CVE-2017-5149 - OpenCVE

An issue was discovered in St. Jude Medical Merlin@home, versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical's web site, Merlin.net, are not verified. This may allow a man-in-the-middle attacker to access or influence communications between the identified endpoints.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Abbott	Merlin\@home Ex1100 Merlin\@home Firmware Merlin\@home Ex1150

Configuration 1 [-]

AND

cpe:2.3:o:abbott:merlin\@home_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:abbott:merlin\@home_ex1100:-:::::::*
	cpe:2.3:h:abbott:merlin\@home_ex1150:-:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/95331	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A	Mitigation Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2017-02-13T22:00:00

Updated: 2017-02-14T10:57:01

Reserved: 2017-01-03T00:00:00

Link: CVE-2017-5149

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-02-13T22:59:00.303

Modified: 2023-06-26T19:38:41.247

Link: CVE-2017-5149

JSON object: View

Redhat Information

No data.

CWE

CWE-476

{"containers": {"cna": {"affected": [{"product": "St. Jude Merlin@home Transmitter before 8.2.2", "vendor": "n/a", "versions": [{"status": "affected", "version": "St. Jude Merlin@home Transmitter before 8.2.2"}]}], "datePublic": "2017-02-13T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in St. Jude Medical Merlin@home, versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical's web site, Merlin.net, are not verified. This may allow a man-in-the-middle attacker to access or influence communications between the identified endpoints."}], "problemTypes": [{"descriptions": [{"description": "St. Jude Merlin@home Transmitter Vulnerability MITM", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-02-14T10:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"name": "95331", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95331"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2017-5149", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "St. Jude Merlin@home Transmitter before 8.2.2", "version": {"version_data": [{"version_value": "St. Jude Merlin@home Transmitter before 8.2.2"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in St. Jude Medical Merlin@home, versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical's web site, Merlin.net, are not verified. This may allow a man-in-the-middle attacker to access or influence communications between the identified endpoints."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "St. Jude Merlin@home Transmitter Vulnerability MITM"}]}]}, "references": {"reference_data": [{"name": "95331", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95331"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-5149", "datePublished": "2017-02-13T22:00:00", "dateReserved": "2017-01-03T00:00:00", "dateUpdated": "2017-02-14T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:abbott:merlin\\@home_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DB01C075-4332-4FDA-94DE-64EFA3C7829D", "versionEndIncluding": "8.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:abbott:merlin\\@home_ex1100:-:*:*:*:*:*:*:*", "matchCriteriaId": "1D96349E-317D-4A53-81A3-1FFFDA942A36", "vulnerable": false}, {"criteria": "cpe:2.3:h:abbott:merlin\\@home_ex1150:-:*:*:*:*:*:*:*", "matchCriteriaId": "E1E96A4A-6163-4EE7-A756-B751D0B0C7B9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in St. Jude Medical Merlin@home, versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical's web site, Merlin.net, are not verified. This may allow a man-in-the-middle attacker to access or influence communications between the identified endpoints."}, {"lang": "es", "value": "Ha sido descubierto un problema en St. Jude Medical Merlin@home, versiones anteriores a la versi\u00f3n 8.2.2 (modelos RF: EX1150, modelos inductivos: EX1100 y modelos inductivos: EX1100 con capacidad MerlinOnDemand). No se verifican las identidades de los puntos finales para el canal de comunicaci\u00f3n entre el transmisor y el sitio web de St. Jude Medical, Merlin.net. Esto puede permitir que un atacante man-in-the-middle acceda o influya en las comunicaciones entre los puntos finales identificados."}], "id": "CVE-2017-5149", "lastModified": "2023-06-26T19:38:41.247", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-13T22:59:00.303", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95331"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}