CVE-2018-18984

Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Encore Programmer, all versions, The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest PII and PHI.

CVSS v3 4.6 MEDIUM
CVSS v2.0 2.1 LOW

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/106215	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSMA-18-347-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:medtronic:carelink_2090_programmer_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:carelink_2090_programmer:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:h:medtronic:carelink_9790_programmer:-:*:*:*:*:*:*:*

cpe:2.3:o:medtronic:carelink_9790_programmer_firmware:*:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:h:medtronic:29901_encore_programmer:-:*:*:*:*:*:*:*

cpe:2.3:o:medtronic:29901_encore_programmer_firmware:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-12-14 15:29

Updated : 2020-09-18 16:54

NVD link : CVE-2018-18984

Mitre link : CVE-2018-18984

CVE.ORG link : CVE-2018-18984

JSON object : View

Products Affected

medtronic

29901_encore_programmer
carelink_2090_programmer
carelink_9790_programmer_firmware
carelink_9790_programmer
29901_encore_programmer_firmware
carelink_2090_programmer_firmware

CWE

CWE-312

Cleartext Storage of Sensitive Information

CWE-311

Missing Encryption of Sensitive Data

{"id": "CVE-2018-18984", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.9}]}, "published": "2018-12-14T15:29:00.700", "references": [{"url": "http://www.securityfocus.com/bid/106215", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-347-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-312"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-311"}]}], "descriptions": [{"lang": "en", "value": "Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Encore Programmer, all versions, The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest PII and PHI."}, {"lang": "es", "value": "Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Encore Programmer, en todas las versiones. Los productos afectados no cifran, o no cifran lo suficiente la siguiente informaci\u00f3n sensible PII y PHI cuando est\u00e1 en reposo."}], "lastModified": "2020-09-18T16:54:07.023", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:carelink_2090_programmer_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E80013FE-B9BD-456F-85D3-41C5532AD948"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:carelink_2090_programmer:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7DAB7778-4921-4953-ACAA-ADE2DD773B0D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:carelink_9790_programmer:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "97833F56-AD06-42B5-96CF-39551807EDAA"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:carelink_9790_programmer_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74F4132F-F114-4F2D-9ED8-1A6025F3CBF0"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:29901_encore_programmer:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1A94C34F-2334-40CF-867E-F1FD884F46BE"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:29901_encore_programmer_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9D51AA0-C5D7-472E-A95F-5087BAA30B08"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}