Medtronic Valleylab Energy Platform and Electrosurgery Products Flaws Identified

Six flaws have been identified in the Medtronic Valleylab energy platform and electrosurgery products, including one fatal flaw that could permit a hacker to obtain access to the Valleylab Energy platform and view/overwrite files and remotely execute arbitrary code.

The flaws were discovered by Medtronic which reported them to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency under its responsible vulnerability disclosure policy.

Four vulnerabilities have been discovered in the following Medtronic Valleylab products

  • Valleylab Exchange Client, Version 3.4 and earlier versions
  • Valleylab FT10 Energy Platform (VLFT10GEN) software Version 4.0.0 and earlier versions
  • Valleylab FX8 Energy Platform (VLFX8GEN) software Version 1.1.0 and earlier versions

The critical vulnerability is an improper input validation vulnerability in the rssh utility, which allows file uploads. Exploitation of the vulnerability would allow a hacker to obtain administrative access to files, allowing those files to be viewed, altered, or erased. The flaw could also permit remote execution of arbitrary code.

The flaw has been given two CVE codes – CVE-2019-3464 and CVE-2019-3463. A CVSS v3 base score of 9.8 has been calculated for the flaws.

The products also employ multiple sets of hard-coded credentials. If those details were found by a hacker, they could be used to read files on a vulnerable device. This flaw has been assigned the CVSS code – CVE-2019-13543 – and has a CVSS v3 base score of 5.4.

Vulnerable products use a descrypt algorithm for operating system password hashing. If interactive, network-based logons are turned off, combined with the other vulnerabilities, a hacker could obtain local shell access and view these hashes. The flaw – CVE-2019-13539 – has a CVSS v3 base score of 7.0.

Medtronic has published a patch for the FT10 platform, which should be applied as soon as possible. The FX8 platform will have a patch applied in early 2020. Medtronic notes that the above products are supplied with network connections turned off by default and the Ethernet port is disabled on reboot; however, the company is conscious that users often enable network connectivity.

Until the patches are applied to address the flaws, Medtronic advises users to disconnect vulnerable products from IP networks or ensure those networks are segregated and are not accessible over the internet or using other untrusted networks.

Two further vulnerabilities have been discovered in the following Medtronic Valleylab energy and electrosurgery products:

  • Valleylab FT10 Energy Platform (VLFT10GEN)
    • Version 2.1.0 and lower and Version 2.0.3 and lower
  • Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States)
    • Version 1.20.2 and lower

The FT10/LS10 Energy Platform uses an RFID security mechanism for authentication between the platform and instruments to stop inauthentic instruments from being used. This security mechanism can be got around. The flaw has been given the CVE code, CVS-2019-13531, and has a CVSS v3 base score of 4.8.

The RFID security mechanism does not use read protection, which could permit complete full read access to RFID security mechanism data. This flaw – CVE-2019-3535 – has a CVSS v3 base score of 4.6.

A patch has been issued to address these two flaws.