Warning on Medtronic Valleylab Energy Platform and Electrosurgery Products Vulnerabilities

Medtronic identified six vulnerabilities in the Medtronic Valleylab energy platform and electrosurgery products that include one critical vulnerability that an attacker can exploit to access the Valleylab Energy platform and view/overwrite data files and remotely implement arbitrary code.

Medtronic already sent notifications about the identified vulnerabilities to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency considering its responsible vulnerability disclosure policy.

The following Medtronic Valleylab products have been found to have four vulnerabilities:

  • Valleylab Exchange Client, Version 3.4 and earlier versions
  • Valleylab FX8 Energy Platform (VLFX8GEN) software Version 1.1.0 and earlier versions
  • Valleylab FT10 Energy Platform (VLFT10GEN) software Version 4.0.0 and earlier versions

The critical vulnerability is an incorrect input validation vulnerability in the rssh utility that handles file uploads. An attacker could exploit the vulnerability to acquire administrative access and view, alter or delete files. The vulnerability can likewise permit remote implementation of arbitrary code. The two vulnerabilities, CVE-2019-3464 and CVE-2019-3463, have an assigned CVSS v3 base rate of 9.8.

The Medtronic Valleylab products likewise utilize several sets of hard-coded credentials. If an attacker discovers those credentials, he/she could use them to read files on an unsecured device. This vulnerability, CVE-2019-13543, has an assigned CVSS v3 base rate of 5.4.

Vulnerable products have a descrypt algorithm that is used for operating system password hashing. An attacker can acquire local shell access and look at these hashes when the interactive, network-based logons are deactivated and there are other vulnerabilities. This vulnerability, CVE-2019-13539, has an assigned CVSS v3 base rate of 7.0.

Medtronic released a patch for the FT10 platform that must be used immediately. The patch for the FX8 platform will be available at the beginning of 2020. Medtronic remarks that the above-mentioned products are provided with network connections deactivated by default and the Ethernet port is deactivated on reboot; but, the company knows that users generally allow network connection.

When the patches are not yet used to fix the vulnerabilities, Medtronic recommends that users must detach unsecured products from IP networks or make sure that those networks are separated and not accessible online or through other untrusted networks.

The following Medtronic Valleylab energy and electrosurgery products have been found with these two vulnerabilities:

  • Version 2.1.0 and lower and Version 2.0.3 and earlier versions
  • Valleylab FT10 Energy Platform (VLFT10GEN)
  • Valleylab LS10 Energy Platform (VLLS10GEN-not offered in the U.S.A.) Version 1.20.2 and earlier versions

The FT10/LS10 Energy Platform integrates an RFID security system for validation of the platform and tools to avert the use of inauthentic tools. This security system could be circumvented. The vulnerability, CVS-2019-13531, has an assigned CVSS v3 base rate of 4.8.

The RFID security system doesn’t use read protection that could permit total read access to RFID security mechanism information. This vulnerability, CVE-2019-3535, has an assigned CVSS v3 base rate of 4.6.

Medtronics already issued a patch to resolve these two vulnerabilities.