CVE-2019-10964 — HIGH (7.1)

Vulnerability Description

Medtronic MiniMed Insulin Pumps are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Medtronic	Minimed 508 Firmware	All versions
Medtronic	Minimed 508	-
Medtronic	Minimed Paradigm 511 Firmware	All versions
Medtronic	Minimed Paradigm 511	-
Medtronic	Minimed Paradigm 512 Firmware	All versions
Medtronic	Minimed Paradigm 512	-
Medtronic	Minimed Paradigm 712 Firmware	All versions
Medtronic	Minimed Paradigm 712	-
Medtronic	Minimed Paradigm 712E Firmware	All versions
Medtronic	Minimed Paradigm 712E	-
Medtronic	Minimed Paradigm 515 Firmware	All versions
Medtronic	Minimed Paradigm 515	-
Medtronic	Minimed Paradigm 715 Firmware	All versions
Medtronic	Minimed Paradigm 715	-
Medtronic	Minimed Paradigm 522 Firmware	All versions
Medtronic	Minimed Paradigm 522	-
Medtronic	Minimed Paradigm 722 Firmware	All versions
Medtronic	Minimed Paradigm 722	-
Medtronic	Minimed Paradigm 522K Firmware	All versions
Medtronic	Minimed Paradigm 522K	-

Related Weaknesses (CWE)

CWE-287 CWE-284 CWE-863

References

http://www.securityfocus.com/bid/108926Third Party AdvisoryVDB Entry
https://global.medtronic.com/xg-en/product-security/security-bulletins/minimed-5
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-178-01
http://www.securityfocus.com/bid/108926Third Party AdvisoryVDB Entry
https://www.us-cert.gov/ics/advisories/icsma-19-178-01Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2019-10964?

CVE-2019-10964 is a vulnerability with a CVSS score of 7.1 (HIGH). Medtronic MiniMed Insulin Pumps are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless...

How severe is CVE-2019-10964?

CVE-2019-10964 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-10964?

Check the references section above for vendor advisories and patch information. Affected products include: Medtronic Minimed 508 Firmware, Medtronic Minimed 508, Medtronic Minimed Paradigm 511 Firmware, Medtronic Minimed Paradigm 511, Medtronic Minimed Paradigm 512 Firmware.