Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2019-18252 (GCVE-0-2019-18252)
Vulnerability from cvelistv5 – Published: 2020-06-29 13:58 – Updated: 2024-08-05 01:47
VLAI
EPSS
Summary
BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure.
Severity
No CVSS data available.
CWE
- CWE-287 - IMPROPER AUTHENTICATION CWE-287
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.us-cert.gov/ics/advisories/icsma-20-170-05 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | BIOTRONIK CardioMessenger II-S T-Line, CardioMessenger II-S GSM |
Affected:
CardioMessenger II-S T-Line T4APP 2.20, CardioMessenger II-S GSM T4APP 2.20
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.154Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BIOTRONIK CardioMessenger II-S T-Line, CardioMessenger II-S GSM",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "CardioMessenger II-S T-Line T4APP 2.20, CardioMessenger II-S GSM T4APP 2.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "IMPROPER AUTHENTICATION CWE-287",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-29T13:58:25.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18252",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BIOTRONIK CardioMessenger II-S T-Line, CardioMessenger II-S GSM",
"version": {
"version_data": [
{
"version_value": "CardioMessenger II-S T-Line T4APP 2.20, CardioMessenger II-S GSM T4APP 2.20"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER AUTHENTICATION CWE-287"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18252",
"datePublished": "2020-06-29T13:58:25.000Z",
"dateReserved": "2019-10-22T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:47:14.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2019-18252",
"date": "2026-05-25",
"epss": "0.00049",
"percentile": "0.15165"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-18252\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2020-06-29T14:15:10.367\",\"lastModified\":\"2024-11-21T04:32:55.493\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure.\"},{\"lang\":\"es\",\"value\":\"BIOTRONIK CardioMessenger II, los productos afectados permiten la reutilizaci\u00f3n de credenciales para m\u00faltiples prop\u00f3sitos de autenticaci\u00f3n. Un atacante con acceso adyacente al CardioMessenger puede revelar sus credenciales usadas para conectarse a la infraestructura de Comunicaci\u00f3n Remota de BIOTRONIK\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:A/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":3.3,\"accessVector\":\"ADJACENT_NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.5,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:biotronik:cardiomessenger_ii-s_gsm_firmware:2.20:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"746B6724-81BF-4B3C-A8D0-1500CEF4C33D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:biotronik:cardiomessenger_ii-s_gsm:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FB7CF213-9936-4A82-A06A-78126882B79C\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:biotronik:cardiomessenger_ii-s_t-line_firmware:2.20:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED47244B-1693-43BC-B01A-79200CEF6B93\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:biotronik:cardiomessenger_ii-s_t-line:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C75B7151-1853-4573-B20D-0AC269C30D6F\"}]}]}],\"references\":[{\"url\":\"https://www.us-cert.gov/ics/advisories/icsma-20-170-05\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.us-cert.gov/ics/advisories/icsma-20-170-05\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
}
}
CNVD-2020-52056
Vulnerability from cnvd - Published: 2020-09-15
VLAI
Title
BIOTRONIK CardioMessenger II-S授权问题漏洞(CNVD-2020-52056)
Description
Biotronik CardioMessenger II-S是德国Biotronik公司的一款便携式医疗监控设备。
Biotronik CardioMessenger II-S T-Line T4APP 2.20版本和II-S GSM T4APP 2.20版本中存在授权问题漏洞,该漏洞源于程序为多个身份验证使用了相同的凭证。攻击者可利用该漏洞泄露用户凭据,连接到Biotronik Remote Communication设备。
Severity
低
Formal description
厂商尚未提供漏洞修复方案,请关注厂商主页更新: https://www.biotronik.com/
Reference
https://www.us-cert.gov/ics/advisories/icsma-20-170-05
Impacted products
| Name | ['BIOTRONIK CardioMessenger II-S T-Line T4APP 2.20', 'BIOTRONIK CardioMessenger II-S GSM T4APP 2.20'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2019-18252"
}
},
"description": "Biotronik CardioMessenger II-S\u662f\u5fb7\u56fdBiotronik\u516c\u53f8\u7684\u4e00\u6b3e\u4fbf\u643a\u5f0f\u533b\u7597\u76d1\u63a7\u8bbe\u5907\u3002\n\nBiotronik CardioMessenger II-S T-Line T4APP 2.20\u7248\u672c\u548cII-S GSM T4APP 2.20\u7248\u672c\u4e2d\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4e3a\u591a\u4e2a\u8eab\u4efd\u9a8c\u8bc1\u4f7f\u7528\u4e86\u76f8\u540c\u7684\u51ed\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6cc4\u9732\u7528\u6237\u51ed\u636e\uff0c\u8fde\u63a5\u5230Biotronik Remote Communication\u8bbe\u5907\u3002",
"formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.biotronik.com/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2020-52056",
"openTime": "2020-09-15",
"products": {
"product": [
"BIOTRONIK CardioMessenger II-S T-Line T4APP 2.20",
"BIOTRONIK CardioMessenger II-S GSM T4APP 2.20"
]
},
"referenceLink": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05",
"serverity": "\u4f4e",
"submitTime": "2020-06-19",
"title": "BIOTRONIK CardioMessenger II-S\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2020-52056\uff09"
}
FKIE_CVE-2019-18252
Vulnerability from fkie_nvd - Published: 2020-06-29 14:15 - Updated: 2024-11-21 04:32
Severity
Summary
BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.us-cert.gov/ics/advisories/icsma-20-170-05 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.us-cert.gov/ics/advisories/icsma-20-170-05 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| biotronik | cardiomessenger_ii-s_gsm_firmware | 2.20 | |
| biotronik | cardiomessenger_ii-s_gsm | - | |
| biotronik | cardiomessenger_ii-s_t-line_firmware | 2.20 | |
| biotronik | cardiomessenger_ii-s_t-line | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:biotronik:cardiomessenger_ii-s_gsm_firmware:2.20:*:*:*:*:*:*:*",
"matchCriteriaId": "746B6724-81BF-4B3C-A8D0-1500CEF4C33D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:biotronik:cardiomessenger_ii-s_gsm:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FB7CF213-9936-4A82-A06A-78126882B79C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:biotronik:cardiomessenger_ii-s_t-line_firmware:2.20:*:*:*:*:*:*:*",
"matchCriteriaId": "ED47244B-1693-43BC-B01A-79200CEF6B93",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:biotronik:cardiomessenger_ii-s_t-line:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C75B7151-1853-4573-B20D-0AC269C30D6F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure."
},
{
"lang": "es",
"value": "BIOTRONIK CardioMessenger II, los productos afectados permiten la reutilizaci\u00f3n de credenciales para m\u00faltiples prop\u00f3sitos de autenticaci\u00f3n. Un atacante con acceso adyacente al CardioMessenger puede revelar sus credenciales usadas para conectarse a la infraestructura de Comunicaci\u00f3n Remota de BIOTRONIK"
}
],
"id": "CVE-2019-18252",
"lastModified": "2024-11-21T04:32:55.493",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-29T14:15:10.367",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-2F8F-GW52-M98C
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2022-05-24 17:21
VLAI
Details
BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure.
{
"affected": [],
"aliases": [
"CVE-2019-18252"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-29T14:15:00Z",
"severity": "LOW"
},
"details": "BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure.",
"id": "GHSA-2f8f-gw52-m98c",
"modified": "2022-05-24T17:21:57Z",
"published": "2022-05-24T17:21:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18252"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05"
}
],
"schema_version": "1.4.0",
"severity": []
}
GSD-2019-18252
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-18252",
"description": "BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure.",
"id": "GSD-2019-18252"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-18252"
],
"details": "BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure.",
"id": "GSD-2019-18252",
"modified": "2023-12-13T01:23:50.415608Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18252",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BIOTRONIK CardioMessenger II-S T-Line, CardioMessenger II-S GSM",
"version": {
"version_data": [
{
"version_value": "CardioMessenger II-S T-Line T4APP 2.20, CardioMessenger II-S GSM T4APP 2.20"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER AUTHENTICATION CWE-287"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:biotronik:cardiomessenger_ii-s_gsm_firmware:2.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:biotronik:cardiomessenger_ii-s_gsm:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:biotronik:cardiomessenger_ii-s_t-line_firmware:2.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:biotronik:cardiomessenger_ii-s_t-line:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18252"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05",
"refsource": "MISC",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4
}
},
"lastModifiedDate": "2021-04-06T17:16Z",
"publishedDate": "2020-06-29T14:15Z"
}
}
}
ICSMA-20-170-05
Vulnerability from csaf_cisa - Published: 2020-06-18 00:00 - Updated: 2020-06-18 00:00Summary
BIOTRONIK CardioMessenger II
Notes
CISA Disclaimer: This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice: All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation: Successful exploitation of these vulnerabilities could allow an attacker with physical access to the CardioMessenger to obtain sensitive data, obtain transmitted medical data from implanted cardiac devices with the implant 's serial number or impact Cardio Messenger II product functionality. Successful exploitation of these vulnerabilities could allow an attacker with adjacent access to influence communications between the Home Monitoring Unit (HMU) and the Access Point Name (APN) gateway network.
Critical infrastructure sectors: Healthcare and Public Health
Countries/areas deployed: Worldwide
Company headquarters location: Germany
Recommended Practices: CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Recommended Practices: CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices: Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
Exploitability: No known public exploits specifically target these vulnerabilities.
4.3 (Medium)
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
CardioMessenger II-S T-Line T4APP: 2.20
BIOTRONIK / CardioMessenger II-S T-Line T4APP
|
2.2 |
Vendor Fix
|
|
|
CardioMessenger II-S GSM T4APP: 2.20
BIOTRONIK / CardioMessenger II-S GSM T4APP
|
2.2 |
Vendor Fix
|
4.3 (Medium)
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
CardioMessenger II-S T-Line T4APP: 2.20
BIOTRONIK / CardioMessenger II-S T-Line T4APP
|
2.2 |
Vendor Fix
|
|
|
CardioMessenger II-S GSM T4APP: 2.20
BIOTRONIK / CardioMessenger II-S GSM T4APP
|
2.2 |
Vendor Fix
|
4.3 (Medium)
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
CardioMessenger II-S T-Line T4APP: 2.20
BIOTRONIK / CardioMessenger II-S T-Line T4APP
|
2.2 |
Vendor Fix
|
|
|
CardioMessenger II-S GSM T4APP: 2.20
BIOTRONIK / CardioMessenger II-S GSM T4APP
|
2.2 |
Vendor Fix
|
4.6 (Medium)
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
CardioMessenger II-S T-Line T4APP: 2.20
BIOTRONIK / CardioMessenger II-S T-Line T4APP
|
2.2 |
Vendor Fix
|
|
|
CardioMessenger II-S GSM T4APP: 2.20
BIOTRONIK / CardioMessenger II-S GSM T4APP
|
2.2 |
Vendor Fix
|
4.6 (Medium)
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
CardioMessenger II-S T-Line T4APP: 2.20
BIOTRONIK / CardioMessenger II-S T-Line T4APP
|
2.2 |
Vendor Fix
|
|
|
CardioMessenger II-S GSM T4APP: 2.20
BIOTRONIK / CardioMessenger II-S GSM T4APP
|
2.2 |
Vendor Fix
|
References
12 references
Acknowledgments
Guillaume Bour
Anniken Wium Lie
Marie Moe
{
"document": {
"acknowledgments": [
{
"names": [
"Guillaume Bour",
"Anniken Wium Lie",
"Marie Moe"
],
"summary": "reporting these vulnerabilities to CISA"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of these vulnerabilities could allow an attacker with physical access to the CardioMessenger to obtain sensitive data, obtain transmitted medical data from implanted cardiac devices with the implant \u0027s serial number or impact Cardio Messenger II product functionality. Successful exploitation of these vulnerabilities could allow an attacker with adjacent access to influence communications between the Home Monitoring Unit (HMU) and the Access Point Name (APN) gateway network.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Healthcare and Public Health",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Germany",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "No known public exploits specifically target these vulnerabilities.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSMA-20-170-05 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsma-20-170-05.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSMA-20-170-05 Web Version",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-170-05"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.fda.gov/medical-devices/digital-health/cybersecurity"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "BIOTRONIK CardioMessenger II",
"tracking": {
"current_release_date": "2020-06-18T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSMA-20-170-05",
"initial_release_date": "2020-06-18T00:00:00.000000Z",
"revision_history": [
{
"date": "2020-06-18T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSMA-20-170-05 BIOTRONIK Cardio Messenger II"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.2",
"product": {
"name": "CardioMessenger II-S T-Line T4APP: 2.20",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "CardioMessenger II-S T-Line T4APP"
},
{
"branches": [
{
"category": "product_version",
"name": "2.2",
"product": {
"name": "CardioMessenger II-S GSM T4APP: 2.20",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "CardioMessenger II-S GSM T4APP"
}
],
"category": "vendor",
"name": "BIOTRONIK"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-18246",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "summary",
"text": "The affected products do not properly enforce mutual authentication with the BIOTRONIK Remote Communication infrastructure. CVE-2019-18246 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18246"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "BIOTRONIK reports they will not be issuing a product security update; however, BIOTRONIK has identified compensating controls which have been put place that reduce the risk of exploitation and prevent patient safety risks. BIOTRONIK assessed these vulnerabilities and determined no new potential safety risks exist.\nBIOTRONIK recommends users take the following defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2019-18248",
"cwe": {
"id": "CWE-319",
"name": "Cleartext Transmission of Sensitive Information"
},
"notes": [
{
"category": "summary",
"text": "The affected products transmit credentials in cleartext prior to switching to an encrypted communication channel. An attacker can disclose the product \u0027s client credentials for connecting to the BIOTRONIK Remote Communication infrastructure.CVE-2019-18248 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18248"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "BIOTRONIK reports they will not be issuing a product security update; however, BIOTRONIK has identified compensating controls which have been put place that reduce the risk of exploitation and prevent patient safety risks. BIOTRONIK assessed these vulnerabilities and determined no new potential safety risks exist.\nBIOTRONIK recommends users take the following defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2019-18252",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "summary",
"text": "The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure.CVE-2019-18252 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18252"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "BIOTRONIK reports they will not be issuing a product security update; however, BIOTRONIK has identified compensating controls which have been put place that reduce the risk of exploitation and prevent patient safety risks. BIOTRONIK assessed these vulnerabilities and determined no new potential safety risks exist.\nBIOTRONIK recommends users take the following defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2019-18254",
"cwe": {
"id": "CWE-311",
"name": "Missing Encryption of Sensitive Data"
},
"notes": [
{
"category": "summary",
"text": "The affected products do not encrypt sensitive information while at rest. An attacker with physical access to the CardioMessenger can disclose medical measurement data and the serial number from the implanted cardiac device the CardioMessenger is paired with.CVE-2019-18254 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18254"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "BIOTRONIK reports they will not be issuing a product security update; however, BIOTRONIK has identified compensating controls which have been put place that reduce the risk of exploitation and prevent patient safety risks. BIOTRONIK assessed these vulnerabilities and determined no new potential safety risks exist.\nBIOTRONIK recommends users take the following defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
},
{
"cve": "CVE-2019-18256",
"cwe": {
"id": "CWE-257",
"name": "Storing Passwords in a Recoverable Format"
},
"notes": [
{
"category": "summary",
"text": "The affected products use individual per-device credentials that are stored in a recoverable format. An attacker with physical access to the CardioMessenger can use these credentials for network authentication and decryption of local data in transit.CVE-2019-18256 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18256"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "BIOTRONIK reports they will not be issuing a product security update; however, BIOTRONIK has identified compensating controls which have been put place that reduce the risk of exploitation and prevent patient safety risks. BIOTRONIK assessed these vulnerabilities and determined no new potential safety risks exist.\nBIOTRONIK recommends users take the following defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
}
]
}
VAR-202006-0827
Vulnerability from variot - Updated: 2024-11-23 22:29BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure. BIOTRONIK CardioMessenger II There is an authentication vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Biotronik CardioMessenger II-S is a portable medical monitoring device of German Biotronik company. It is mainly used to monitor implantable devices such as cardiac pacemakers. The Biotronik CardioMessenger II-S T-Line T4APP version 2.20 and II-S GSM T4APP version 2.20 have an authorization issue vulnerability that results from the program using the same credentials for multiple authentications
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202006-0827",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "cardiomessenger ii-s t-line",
"scope": "eq",
"trust": 1.0,
"vendor": "biotronik",
"version": "2.20"
},
{
"model": "cardiomessenger ii-s gsm",
"scope": "eq",
"trust": 1.0,
"vendor": "biotronik",
"version": "2.20"
},
{
"model": "cardiomessenger ii-s gsm",
"scope": null,
"trust": 0.8,
"vendor": "biotronik",
"version": null
},
{
"model": "cardiomessenger ii-s t-line",
"scope": null,
"trust": 0.8,
"vendor": "biotronik",
"version": null
},
{
"model": "cardiomessenger ii-s t-line t4app",
"scope": "eq",
"trust": 0.6,
"vendor": "biotronik",
"version": "2.20"
},
{
"model": "cardiomessenger ii-s gsm t4app",
"scope": "eq",
"trust": 0.6,
"vendor": "biotronik",
"version": "2.20"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52056"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-015751"
},
{
"db": "NVD",
"id": "CVE-2019-18252"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:biotronik:cardiomessenger_ii-s_gsm_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:biotronik:cardiomessenger_ii-s_t-line_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-015751"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Guillaume Bour,Marie Moe,Anniken Wium Lie",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202006-1217"
}
],
"trust": 0.6
},
"cve": "CVE-2019-18252",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 6.5,
"id": "CVE-2019-18252",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 1.0,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Adjacent Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 3.3,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "JVNDB-2019-015751",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Low",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 6.5,
"id": "CNVD-2020-52056",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 0.6,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "ADJACENT",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"id": "CVE-2019-18252",
"impactScore": 1.4,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Adjacent Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2019-015751",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-18252",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "JVNDB-2019-015751",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2020-52056",
"trust": 0.6,
"value": "LOW"
},
{
"author": "CNNVD",
"id": "CNNVD-202006-1217",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52056"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-015751"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1217"
},
{
"db": "NVD",
"id": "CVE-2019-18252"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure. BIOTRONIK CardioMessenger II There is an authentication vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Biotronik CardioMessenger II-S is a portable medical monitoring device of German Biotronik company. It is mainly used to monitor implantable devices such as cardiac pacemakers. \nThe Biotronik CardioMessenger II-S T-Line T4APP version 2.20 and II-S GSM T4APP version 2.20 have an authorization issue vulnerability that results from the program using the same credentials for multiple authentications",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-18252"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-015751"
},
{
"db": "CNVD",
"id": "CNVD-2020-52056"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1217"
}
],
"trust": 2.7
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "ICS CERT",
"id": "ICSMA-20-170-05",
"trust": 3.0
},
{
"db": "NVD",
"id": "CVE-2019-18252",
"trust": 3.0
},
{
"db": "JVN",
"id": "JVNVU97042917",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2019-015751",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2020-52056",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2144",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "47307",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1217",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52056"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-015751"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1217"
},
{
"db": "NVD",
"id": "CVE-2019-18252"
}
]
},
"id": "VAR-202006-0827",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52056"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52056"
}
]
},
"last_update_date": "2024-11-23T22:29:36.043000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.biotronik.com/en-de"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-015751"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-287",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-015751"
},
{
"db": "NVD",
"id": "CVE-2019-18252"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.2,
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-18252"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18252"
},
{
"trust": 0.8,
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-170-05"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu97042917/index.html"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/47307"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2144/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-52056"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-015751"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1217"
},
{
"db": "NVD",
"id": "CVE-2019-18252"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2020-52056"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-015751"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1217"
},
{
"db": "NVD",
"id": "CVE-2019-18252"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-09-15T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-52056"
},
{
"date": "2020-08-14T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-015751"
},
{
"date": "2020-06-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202006-1217"
},
{
"date": "2020-06-29T14:15:10.367000",
"db": "NVD",
"id": "CVE-2019-18252"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-02-23T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-52056"
},
{
"date": "2020-08-14T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-015751"
},
{
"date": "2021-04-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202006-1217"
},
{
"date": "2024-11-21T04:32:55.493000",
"db": "NVD",
"id": "CVE-2019-18252"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote or local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202006-1217"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "BIOTRONIK CardioMessenger II Authentication vulnerabilities in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-015751"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202006-1217"
}
],
"trust": 0.6
}
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…