Vulnerabilities Identified in Medtronic Valleylab Energy Platform and Electrosurgery Products

Share this article on:

6 vulnerabilities have been identified in the Medtronic Valleylab energy platform and electrosurgery products, including one critical flaw that could allow an attacker to gain access to the Valleylab Energy platform and view/overwrite files and remotely execute arbitrary code.

The vulnerabilities were identified by Medtronic which reported the flaws to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency under its responsible vulnerability disclosure policy.

Four vulnerabilities have been identified in the following Medtronic Valleylab products

  • Valleylab Exchange Client, Version 3.4 and below
  • Valleylab FT10 Energy Platform (VLFT10GEN) software Version 4.0.0 and below
  • Valleylab FX8 Energy Platform (VLFX8GEN) software Version 1.1.0 and below

The critical vulnerability is an improper input validation flaw in the rssh utility, which facilitates file uploads. Exploitation of the vulnerability would allow an attacker to gain administrative access to files, allowing those files to be viewed, altered, or deleted. The flaw could also allow remote execution of arbitrary code.

The flaw has been assigned two CVE codes – CVE-2019-3464 and CVE-2019-3463. A CVSS v3 base score of 9.8 has been calculated for the flaws.

The products also use multiple sets of hard-coded credentials. If those credentials were discovered by an attacker, they could be used to read files on a vulnerable device. This flaw has been assigned the CVSS code – CVE-2019-13543 – and has a CVSS v3 base score of 5.4.

Vulnerable products use a descrypt algorithm for operating system password hashing. If interactive, network-based logons are disabled, combined with the other vulnerabilities, an attacker could obtain local shell access and view these hashes. The flaw – CVE-2019-13539 – has a CVSS v3 base score of 7.0.

Medtronic has released a patch for the FT10 platform, which should be applied as soon as possible. The FX8 platform will be patched in early 2020. Medtronic notes that the above products are supplied with network connections disabled by default and the Ethernet port is disabled on reboot; however, the company is aware that users often enable network connectivity.

Until the patches are applied to correct the flaws, Medtronic advises users to disconnect vulnerable products from IP networks or ensure those networks are segregated and are not accessible over the internet or via other untrusted networks.

Two further vulnerabilities have been identified in the following Medtronic Valleylab energy and electrosurgery products:

  • Valleylab FT10 Energy Platform (VLFT10GEN)
    • Version 2.1.0 and lower and Version 2.0.3 and lower
  • Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States)
    • Version 1.20.2 and lower

The FT10/LS10 Energy Platform incorporates an RFID security mechanism for authentication between the platform and instruments to prevent inauthentic instruments from being used. This security mechanism can be bypassed. The flaw has been assigned the CVE code, CVS-2019-13531, and has a CVSS v3 base score of 4.8.

The RFID security mechanism does not apply read protection, which could allow full read access to RFID security mechanism data. This flaw – CVE-2019-3535 – has a CVSS v3 base score of 4.6.

A patch has been issued to correct both of these flaws.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On