Details of VAR-201906-1020

ID

VAR-201906-1020

CVE

CVE-2019-10964

TITLE

plural Medtronic Minimed Access control vulnerabilities in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-006089

DESCRIPTION

In Medtronic MinMed 508 and Medtronic Minimed Paradigm Insulin Pumps, Versions, MiniMed 508 pump – All versions, MiniMed Paradigm 511 pump – All versions, MiniMed Paradigm 512/712 pumps – All versions, MiniMed Paradigm 712E pump–All versions, MiniMed Paradigm 515/715 pumps–All versions, MiniMed Paradigm 522/722 pumps – All versions,MiniMed Paradigm 522K/722K pumps – All versions, MiniMed Paradigm 523/723 pumps – Software versions 2.4A or lower, MiniMed Paradigm 523K/723K pumps – Software, versions 2.4A or lower, MiniMed Paradigm Veo 554/754 pumps – Software versions 2.6A or lower, MiniMed Paradigm Veo 554CM and 754CM models only – Software versions 2.7A or lower, the affected insulin pumps are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery. plural Medtronic Minimed The product contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Multiple Medtronic Products are prone to an security-bypass vulnerability. Successful exploits may allow an attacker to bypass certain security restrictions and to perform unauthorized actions; this may aid in launching further attacks. Medtronic MiniMed 508 pump and others are insulin pumps from Medtronic. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles

Trust: 1.98

sources: NVD: CVE-2019-10964 // JVNDB: JVNDB-2019-006089 // BID: 108926 // VULHUB: VHN-142563

AFFECTED PRODUCTS

vendor:	medtronic	model:	minimed paradigm veo 554	scope:	lte	version:	2.6a	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm veo 754	scope:	lte	version:	2.6a	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 523	scope:	lte	version:	2.4a	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 522k	scope:	eq	version:	*	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 723	scope:	lte	version:	2.4a	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 522	scope:	eq	version:	*	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 723k	scope:	lte	version:	2.4a	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 722	scope:	eq	version:	*	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 722k	scope:	eq	version:	*	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 512	scope:	eq	version:	*	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm veo 554cm	scope:	lte	version:	2.7a	Trust: 1.0
vendor:	medtronic	model:	minimed 508	scope:	eq	version:	*	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 515	scope:	eq	version:	*	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 715	scope:	eq	version:	*	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 712	scope:	eq	version:	*	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 712e	scope:	eq	version:	*	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 511	scope:	eq	version:	*	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm 523k	scope:	lte	version:	2.4a	Trust: 1.0
vendor:	medtronic	model:	minimed paradigm veo 754cm	scope:	eq	version:	-	Trust: 1.0
vendor:	medtronic	model:	minimed 508	scope:	-	version:	-	Trust: 0.8
vendor:	medtronic	model:	minimed paradigm 511	scope:	-	version:	-	Trust: 0.8
vendor:	medtronic	model:	minimed paradigm 512	scope:	-	version:	-	Trust: 0.8
vendor:	medtronic	model:	minimed paradigm 515	scope:	-	version:	-	Trust: 0.8
vendor:	medtronic	model:	minimed paradigm 522	scope:	-	version:	-	Trust: 0.8
vendor:	medtronic	model:	minimed paradigm 522k	scope:	-	version:	-	Trust: 0.8
vendor:	medtronic	model:	minimed paradigm 712	scope:	-	version:	-	Trust: 0.8
vendor:	medtronic	model:	minimed paradigm 712e	scope:	-	version:	-	Trust: 0.8
vendor:	medtronic	model:	minimed paradigm 715	scope:	-	version:	-	Trust: 0.8
vendor:	medtronic	model:	minimed paradigm 722	scope:	-	version:	-	Trust: 0.8
vendor:	medtronic	model:	minimed paradigm veo 554cm and 754cm models 2.7a	scope:	-	version:	-	Trust: 0.3
vendor:	medtronic	model:	minimed paradigm veo pumps 2.6a	scope:	eq	version:	554/754	Trust: 0.3
vendor:	medtronic	model:	minimed paradigm 712e pump	scope:	eq	version:	0	Trust: 0.3
vendor:	medtronic	model:	minimed paradigm 523k/723k pumps 2.4a	scope:	-	version:	-	Trust: 0.3
vendor:	medtronic	model:	minimed paradigm pumps 2.4a	scope:	eq	version:	523/723	Trust: 0.3
vendor:	medtronic	model:	minimed paradigm 522k/722k pumps	scope:	eq	version:	0	Trust: 0.3
vendor:	medtronic	model:	minimed paradigm pumps	scope:	eq	version:	522/7220	Trust: 0.3
vendor:	medtronic	model:	minimed paradigm pumps	scope:	eq	version:	515/7150	Trust: 0.3
vendor:	medtronic	model:	minimed paradigm pumps	scope:	eq	version:	512/7120	Trust: 0.3
vendor:	medtronic	model:	minimed paradigm pump	scope:	eq	version:	5110	Trust: 0.3
vendor:	medtronic	model:	minimed pump	scope:	eq	version:	5080	Trust: 0.3

sources: BID: 108926 // JVNDB: JVNDB-2019-006089 // NVD: CVE-2019-10964

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-10964
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-10964
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201906-1080
value:	HIGH
Trust: 0.6
VULHUB:	VHN-142563
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-10964
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-142563
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-10964
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-142563 // JVNDB: JVNDB-2019-006089 // CNNVD: CNNVD-201906-1080 // NVD: CVE-2019-10964

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.1
problemtype:	CWE-863	Trust: 1.1
problemtype:	CWE-284	Trust: 0.9

sources: VULHUB: VHN-142563 // JVNDB: JVNDB-2019-006089 // NVD: CVE-2019-10964

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201906-1080

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201906-1080

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006089

PATCH

title:

Top Page

url:

http://www.medtronicdiabetes.com/home

Trust: 0.8

sources: JVNDB: JVNDB-2019-006089

EXTERNAL IDS

db:	NVD	id:	CVE-2019-10964	Trust: 2.8
db:	ICS CERT	id:	ICSMA-19-178-01	Trust: 2.8
db:	BID	id:	108926	Trust: 2.0
db:	JVNDB	id:	JVNDB-2019-006089	Trust: 0.8
db:	CNNVD	id:	CNNVD-201906-1080	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.2351	Trust: 0.6
db:	VULHUB	id:	VHN-142563	Trust: 0.1

sources: VULHUB: VHN-142563 // BID: 108926 // JVNDB: JVNDB-2019-006089 // CNNVD: CNNVD-201906-1080 // NVD: CVE-2019-10964

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsma-19-178-01	Trust: 2.8
url:	http://www.securityfocus.com/bid/108926	Trust: 2.3
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10964	Trust: 1.4
url:	https://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/medtronic_security_bulletin_diabetes_paradigm_062719_final.pdf	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10964	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2019.2351/	Trust: 0.6
url:	https://www.medtronic.com	Trust: 0.3

sources: VULHUB: VHN-142563 // BID: 108926 // JVNDB: JVNDB-2019-006089 // CNNVD: CNNVD-201906-1080 // NVD: CVE-2019-10964

CREDITS

Nathanael Paul, Jay Radcliffe, Barnaby Jack, Jonathan Butts and Jesse Young, Billy Rios, Medtronic., Jonathan Butts, and Jesse Young

Trust: 0.6

sources: CNNVD: CNNVD-201906-1080

SOURCES

db:	VULHUB	id:	VHN-142563
db:	BID	id:	108926
db:	JVNDB	id:	JVNDB-2019-006089
db:	CNNVD	id:	CNNVD-201906-1080
db:	NVD	id:	CVE-2019-10964

LAST UPDATE DATE

2024-08-14T15:43:43.094000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-142563	date:	2020-08-24T00:00:00
db:	BID	id:	108926	date:	2019-06-27T00:00:00
db:	JVNDB	id:	JVNDB-2019-006089	date:	2019-07-09T00:00:00
db:	CNNVD	id:	CNNVD-201906-1080	date:	2020-08-25T00:00:00
db:	NVD	id:	CVE-2019-10964	date:	2020-08-24T17:37:01.140

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-142563	date:	2019-06-28T00:00:00
db:	BID	id:	108926	date:	2019-06-27T00:00:00
db:	JVNDB	id:	JVNDB-2019-006089	date:	2019-07-09T00:00:00
db:	CNNVD	id:	CNNVD-201906-1080	date:	2019-06-28T00:00:00
db:	NVD	id:	CVE-2019-10964	date:	2019-06-28T21:15:11.007