Medtronic 2090 Carelink Programmer Vulnerabilities (Update C)

MonitorCVSS 7.1ICS-CERT ICSMA-18-058-01Feb 27, 2018

Medtronic

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityHigh

User InteractionRequired

Summary

Vulnerabilities in the Medtronic 2090 CareLink Programmer and 29901 Encore Programmer allow an attacker with physical access to extract embedded credentials that provide access to Medtronic's software deployment network. These credentials currently grant read-only access to device software applications. The vulnerabilities affect file integrity and credential management. Medtronic has determined no new safety risks were identified. The vendor will not issue product updates but has disabled the network-based software update mechanism and implemented server-side security changes as mitigations.

What this means

What could happen

An attacker with physical access to the programmer could extract credentials used to access Medtronic's software deployment network, potentially enabling unauthorized software download or deployment. While currently limited to read-only access, this could compromise the integrity of device software updates.

Who's at risk

Medical device technicians and biomedical engineers at hospitals and cardiac care centers who deploy and maintain Medtronic 2090 CareLink Programmers and 29901 Encore Programmers used for patient device programming and monitoring.

How it could be exploited

An attacker with physical access to a 2090 or Encore programmer can extract embedded credentials from the device that provide access to Medtronic's software deployment network. The attacker uses these credentials to authenticate to the deployment system, gaining read-only access to device software repositories.

Prerequisites

Physical access to the 2090 CareLink Programmer or 29901 Encore Programmer device
Knowledge of credential extraction techniques
Network access to Medtronic's software deployment network

No patch availableRequires physical access (reduces risk)Affects medical device update infrastructureCredentials could enable unauthorized software access

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

2090 CareLink Programmer: all versionsAll versionsNo fix (EOL)

29901 Encore Programmer: all versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDDisable network-based software update mechanisms (VPN and HTTP subservices) on affected programmers

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

WORKAROUNDObtain and apply security updates only via controlled USB dongles from Medtronic Technical Services (contact 800-638-1991)

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: 2090 CareLink Programmer: all versions, 29901 Encore Programmer: all versions. Apply the following compensating controls:

HARDENINGImplement physical access controls to limit unauthorized handling of 2090 and Encore programmers

HARDENINGRestrict network access to devices to ensure they cannot reach external networks without authorization

CVEs (3)

CVE-2018-5446 CVE-2018-5448 CVE-2018-10596

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/78a21613-92ed-4e3f-83e5-3efff1cf4b08

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.