CVE-2018-8870 - OpenCVE

Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all versions, and 24952 MyCareLink Monitor, all versions contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.

No CVSS v3.1

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Medtronic	24952 Mycarelink Monitor Firmware 24950 Mycarelink Monitor Firmware 24952 Mycarelink Monitor 24950 Mycarelink Monitor

Configuration 1 [-]

AND

cpe:2.3:o:medtronic:24950_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:24950_mycarelink_monitor:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:medtronic:24952_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:24952_mycarelink_monitor:-:*:*:*:*:*:*:*

References

Link	Resource
https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2018-06-29T00:00:00

Updated: 2018-07-02T17:57:01

Reserved: 2018-03-20T00:00:00

Link: CVE-2018-8870

JSON object: View

NVD Information

Status : Modified

Published: 2018-07-03T01:29:01.940

Modified: 2019-10-09T23:42:59.847

Link: CVE-2018-8870

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Medtronic MyCareLink Patient Monitor", "vendor": "ICS-CERT", "versions": [{"status": "affected", "version": "24950 MyCareLink Monitor, all versions, 24952 MyCareLink Monitor, all versions."}]}], "datePublic": "2018-06-29T00:00:00", "descriptions": [{"lang": "en", "value": "Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all versions, and 24952 MyCareLink Monitor, all versions contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-259", "description": "USE OF HARD-CODED PASSWORD CWE-259", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-07-02T17:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2018-06-29T00:00:00", "ID": "CVE-2018-8870", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Medtronic MyCareLink Patient Monitor", "version": {"version_data": [{"version_value": "24950 MyCareLink Monitor, all versions, 24952 MyCareLink Monitor, all versions."}]}}]}, "vendor_name": "ICS-CERT"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all versions, and 24952 MyCareLink Monitor, all versions contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "USE OF HARD-CODED PASSWORD CWE-259"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2018-8870", "datePublished": "2018-06-29T00:00:00", "dateReserved": "2018-03-20T00:00:00", "dateUpdated": "2018-07-02T17:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:24950_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "778EB98D-C77A-4C81-B7AD-848C335B850D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:24950_mycarelink_monitor:-:*:*:*:*:*:*:*", "matchCriteriaId": "D8F046CD-32D6-44D1-AB08-D81B3942CB78", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:24952_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "2C9FE79C-C221-4E6B-A687-74A5D7A85EFA", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:24952_mycarelink_monitor:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2B146EC-2D18-430C-81B5-6F7D4328BB91", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all versions, and 24952 MyCareLink Monitor, all versions contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system."}, {"lang": "es", "value": "Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor en todas sus versiones y 24952 MyCareLink Monitor en todas su versiones, contienen una contrase\u00f1a de sistema operativo embebida. Un atacante con acceso f\u00edsico puede retirar la carcasa del dispositivo, conectarse al puerto de depuraci\u00f3n y usar la contrase\u00f1a para obtener acceso privilegiado al sistema operativo."}], "id": "CVE-2018-8870", "lastModified": "2019-10-09T23:42:59.847", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-03T01:29:01.940", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-259"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}