CVE-2019-18254

Published: Jun 29, 2020Modified: Nov 21, 2024

4.6

Vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 0.9 / Impact: 3.6

Source: NVD

Description

BIOTRONIK CardioMessenger II, The affected products do not encrypt sensitive information while at rest. An attacker with physical access to the CardioMessenger can disclose medical measurement data and the serial number from the implanted cardiac device the CardioMessenger is paired with.

Affected (2)

Products: Biotronik: Cardiomessenger Ii S Gsm Firmware, Cardiomessenger Ii S T Line Firmware

2 products

Cardiomessenger Ii S Gsm Firmware

Cardiomessenger Ii S T Line Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Biotronik Cardiomessenger Ii S Gsm Firmware	Version 2.20

Running on/with	Platform Versions
Biotronik Cardiomessenger Ii S Gsm	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Biotronik Cardiomessenger Ii S T Line Firmware	Version 2.20

Running on/with	Platform Versions
Biotronik Cardiomessenger Ii S T Line	All versions

Related CWEs

Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

References (2)

https://www.us-cert.gov/ics/advisories/icsma-20-170-05

Source: ics-cert@hq.dhs.gov

Third Party AdvisoryUS Government Resource

https://www.us-cert.gov/ics/advisories/icsma-20-170-05

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.