Endpoint Security , Internet of Things Security , Standards, Regulations & Compliance
Feds, Medtronic Warn of Flaw in Cardiac Device Data Tool
Denial of Service Attack, Remote Code Execution Could Affect Medtronic's Paceart Optima SystemFederal regulators are warning about a vulnerability in medical device maker Medtronic's Paceart Optima System for collecting and managing data from cardiac devices. The flaw, if exploited, could lead to a denial-of-service attack or remote code execution that could affect the system's operations and data.
See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare
CISA, in an advisory issued Thursday, said the deserialization of untrusted data vulnerability identified in Medtronic's Paceart Optima, versions 1.11 and earlier, is exploitable remotely and has a low attack complexity.
Medtronic, which reported the flaw to CISA, also issued a bulletin explaining that the vulnerability is in an optional messaging feature of the Paceart Optima cardiac device data workflow system.
"This feature is not configured by default, and it cannot be exploited unless enabled," Medtronic said.
CISA warned that a malicious actor could exploit the vulnerability to perform remote code execution and/or a DDoS attacks by sending specially crafted messages to the Paceart Optima system.
"Remote code execution could result in the deletion, theft or modification of Paceart Optima system’s cardiac device data, or use of the Paceart Optima system for further network penetration. A DoS attack could cause the Paceart Optima system to slow or be unresponsive," CISA said.
CISA said the vulnerability is tracked as CVE-2023-31222, with a CVSS v3 base score of 9.8.
To address the issues, Medtronic recommends users of the Paceart Optima system update their product to v1.12.
The company also suggested immediate mitigations that users can apply including manually disabling the Paceart Messaging Service on the product's application server and manually disabling message queuing on the application server.
"As long as the Paceart Messaging Service remains disabled, the vulnerability will remain mitigated," Medtronic said.