MidnightBSD

Advisories for biotronik

CVE-2019-18246 LOW

BIOTRONIK CardioMessenger II: The affected products do not properly enforce mutual authentication with the BIOTRONIK Remote Communication infrastructure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-287

Products Affected

Vendor Product Version
biotronik cardiomessenger_ii-s_t-line_firmware 2.20
biotronik cardiomessenger_ii-s_gsm_firmware 2.20

CVE-2019-18248 LOW

BIOTRONIK CardioMessenger II: The affected products transmit credentials in clear-text prior to switching to an encrypted communication channel. An attacker can disclose the product’s client credentials for connecting to the BIOTRONIK Remote Communication infrastructure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-319

Products Affected

Vendor Product Version
biotronik cardiomessenger_ii-s_t-line_firmware 2.20
biotronik cardiomessenger_ii-s_gsm_firmware 2.20

CVE-2019-18252 LOW

BIOTRONIK CardioMessenger II: The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-287

Products Affected

Vendor Product Version
biotronik cardiomessenger_ii-s_t-line_firmware 2.20
biotronik cardiomessenger_ii-s_gsm_firmware 2.20

CVE-2019-18254 LOW

BIOTRONIK CardioMessenger II: The affected products do not encrypt sensitive information while at rest. An attacker with physical access to the CardioMessenger can disclose medical measurement data and the serial number from the implanted cardiac device the CardioMessenger is paired with.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 0.9 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-311, CWE-312

Products Affected

Vendor Product Version
biotronik cardiomessenger_ii-s_t-line_firmware 2.20
biotronik cardiomessenger_ii-s_gsm_firmware 2.20

CVE-2019-18256 LOW

BIOTRONIK CardioMessenger II: The affected products use individual per-device credentials that are stored in a recoverable format. An attacker with physical access to the CardioMessenger can use these credentials for network authentication and decryption of local data in transit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 0.9 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-257, CWE-522

Products Affected

Vendor Product Version
biotronik cardiomessenger_ii-s_t-line_firmware 2.20
biotronik cardiomessenger_ii-s_gsm_firmware 2.20