-2019-6538
The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

3.3 /10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:A/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 6.5 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References
Link Resource
https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01 Mitigation Third Party Advisory US Government Resource
http://www.securityfocus.com/bid/107544 Third Party Advisory VDB Entry
Advertisement

NeevaHost hosting service
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:o:medtronic:mycarelink_monitor_firmware:24952:*:*:*:*:*:*:*
cpe:2.3:o:medtronic:mycarelink_monitor_firmware:24950:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:mycarelink_monitor:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:medtronic:carelink_monitor_firmware:2490c:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:carelink_monitor:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:medtronic:carelink_2090_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:carelink_2090:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:medtronic:amplia_crt-d_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:amplia_crt-d:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:medtronic:claria_crt-d_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:claria_crt-d:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:medtronic:compia_crt-d_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:compia_crt-d:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:medtronic:concerto_crt-d_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:concerto_crt-d:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:medtronic:concerto_ii_crt-d_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:concerto_ii_crt-d:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:medtronic:consulta_crt-d_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:consulta_crt-d:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:medtronic:evera_icd_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:evera_icd:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:medtronic:maximo_ii_crt-d_and_lcd_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:maximo_ii_crt-d_and_lcd:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:medtronic:mirro_icd_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:mirro_icd:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:medtronic:nayamed_nd_icd_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:nayamed_nd_icd:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND
cpe:2.3:o:medtronic:primo_icd_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:primo_icd:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND
cpe:2.3:o:medtronic:protecta_icd_and_crt-d_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:protecta_icd_and_crt-d:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND
cpe:2.3:o:medtronic:secura_icd_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:secura_icd:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND
cpe:2.3:o:medtronic:virtuoso_icd_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:virtuoso_icd:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND
cpe:2.3:o:medtronic:virtuoso_ii_icd_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:virtuoso_ii_icd:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND
cpe:2.3:o:medtronic:visia_af_icd_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:visia_af_icd:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND
cpe:2.3:o:medtronic:viva_crt-d_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:medtronic:viva_crt-d:-:*:*:*:*:*:*:*
Information

Published : 2019-03-25 15:29

Updated : 2020-10-06 06:19

NVD link : CVE-2019-6538

Mitre link : CVE-2019-6538

JSON object : View

CWE
CWE-306

Missing Authentication for Critical Function

CWE-862

Missing Authorization

Advertisement

dedicated server usa
Products Affected

medtronic

  • nayamed_nd_icd_firmware
  • amplia_crt-d_firmware
  • evera_icd
  • mirro_icd
  • secura_icd
  • mirro_icd_firmware
  • evera_icd_firmware
  • mycarelink_monitor_firmware
  • concerto_crt-d
  • compia_crt-d_firmware
  • virtuoso_icd
  • virtuoso_icd_firmware
  • carelink_2090_firmware
  • carelink_2090
  • primo_icd_firmware
  • visia_af_icd_firmware
  • claria_crt-d
  • claria_crt-d_firmware
  • amplia_crt-d
  • concerto_ii_crt-d_firmware
  • virtuoso_ii_icd
  • primo_icd
  • secura_icd_firmware
  • consulta_crt-d_firmware
  • nayamed_nd_icd
  • concerto_ii_crt-d
  • viva_crt-d
  • carelink_monitor_firmware
  • maximo_ii_crt-d_and_lcd_firmware
  • mycarelink_monitor
  • carelink_monitor
  • viva_crt-d_firmware
  • compia_crt-d
  • maximo_ii_crt-d_and_lcd
  • protecta_icd_and_crt-d
  • visia_af_icd
  • consulta_crt-d
  • virtuoso_ii_icd_firmware
  • protecta_icd_and_crt-d_firmware
  • concerto_crt-d_firmware