CVE-2019-6540 — MEDIUM (6.5)

Vulnerability Description

The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Medtronic	Mycarelink Monitor 24950 Firmware	-
Medtronic	Mycarelink Monitor 24950	-
Medtronic	Mycarelink Monitor 24952 Firmware	-
Medtronic	Mycarelink Monitor 24952	-
Medtronic	Carelink Monitor 2490C Firmware	-
Medtronic	Carelink Monitor 2490C	-
Medtronic	Carelink 2090 Firmware	-
Medtronic	Carelink 2090	-
Medtronic	Amplia Crt-D Firmware	-
Medtronic	Amplia Crt-D	-
Medtronic	Claria Crt-D Firmware	-
Medtronic	Claria Crt-D	-
Medtronic	Compia Crt-D Firmware	-
Medtronic	Compia Crt-D	-
Medtronic	Concerto Crt-D Firmware	-
Medtronic	Concerto Crt-D	-
Medtronic	Concerto Ii Crt-D Firmware	-
Medtronic	Concerto Ii Crt-D	-
Medtronic	Consulta Crt-D Firmware	-
Medtronic	Consulta Crt-D	-

Related Weaknesses (CWE)

CWE-319

References

http://www.securityfocus.com/bid/107544Broken Link
https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01Third Party AdvisoryUS Government Resource
http://www.securityfocus.com/bid/107544Broken Link
https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2019-6540?

CVE-2019-6540 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D...

How severe is CVE-2019-6540?

CVE-2019-6540 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-6540?

Check the references section above for vendor advisories and patch information. Affected products include: Medtronic Mycarelink Monitor 24950 Firmware, Medtronic Mycarelink Monitor 24950, Medtronic Mycarelink Monitor 24952 Firmware, Medtronic Mycarelink Monitor 24952, Medtronic Carelink Monitor 2490C Firmware.