CVE-2018-8870

Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.

CVSS v3 6.4 MEDIUM
CVSS v2.0 7.2 HIGH

6.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.5 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-6-28-18.html
https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01	Third Party Advisory US Government Resource
https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:medtronic:24950_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:24950_mycarelink_monitor:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:medtronic:24952_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:24952_mycarelink_monitor:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-07-03 01:29

Updated : 2025-05-22 19:15

NVD link : CVE-2018-8870

Mitre link : CVE-2018-8870

CVE.ORG link : CVE-2018-8870

JSON object : View

Products Affected

medtronic

24950_mycarelink_monitor_firmware
24952_mycarelink_monitor_firmware
24952_mycarelink_monitor
24950_mycarelink_monitor

CWE

CWE-259

Use of Hard-coded Password

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2018-8870", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "[email protected]", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": true, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}], "cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.5}]}, "published": "2018-07-03T01:29:01.940", "references": [{"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-6-28-18.html", "source": "[email protected]"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "[email protected]"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-259"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system."}, {"lang": "es", "value": "Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor en todas sus versiones y 24952 MyCareLink Monitor en todas su versiones, contienen una contrase\u00f1a de sistema operativo embebida. Un atacante con acceso f\u00edsico puede retirar la carcasa del dispositivo, conectarse al puerto de depuraci\u00f3n y usar la contrase\u00f1a para obtener acceso privilegiado al sistema operativo."}], "lastModified": "2025-05-22T19:15:22.237", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:24950_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "778EB98D-C77A-4C81-B7AD-848C335B850D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:24950_mycarelink_monitor:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D8F046CD-32D6-44D1-AB08-D81B3942CB78"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:24952_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C9FE79C-C221-4E6B-A687-74A5D7A85EFA"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:24952_mycarelink_monitor:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F2B146EC-2D18-430C-81B5-6F7D4328BB91"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}