Medtronic Valleylab Energy Platform and Electrosurgery Products Flaws Identified

by | Nov 9, 2019

Six flaws have been identified in the Medtronic Valleylab energy platform and electrosurgery products, including one fatal flaw that could permit a hacker to obtain access to the Valleylab Energy platform and view/overwrite files and remotely execute arbitrary code.

The flaws were discovered by Medtronic which reported them to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency under its responsible vulnerability disclosure policy.

Four vulnerabilities have been discovered in the following Medtronic Valleylab products

  • Valleylab Exchange Client, Version 3.4 and earlier versions
  • Valleylab FT10 Energy Platform (VLFT10GEN) software Version 4.0.0 and earlier versions
  • Valleylab FX8 Energy Platform (VLFX8GEN) software Version 1.1.0 and earlier versions

The critical vulnerability is an improper input validation vulnerability in the rssh utility, which allows file uploads. Exploitation of the vulnerability would allow a hacker to obtain administrative access to files, allowing those files to be viewed, altered, or erased. The flaw could also permit remote execution of arbitrary code.

The flaw has been given two CVE codes – CVE-2019-3464 and CVE-2019-3463. A CVSS v3 base score of 9.8 has been calculated for the flaws.

The products also employ multiple sets of hard-coded credentials. If those details were found by a hacker, they could be used to read files on a vulnerable device. This flaw has been assigned the CVSS code – CVE-2019-13543 – and has a CVSS v3 base score of 5.4.

Vulnerable products use a descrypt algorithm for operating system password hashing. If interactive, network-based logons are turned off, combined with the other vulnerabilities, a hacker could obtain local shell access and view these hashes. The flaw – CVE-2019-13539 – has a CVSS v3 base score of 7.0.

Medtronic has published a patch for the FT10 platform, which should be applied as soon as possible. The FX8 platform will have a patch applied in early 2020. Medtronic notes that the above products are supplied with network connections turned off by default and the Ethernet port is disabled on reboot; however, the company is conscious that users often enable network connectivity.

Until the patches are applied to address the flaws, Medtronic advises users to disconnect vulnerable products from IP networks or ensure those networks are segregated and are not accessible over the internet or using other untrusted networks.

Two further vulnerabilities have been discovered in the following Medtronic Valleylab energy and electrosurgery products:

  • Valleylab FT10 Energy Platform (VLFT10GEN)
    • Version 2.1.0 and lower and Version 2.0.3 and lower
  • Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States)
    • Version 1.20.2 and lower

The FT10/LS10 Energy Platform uses an RFID security mechanism for authentication between the platform and instruments to stop inauthentic instruments from being used. This security mechanism can be got around. The flaw has been given the CVE code, CVS-2019-13531, and has a CVSS v3 base score of 4.8.

The RFID security mechanism does not use read protection, which could permit complete full read access to RFID security mechanism data. This flaw – CVE-2019-3535 – has a CVSS v3 base score of 4.6.

A patch has been issued to address these two flaws.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy