There are vulnerabilities in Medtronic’s 2090 CareLink Programmer and its accompanying software deployment network, according to a report with ICS-CERT.
The CareLink programmer is a portable computer system used by trained personnel to program and manage cardiac devices in the clinic and procedure room. Medtronic has not developed a product update to address these vulnerabilities, but has identified compensating controls within this advisory to help reduce the risk associated with these vulnerabilities.
All versions of 2090 CareLink Programmer suffer from the vulnerabilities, discovered by researchers Billy Rios and Jonathan Butts of Whitescope LLC.
Successful exploitation of these vulnerabilities may allow an attacker with physical access to a 2090 Programmer to obtain per-product credentials to the software deployment network. These credentials grant access to the software deployment network, but access is limited to read-only versions of device software applications. No write capability exists with the credentials.
Medtronic has assessed the vulnerabilities and determined existing controls are sufficient.
Medtronic is a medical technology, services, and solutions company headquartered in Dublin, Ireland, and maintains offices around the world.
The affected product, the Medtronic CareLink 2090 Programmer, is used by trained personnel at hospitals and clinics to program and manage Medtronic cardiac devices. According to Medtronic, 2090 CareLink Programmers are deployed across the Healthcare and Public Health sector. These programmers are used worldwide.
In one vulnerability, the affected product uses a per-product username and password that is stored in a recoverable format.
CVE-2018-5446 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.9.
In addition, the affected product’s software deployment network contains a directory traversal vulnerability that could allow an attacker to read files on the system.
CVE-2018-5448 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.8.
No known public exploits specifically target these vulnerabilities. These vulnerabilities could not be exploited remotely. An attacker with high skill would be able to exploit these vulnerabilities.
Medtronic has assessed the vulnerabilities and determined that no new potential safety risks were identified. In order to enhance system security, Medtronic added periodic integrity checks for files associated with the software deployment network. Additionally, Medtronic has developed server-side security changes that further enhance security. Medtronic said they will not be issuing a product update; however, Medtronic has identified compensating controls within this advisory to reduce the risk of exploitation and reiterates the following from the CareLink 2090 Programmer Reference Manual:
• Maintain good physical controls over the programmer. Having a secure physical environment prevents access to the internals of the programmer.
• Only connect the programmer to managed, secure networks.
• Update the software on the programmer when Medtronic updates are available.
Medtronic released a security bulletin for the 2090 CareLink Programmer, which is available, with contact information.