CVE-2017-5149 - OpenCVE

An issue was discovered in St. Jude Medical Merlin@home, versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical's web site, Merlin.net, are not verified. This may allow a man-in-the-middle attacker to access or influence communications between the identified endpoints.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Abbott	Merlin\@home Ex1100 Merlin\@home Ex1150 Merlin\@home Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:h:abbott:merlin\@home_ex1100:-:::::::*
	cpe:2.3:h:abbott:merlin\@home_ex1150:-:::::::*

cpe:2.3:o:abbott:merlin\@home_firmware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/95331
https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2017-02-13T22:00:00

Updated: 2024-08-05T14:55:34.850Z

Reserved: 2017-01-03T00:00:00

Link: CVE-2017-5149

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-02-13T22:59:00.303

Modified: 2023-06-26T19:38:41.247

Link: CVE-2017-5149

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "St. Jude Merlin@home Transmitter before 8.2.2", "vendor": "n/a", "versions": [{"status": "affected", "version": "St. Jude Merlin@home Transmitter before 8.2.2"}]}], "datePublic": "2017-02-13T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in St. Jude Medical Merlin@home, versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical's web site, Merlin.net, are not verified. This may allow a man-in-the-middle attacker to access or influence communications between the identified endpoints."}], "problemTypes": [{"descriptions": [{"description": "St. Jude Merlin@home Transmitter Vulnerability MITM", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-02-14T10:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"name": "95331", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95331"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2017-5149", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "St. Jude Merlin@home Transmitter before 8.2.2", "version": {"version_data": [{"version_value": "St. Jude Merlin@home Transmitter before 8.2.2"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in St. Jude Medical Merlin@home, versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical's web site, Merlin.net, are not verified. This may allow a man-in-the-middle attacker to access or influence communications between the identified endpoints."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "St. Jude Merlin@home Transmitter Vulnerability MITM"}]}]}, "references": {"reference_data": [{"name": "95331", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95331"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:55:34.850Z"}, "title": "CVE Program Container", "references": [{"name": "95331", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/95331"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-5149", "datePublished": "2017-02-13T22:00:00", "dateReserved": "2017-01-03T00:00:00", "dateUpdated": "2024-08-05T14:55:34.850Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:abbott:merlin\\@home_ex1100:-:*:*:*:*:*:*:*", "matchCriteriaId": "1D96349E-317D-4A53-81A3-1FFFDA942A36", "vulnerable": false}, {"criteria": "cpe:2.3:h:abbott:merlin\\@home_ex1150:-:*:*:*:*:*:*:*", "matchCriteriaId": "E1E96A4A-6163-4EE7-A756-B751D0B0C7B9", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:abbott:merlin\\@home_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DB01C075-4332-4FDA-94DE-64EFA3C7829D", "versionEndIncluding": "8.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in St. Jude Medical Merlin@home, versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical's web site, Merlin.net, are not verified. This may allow a man-in-the-middle attacker to access or influence communications between the identified endpoints."}, {"lang": "es", "value": "Ha sido descubierto un problema en St. Jude Medical Merlin@home, versiones anteriores a la versi\u00f3n 8.2.2 (modelos RF: EX1150, modelos inductivos: EX1100 y modelos inductivos: EX1100 con capacidad MerlinOnDemand). No se verifican las identidades de los puntos finales para el canal de comunicaci\u00f3n entre el transmisor y el sitio web de St. Jude Medical, Merlin.net. Esto puede permitir que un atacante man-in-the-middle acceda o influya en las comunicaciones entre los puntos finales identificados."}], "id": "CVE-2017-5149", "lastModified": "2023-06-26T19:38:41.247", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-13T22:59:00.303", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95331"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}