CVE-2018-10622 - OpenCVE

A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected products use per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication and encryption of local data at rest.

No CVSS v4.0

No CVSS v3.1

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Medtronic	Mycarelink 24950 Patient Monitor Mycarelink 24950 Patient Monitor Firmware Mycarelink 24952 Patient Monitor Mycarelink 24952 Patient Monitor Firmware

Configuration 1 [-]

AND

cpe:2.3:o:medtronic:mycarelink_24952_patient_monitor_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:mycarelink_24952_patient_monitor:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:medtronic:mycarelink_24950_patient_monitor_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:mycarelink_24950_patient_monitor:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/105042
https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2018-08-10T18:00:00Z

Updated: 2024-09-16T18:43:40.859Z

Reserved: 2018-05-01T00:00:00

Link: CVE-2018-10622

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-08-10T18:29:00.230

Modified: 2019-10-09T23:32:56.477

Link: CVE-2018-10622

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Medtronic MyCareLink 24950, 24952 Patient Monitor", "vendor": "ICS-CERT", "versions": [{"status": "affected", "version": "All versions"}]}], "datePublic": "2018-08-07T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected products use per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication and encryption of local data at rest."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-257", "description": "STORING PASSWORDS IN A RECOVERABLE FORMAT CWE-257", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-08-11T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"name": "105042", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105042"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2018-08-07T00:00:00", "ID": "CVE-2018-10622", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Medtronic MyCareLink 24950, 24952 Patient Monitor", "version": {"version_data": [{"version_value": "All versions"}]}}]}, "vendor_name": "ICS-CERT"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected products use per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication and encryption of local data at rest."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "STORING PASSWORDS IN A RECOVERABLE FORMAT CWE-257"}]}]}, "references": {"reference_data": [{"name": "105042", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105042"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T07:46:47.036Z"}, "title": "CVE Program Container", "references": [{"name": "105042", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/105042"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2018-10622", "datePublished": "2018-08-10T18:00:00Z", "dateReserved": "2018-05-01T00:00:00", "dateUpdated": "2024-09-16T18:43:40.859Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:mycarelink_24952_patient_monitor_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A4008DB3-E151-41BA-A308-7BE733268845", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:mycarelink_24952_patient_monitor:-:*:*:*:*:*:*:*", "matchCriteriaId": "60267DCC-89D0-48E3-B6EB-9AD60DC1F16F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:mycarelink_24950_patient_monitor_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "8AACDB33-1EC3-44E1-8C1C-38C766E85F85", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:mycarelink_24950_patient_monitor:-:*:*:*:*:*:*:*", "matchCriteriaId": "BCDA4070-6CDD-42CA-A4A8-DA6B0E98C64D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected products use per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication and encryption of local data at rest."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad en todas las versiones de Medtronic MyCareLink Patient Monitor 24950 y 24952. Los productos afectados emplean credenciales por producto que se almacenan en un formato recuperable. Un atacante puede emplear estas credenciales para autenticarse en red y cifrar datos locales en reposo."}], "id": "CVE-2018-10622", "lastModified": "2019-10-09T23:32:56.477", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.5, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-10T18:29:00.230", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105042"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-257"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}