CVE-2018-5446 - Vulnerability Details - OpenCVE

Medtronic 2090 CareLink Programmer uses a per-product username and password that is stored in a recoverable format.

No CVSS v4.0

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Medtronic	2090 Carelink Programmer 2090 Carelink Programmer Firmware

Configuration 1 [-]

AND

cpe:2.3:o:medtronic:2090_carelink_programmer_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:2090_carelink_programmer:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://global.medtronic.com/xg-en/product-security/security-bulletins/carelink-2090-29901.html
https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-01
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-058-01

History

Thu, 22 May 2025 18:00:00 +0000

Type	Values Removed	Values Added
Description	All versions of the Medtronic 2090 Carelink Programmer are affected by a per-product username and password that is stored in a recoverable format which could allow an attacker with physical access to a 2090 Programmer to obtain per-product credentials to the software deployment network.	Medtronic 2090 CareLink Programmer uses a per-product username and password that is stored in a recoverable format.
Title		Medtronic 2090 Carelink Programmer Storing Passwords in a Recoverable Format
References		https://global.medtronic.com/xg-en/product-security/security-bulletins/carelink-2090-29901.html https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-058-01
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2018-05-04T18:00:00Z

Updated: 2025-05-22T17:40:34.569Z

Reserved: 2018-01-12T00:00:00

Link: CVE-2018-5446

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-05-04T18:29:00.523

Modified: 2025-05-22T18:15:22.840

Link: CVE-2018-5446

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "2090 CareLink Programmer", "vendor": "Medtronic", "versions": [{"status": "affected", "version": "All versions"}]}, {"defaultStatus": "unaffected", "product": "29901 Encore Programmer", "vendor": "Medtronic", "versions": [{"status": "affected", "version": "All versions"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Billy Rios and Jonathan Butts of Whitescope LLC identified these vulnerabilities and reported them to CISA."}], "datePublic": "2018-06-29T06:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Medtronic 2090 CareLink Programmer \n\n<span style=\"background-color: rgb(255, 255, 255);\">uses a per-product username and password that is stored in a recoverable format. </span>\n\n\n\n</p>"}], "value": "Medtronic 2090 CareLink Programmer \n\nuses a per-product username and password that is stored in a recoverable format."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-257", "description": "CWE-257", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-05-22T17:40:34.569Z"}, "references": [{"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/carelink-2090-29901.html"}, {"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-058-01"}], "source": {"advisory": "ICSMA-18-058-01", "discovery": "EXTERNAL"}, "title": "Medtronic 2090 Carelink Programmer Storing Passwords in a Recoverable Format", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Medtronic has assessed the vulnerabilities and determined that no new potential safety risks were identified. In order to enhance system security, Medtronic has added periodic integrity checks for files associated with the software deployment network. Additionally, Medtronic has developed server-side security changes that further enhance security. Medtronic reports that they will not be issuing a product update; however, Medtronic has identified compensating controls within this advisory to reduce the risk of exploitation and reiterates the following from the CareLink 2090 Programmer Reference Manual:</p><ul><li>Maintain good physical controls over the programmer. Having a secure physical environment prevents access to the internals of the programmer.</li><li>Only connect the programmer to managed, secure networks.</li><li>Update the software on the programmer when Medtronic updates are available.</li><li>Alternatively, disconnect the programmer from the network. Network connectivity is not required for normal programmer operation. </li><li>Offline updates are available, contact your Medtronic representative for more information.</li></ul><p>Medtronic has deployed mitigating patches to address the reported vulnerabilities. Medtronic has also stated that they have increased security controls associated with these vulnerabilities. As a result of the available mitigating patches, Medtronic has re-enabled the network-based software update mechanism.</p><p>Medtronic has stated that the patch for affected products can be obtained by contacting Medtronic Technical Services at 800\u2011638\u20111991.<br></p><p>After additional review and risk evaluation of the affected products, Medtronic has disabled the network-based software update mechanism, including both the VPN and the HTTP subservices, as an immediate security mitigation. Users should not attempt to update the affected products over the network as this update mechanism is vulnerable to the attack described in section 4.2.3. Medtronic will continue to implement and deploy increased security protections and mitigations to address the vulnerabilities in this advisory.</p><p>Users should still obtain and apply updates via controlled USB dongles and should contact their Medtronic representative for more information.</p><p>Medtronic recommends that affected products continue to be used for their intended purpose in the previously described manner.<br><br>Medtronic has released a security bulletin for the <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\">2090 CareLink Programmer</a>.</p>\n\n<br>"}], "value": "Medtronic has assessed the vulnerabilities and determined that no new potential safety risks were identified. In order to enhance system security, Medtronic has added periodic integrity checks for files associated with the software deployment network. Additionally, Medtronic has developed server-side security changes that further enhance security. Medtronic reports that they will not be issuing a product update; however, Medtronic has identified compensating controls within this advisory to reduce the risk of exploitation and reiterates the following from the CareLink 2090 Programmer Reference Manual:\n\n * Maintain good physical controls over the programmer. Having a secure physical environment prevents access to the internals of the programmer.\n * Only connect the programmer to managed, secure networks.\n * Update the software on the programmer when Medtronic updates are available.\n * Alternatively, disconnect the programmer from the network. Network connectivity is not required for normal programmer operation. \n * Offline updates are available, contact your Medtronic representative for more information.\n\n\nMedtronic has deployed mitigating patches to address the reported vulnerabilities. Medtronic has also stated that they have increased security controls associated with these vulnerabilities. As a result of the available mitigating patches, Medtronic has re-enabled the network-based software update mechanism.\n\nMedtronic has stated that the patch for affected products can be obtained by contacting Medtronic Technical Services at 800\u2011638\u20111991.\n\n\nAfter additional review and risk evaluation of the affected products, Medtronic has disabled the network-based software update mechanism, including both the VPN and the HTTP subservices, as an immediate security mitigation. Users should not attempt to update the affected products over the network as this update mechanism is vulnerable to the attack described in section 4.2.3. Medtronic will continue to implement and deploy increased security protections and mitigations to address the vulnerabilities in this advisory.\n\nUsers should still obtain and apply updates via controlled USB dongles and should contact their Medtronic representative for more information.\n\nMedtronic recommends that affected products continue to be used for their intended purpose in the previously described manner.\n\nMedtronic has released a security bulletin for the 2090 CareLink Programmer https://www.medtronic.com/security ."}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2018-06-29T00:00:00", "ID": "CVE-2018-10596", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Medtronic 2090 CareLink Programmer", "version": {"version_data": [{"version_value": "2090 CareLink Programmer, all versions."}]}}]}, "vendor_name": "ICS-CERT"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Medtronic 2090 CareLink Programmer all versions The affected product uses a virtual private network connection to securely download updates. The product does not verify it is still connected to this virtual private network before downloading updates. An attacker with local network access to the programmer could influence these communications."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "IMPROPER RESTRICTION OF COMMUNICATION CHANNEL TO INTENDED ENDPOINTS CWE-923"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T05:33:44.403Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2018-5446", "datePublished": "2018-05-04T18:00:00Z", "dateReserved": "2018-01-12T00:00:00", "dateUpdated": "2025-05-22T17:40:34.569Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:2090_carelink_programmer_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "884B08DC-B6F9-4B34-9679-61C256437DF9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:2090_carelink_programmer:-:*:*:*:*:*:*:*", "matchCriteriaId": "215ED381-B433-4D05-97AD-4E7287E5820D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Medtronic 2090 CareLink Programmer \n\nuses a per-product username and password that is stored in a recoverable format."}, {"lang": "es", "value": "Todas las versiones de Medtronic 2090 Carelink Programmer se han visto afectadas por un nombre de usuario y una contrase\u00f1a per-product que est\u00e1n almacenadas en un formato recuperable que podr\u00eda permitir que un atacante con acceso f\u00edsico a un 090 Programmer obtenga credenciales per-product para la red de despliegue del software."}], "id": "CVE-2018-5446", "lastModified": "2025-05-22T18:15:22.840", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 4.0, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2018-05-04T18:29:00.523", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/carelink-2090-29901.html"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-058-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-257"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}