CVE-2018-5446

Published: May 4, 2018Modified: May 22, 2025

5.3

Vector

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Exploitability: 0.9 / Impact: 4.0

Source: NVD

Description

Medtronic 2090 CareLink Programmer uses a per-product username and password that is stored in a recoverable format.

Affected (1)

Products: Medtronic: 2090 Carelink Programmer Firmware

1 product

2090 Carelink Programmer Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Medtronic 2090 Carelink Programmer Firmware	All versions

Running on/with	Platform Versions
Medtronic 2090 Carelink Programmer	All versions

Related CWEs

Storing Passwords in a Recoverable Format

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (3)

https://global.medtronic.com/xg-en/product-security/security-bulletins/carelink-2090-29901.html

Source: ics-cert@hq.dhs.gov

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-058-01

Source: ics-cert@hq.dhs.gov

https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-01

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.