Vulnerability Description
Medtronic MiniMed MMT devices when paired with a remote controller and having the “easy bolus” and “remote bolus” options enabled (non-default), are vulnerable to a capture-replay attack. An attacker can capture the wireless transmissions between the remote controller and the pump and replay them to cause an insulin (bolus) delivery.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Medtronicdiabetes | 508 Minimed Insulin Pump Firmware | - |
| Medtronicdiabetes | 508 Minimed Insulin Pump | - |
| Medtronicdiabetes | 522 Paradigm Real-Time Firmware | - |
| Medtronicdiabetes | 522 Paradigm Real-Time | - |
| Medtronicdiabetes | 722 Paradigm Real-Time Firmware | - |
| Medtronicdiabetes | 722 Paradigm Real-Time | - |
| Medtronicdiabetes | 523 Paradigm Revel Firmware | - |
| Medtronicdiabetes | 523 Paradigm Revel | - |
| Medtronicdiabetes | 723 Paradigm Revel Firmware | - |
| Medtronicdiabetes | 723 Paradigm Revel | - |
| Medtronicdiabetes | 523K Paradigm Revel Firmware | - |
| Medtronicdiabetes | 523K Paradigm Revel | - |
| Medtronicdiabetes | 723K Paradigm Revel Firmware | - |
| Medtronicdiabetes | 723K Paradigm Revel | - |
| Medtronicdiabetes | 551 Minimed 530G Firmware | - |
| Medtronicdiabetes | 551 Minimed 530G | - |
| Medtronicdiabetes | 751 Minimed 530G Firmware | - |
| Medtronicdiabetes | 751 Minimed 530G | - |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/105044Third Party AdvisoryVDB Entry
- https://global.medtronic.com/xg-en/product-security/security-bulletins/minimed.h
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-02Third Party AdvisoryUS Government Resource
- http://www.securityfocus.com/bid/105044Third Party AdvisoryVDB Entry
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-02Third Party AdvisoryUS Government Resource
FAQ
What is CVE-2018-14781?
CVE-2018-14781 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Medtronic MiniMed MMT devices when paired with a remote controller and having the “easy bolus” and “remote bolus” options enabled (non-default), are vulnerable to a capture-replay attack. An attacke...
How severe is CVE-2018-14781?
CVE-2018-14781 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-14781?
Check the references section above for vendor advisories and patch information. Affected products include: Medtronicdiabetes 508 Minimed Insulin Pump Firmware, Medtronicdiabetes 508 Minimed Insulin Pump, Medtronicdiabetes 522 Paradigm Real-Time Firmware, Medtronicdiabetes 522 Paradigm Real-Time, Medtronicdiabetes 722 Paradigm Real-Time Firmware.