Medtronic has an update to a previous series of vulnerabilities in its 2090 CareLink Programmer, according to a report with NCCIC.
The vulnerabilities, discovered by researchers Billy Rios and Jonathan Butts of Whitescope LLC, are storing passwords in a recoverable format, relative path traversal, and improper restriction of a communication channel to intended endpoints. This updated advisory is a follow-up to the original advisory released Feb. 27.
Successful exploitation of these vulnerabilities may allow an attacker with physical access to a 2090 Programmer to obtain per-product credentials to the software deployment network. These credentials grant access to the software deployment network, but access is limited to read-only versions of device software applications.
Additionally, successful exploitation of these vulnerabilities may allow an attacker with local network access to influence communications between the Programmer and the software deployment network.
All versions of the 2090 CareLink Programmer, a device used by trained personnel at hospitals and clinics to program and manage Medtronic cardiac devices, suffer from the issues.
In one vulnerability, the affected product uses a per-product username and password stored in a recoverable format.
CVE-2018-5446 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.9.
In addition, the affected product’s software deployment network contains a directory traversal vulnerability that could allow an attacker to read files on the system.
CVE-2018-5448 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.8.
Also, the affected product uses a virtual private network connection to securely download updates. The product does not verify it is still connected to this virtual private network before downloading updates. An attacker with local network access to the programmer could influence these communications.
CVE-2018-10596 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.1.
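The VPN issue above is a missing precondition check: the download proceeds even after the tunnel has dropped and traffic has fallen back to the plain local network. The following is an added illustration, not Medtronic's code, of how an update client can gate the transfer on the update server still being routed over the VPN interface and then verify the downloaded file's integrity before accepting it. The routing table, interface names, package bytes and the `download` callable are constructed placeholders.

```python
import hashlib
import ipaddress

# Constructed routing table (hypothetical); a real client would read it from the OS.
# Each entry: (destination network, outgoing interface).
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),       # default route: plain LAN
    (ipaddress.ip_network("10.200.0.0/16"), "tun0"),   # update servers reached via VPN
]
VPN_IFACE = "tun0"

# Constructed update package and its known-good digest (stands in for a vendor-published hash).
PACKAGE = b"constructed update package bytes v1.0"
PACKAGE_SHA256 = hashlib.sha256(PACKAGE).hexdigest()


def route_for(dest, routes):
    """Longest-prefix match: return the interface that would carry traffic to dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def fetch_update(dest, routes, vpn_up, download, expected_sha256):
    """Download an update only while the path to the server is still the VPN tunnel,
    then verify the file's SHA-256 before accepting it.

    `download` is a hypothetical callable standing in for the real transfer.
    Returns (status, detail) so callers can log why a transfer was refused.
    """
    if not vpn_up:
        return ("refused", "vpn tunnel is down")
    # If the tunnel dropped, its route is gone and the server now matches the
    # default LAN route; that is exactly the state in which downloading is unsafe.
    if route_for(dest, routes) != VPN_IFACE:
        return ("refused", "update server is not routed over the VPN")
    data = download(dest)
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256:
        return ("rejected", "integrity check failed")
    return ("accepted", digest)
```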
The product sees use mainly in the healthcare and public health sectors and is deployed globally.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. A high skill level is needed to exploit them.
Dublin, Ireland-based Medtronic assessed the vulnerabilities and determined that no new potential safety risks were identified. In order to enhance system security, Medtronic has added periodic integrity checks for files associated with the software deployment network.
Additionally, Medtronic has developed server-side security changes that further enhance security. Medtronic reports it will not issue a product update; however, Medtronic identified compensating controls within this advisory to reduce the risk of exploitation and reiterates the following from the CareLink 2090 Programmer Reference Manual:
• Maintain good physical controls over the programmer. Having a secure physical environment prevents access to the internals of the programmer.
• Only connect the programmer to managed, secure networks.
• Update the software on the programmer when Medtronic updates are available.
In addition, disconnect the programmer from the network. Network connectivity is not required for normal programmer operation.
Offline updates are available. Contact your Medtronic representative for more information.
Medtronic released a security bulletin for the 2090 CareLink Programmer, which is available and includes contact information.