Rewterz Threat Advisory – CVE-2019-18426 – WhatsApp Bug Allows Malicious Code-Injection
February 6, 2020
Rewterz Threat Alert – MINEBRIDGE Targets Finance Sector
February 7, 2020
Severity
High
Analysis Summary
CVE-2019-6538
The Conexus telemetry protocol utilized within this ecosystem does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.
CVE-2019-6540
The Conexus telemetry protocol utilized within this ecosystem does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.
Impact
- Improper Access Control
- Cleartext Transmission of Sensitive Information
Affected Vendors
Medtronic
Affected Products
- MyCareLink Monitor
- CareLink Monitor
- CareLink 2090 Programmer
- Specific Medtronic implanted cardiac devices
Remediation
For the list of additional affected products, please refer to the ICS advisory: