Today the DHS ICS-CERT published one control system security
advisory for products from Delta Electronics and two medical device security
advisories for products from Medtronic.
Delta Advisory
This advisory
describes two vulnerabilities in the Delta CNCSoft and ScreenEditor products.
The vulnerabilities were reported by Mat Powell via the Zero Day Initiative. Delta
has an updated version of CNCSoft that mitigates the vulnerabilities. There is
no indication that Powell was provided an opportunity to verify the efficacy of
the fix.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2018-10636; and
• Out-of-bounds read - CVE-2018-10598
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to gain remote code execution with
administrator privileges.
MiniMed Advisory
This advisory
describes two vulnerabilities in the Medtronic MiniMed 508 Insulin Pump. The
vulnerabilities were reported by Billy Rios, Jesse Young, and Jonathan Butts of
Whitescope LLC. Medtronic does not intend to develop a mitigation for these
vulnerabilities (see note below).
The two reported vulnerabilities are:
• Cleartext transmission of sensitive information - CVE-2018-10634; and
• Authentication bypass by capture replay - CVE-2018-14781
ICS-CERT reports that an uncharacterized attacker could
remotely exploit these vulnerabilities to replay captured
wireless communications and cause an insulin (bolus) delivery.
NOTE: The Medtronic security advisory reports that the following must occur
for these vulnerabilities to be exploited:
1. The remote option for the pump would need to be enabled. This is not a
factory-delivered default, and a user must choose this option.
2. The user’s remote controller ID needs to be registered to the pump.
3. The easy bolus option would need to be turned on and easy bolus step size
programmed in the pump.
4. An unauthorized individual would need to be within close proximity to the
user, with necessary equipment to copy the RF signals activated, when the user
is delivering a bolus using the remote controller.
5. The unauthorized individual would need to be within the vicinity of the
user to play back the RF signals to deliver a malicious remote bolus.
6. The user would need to ignore the pump alerts, which indicate that a remote
bolus is being delivered.
MyCareLink Advisory
This advisory
describes two vulnerabilities in the Medtronic MyCareLink Patient Monitor. The
vulnerabilities were reported by Billy Rios, Jesse Young, and Jonathan Butts of
Whitescope LLC. Medtronic is making (has made for one of the vulnerabilities)
server-side updates to mitigate the vulnerabilities. There is no indication
that the researchers have been provided an opportunity to verify the efficacy
of the fix.
The two reported vulnerabilities are:
• Insufficient verification of data authenticity - CVE-2018-10626; and
• Storing passwords in a recoverable format - CVE-2018-10622
ICS-CERT reports that an uncharacterized attacker with
physical access to the device could exploit the vulnerabilities to obtain
per-product credentials that are utilized to authenticate data uploads and
encrypt data at rest. Additionally, an attacker with access to a set of these
credentials and additional identifiers can upload invalid data to the Medtronic
CareLink network.