ID

VAR-201906-1020


CVE

CVE-2019-10964


TITLE

plural Medtronic Minimed Access control vulnerabilities in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-006089

DESCRIPTION

In Medtronic MinMed 508 and Medtronic Minimed Paradigm Insulin Pumps, Versions, MiniMed 508 pump – All versions, MiniMed Paradigm 511 pump – All versions, MiniMed Paradigm 512/712 pumps – All versions, MiniMed Paradigm 712E pump–All versions, MiniMed Paradigm 515/715 pumps–All versions, MiniMed Paradigm 522/722 pumps – All versions,MiniMed Paradigm 522K/722K pumps – All versions, MiniMed Paradigm 523/723 pumps – Software versions 2.4A or lower, MiniMed Paradigm 523K/723K pumps – Software, versions 2.4A or lower, MiniMed Paradigm Veo 554/754 pumps – Software versions 2.6A or lower, MiniMed Paradigm Veo 554CM and 754CM models only – Software versions 2.7A or lower, the affected insulin pumps are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery. plural Medtronic Minimed The product contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Multiple Medtronic Products are prone to an security-bypass vulnerability. Successful exploits may allow an attacker to bypass certain security restrictions and to perform unauthorized actions; this may aid in launching further attacks. Medtronic MiniMed 508 pump and others are insulin pumps from Medtronic. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles

Trust: 1.98

sources: NVD: CVE-2019-10964 // JVNDB: JVNDB-2019-006089 // BID: 108926 // VULHUB: VHN-142563

AFFECTED PRODUCTS

vendor:medtronicmodel:minimed paradigm veo 754cmscope:eqversion: -

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 515scope:eqversion:*

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 522scope:eqversion:*

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 523scope:lteversion:2.4a

Trust: 1.0

vendor:medtronicmodel:minimed paradigm veo 554cmscope:lteversion:2.7a

Trust: 1.0

vendor:medtronicmodel:minimed 508scope:eqversion:*

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 715scope:eqversion:*

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 712scope:eqversion:*

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 511scope:eqversion:*

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 512scope:eqversion:*

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 522kscope:eqversion:*

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 722scope:eqversion:*

Trust: 1.0

vendor:medtronicmodel:minimed paradigm veo 754scope:lteversion:2.6a

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 722kscope:eqversion:*

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 712escope:eqversion:*

Trust: 1.0

vendor:medtronicmodel:minimed paradigm veo 554scope:lteversion:2.6a

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 723kscope:lteversion:2.4a

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 723scope:lteversion:2.4a

Trust: 1.0

vendor:medtronicmodel:minimed paradigm 523kscope:lteversion:2.4a

Trust: 1.0

vendor:medtronicmodel:minimed 508scope: - version: -

Trust: 0.8

vendor:medtronicmodel:minimed paradigm 511scope: - version: -

Trust: 0.8

vendor:medtronicmodel:minimed paradigm 512scope: - version: -

Trust: 0.8

vendor:medtronicmodel:minimed paradigm 515scope: - version: -

Trust: 0.8

vendor:medtronicmodel:minimed paradigm 522scope: - version: -

Trust: 0.8

vendor:medtronicmodel:minimed paradigm 522kscope: - version: -

Trust: 0.8

vendor:medtronicmodel:minimed paradigm 712scope: - version: -

Trust: 0.8

vendor:medtronicmodel:minimed paradigm 712escope: - version: -

Trust: 0.8

vendor:medtronicmodel:minimed paradigm 715scope: - version: -

Trust: 0.8

vendor:medtronicmodel:minimed paradigm 722scope: - version: -

Trust: 0.8

vendor:medtronicmodel:minimed paradigm veo 554cm and 754cm models 2.7ascope: - version: -

Trust: 0.3

vendor:medtronicmodel:minimed paradigm veo pumps 2.6ascope:eqversion:554/754

Trust: 0.3

vendor:medtronicmodel:minimed paradigm 712e pumpscope:eqversion:0

Trust: 0.3

vendor:medtronicmodel:minimed paradigm 523k/723k pumps 2.4ascope: - version: -

Trust: 0.3

vendor:medtronicmodel:minimed paradigm pumps 2.4ascope:eqversion:523/723

Trust: 0.3

vendor:medtronicmodel:minimed paradigm 522k/722k pumpsscope:eqversion:0

Trust: 0.3

vendor:medtronicmodel:minimed paradigm pumpsscope:eqversion:522/7220

Trust: 0.3

vendor:medtronicmodel:minimed paradigm pumpsscope:eqversion:515/7150

Trust: 0.3

vendor:medtronicmodel:minimed paradigm pumpsscope:eqversion:512/7120

Trust: 0.3

vendor:medtronicmodel:minimed paradigm pumpscope:eqversion:5110

Trust: 0.3

vendor:medtronicmodel:minimed pumpscope:eqversion:5080

Trust: 0.3

sources: BID: 108926 // JVNDB: JVNDB-2019-006089 // NVD: CVE-2019-10964

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10964
value: HIGH

Trust: 1.0

NVD: CVE-2019-10964
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201906-1080
value: HIGH

Trust: 0.6

VULHUB: VHN-142563
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-10964
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-142563
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-10964
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-142563 // JVNDB: JVNDB-2019-006089 // CNNVD: CNNVD-201906-1080 // NVD: CVE-2019-10964

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.1

problemtype:CWE-863

Trust: 1.1

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-142563 // JVNDB: JVNDB-2019-006089 // NVD: CVE-2019-10964

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201906-1080

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201906-1080

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006089

PATCH

title:Top Pageurl:http://www.medtronicdiabetes.com/home

Trust: 0.8

sources: JVNDB: JVNDB-2019-006089

EXTERNAL IDS

db:NVDid:CVE-2019-10964

Trust: 2.8

db:ICS CERTid:ICSMA-19-178-01

Trust: 2.8

db:BIDid:108926

Trust: 2.0

db:JVNDBid:JVNDB-2019-006089

Trust: 0.8

db:CNNVDid:CNNVD-201906-1080

Trust: 0.7

db:AUSCERTid:ESB-2019.2351

Trust: 0.6

db:VULHUBid:VHN-142563

Trust: 0.1

sources: VULHUB: VHN-142563 // BID: 108926 // JVNDB: JVNDB-2019-006089 // CNNVD: CNNVD-201906-1080 // NVD: CVE-2019-10964

REFERENCES

url:https://www.us-cert.gov/ics/advisories/icsma-19-178-01

Trust: 2.8

url:http://www.securityfocus.com/bid/108926

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-10964

Trust: 1.4

url:https://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/medtronic_security_bulletin_diabetes_paradigm_062719_final.pdf

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10964

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2019.2351/

Trust: 0.6

url:https://www.medtronic.com

Trust: 0.3

sources: VULHUB: VHN-142563 // BID: 108926 // JVNDB: JVNDB-2019-006089 // CNNVD: CNNVD-201906-1080 // NVD: CVE-2019-10964

CREDITS

Nathanael Paul, Jay Radcliffe, Barnaby Jack, Jonathan Butts and Jesse Young, Billy Rios, Medtronic., Jonathan Butts, and Jesse Young

Trust: 0.6

sources: CNNVD: CNNVD-201906-1080

SOURCES

db:VULHUBid:VHN-142563
db:BIDid:108926
db:JVNDBid:JVNDB-2019-006089
db:CNNVDid:CNNVD-201906-1080
db:NVDid:CVE-2019-10964

LAST UPDATE DATE

2024-11-23T22:06:09.954000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-142563date:2020-08-24T00:00:00
db:BIDid:108926date:2019-06-27T00:00:00
db:JVNDBid:JVNDB-2019-006089date:2019-07-09T00:00:00
db:CNNVDid:CNNVD-201906-1080date:2020-08-25T00:00:00
db:NVDid:CVE-2019-10964date:2024-11-21T04:20:15.397

SOURCES RELEASE DATE

db:VULHUBid:VHN-142563date:2019-06-28T00:00:00
db:BIDid:108926date:2019-06-27T00:00:00
db:JVNDBid:JVNDB-2019-006089date:2019-07-09T00:00:00
db:CNNVDid:CNNVD-201906-1080date:2019-06-28T00:00:00
db:NVDid:CVE-2019-10964date:2019-06-28T21:15:11.007