The Department of Homeland Security (DHS) warns that critical vulnerabilities affecting Medtronic Valleylab products that permit attackers to overwrite files and to execute remote software.
A Cybersecurity & Infrastructure Security Agency (CISA) DHS advisory warns about three recently patched vulnerabilities that could enable attackers to install a non-root shell in Medtronic Valleylab FT10 and FX8 phones.
While the network connections on these items should be deactivated by default and the Ethernet port disabled after rebooting, network access is often exposed and is therefore vulnerable to attack.
CISA advisory reads that the affected devices have multiple sets of hardcoded credentials to allow attackers to read files if exposed. The first of these vulnerabilities is reported as CVE-2019-13543 and has a base score of 5.8.
It was also found that the compromised goods use the OS code cracking decryption algorithm. Although network logons are disabled, other vulnerabilities may be used to access and receive local shell access. The issue is reported as CVE-2019-13539 and the score for the CVSS is 7.0.
In addition, a compromised version of the rssh tool used for file uploads in these products may allow attackers to access administrative files or to execute arbitrary code. The CVE-2019-3464 and CVE-2019-3463 essential bugs are monitored and carry a CVSS score of 9.8.
Valleylab FT10 Energy Platform (VLFT10GEN) software 4.0.0 and below, the FX8 Energy Platform (VLFX8GEN) software 1.1.0 and below are affected by the vulnerabilities.
Medtronic security patches are now available for the FT10 platform and are planned for the FX8 platform in early 2020.
“Medtronic advises continued use of these instruments by surgeons and nurses as expected. Customers should maintain good cyber hygiene practices only if appropriate by connecting these devices to the hospital network and closing them between uses until the new software update is complete.
To order to ensure that devices are not accessible from a network without confidence, insecure items should either be disconnected from IP networks or the networks should be separated, reads CISA’s advisory.
DHS warns of two more flaws affecting versions 2.1.0 and 2.0.3 and lower of the Valleylabo FT10 Energy Platform (VLFT10GEN) and versions 1.20.2 and lower of the Valleylab FT10 Energy Platform (VLLS10GEN).
The problems have an impact on these devices ‘ RFID security mechanism and could allow attackers to attach non-authentic tools.
“The consequence may be a loss of quality credibility and system functionality because the instrument and related parameters are incorrectly defined,” states CISA.
CVE-2019-13531, with a CVSS Rating of 4.8 and CVE-2019-13535, which has a CVSS rating of 4.6, are the vulnerabilities found.
For all affected phones, software updates that fix both defects have already been released.
“Medtronic recommends that surgeons and nurses continue the use and upgrade on the latest software version of these electrosurgical generators and the corresponding LigaSure tools. Due to the potential of generators to detect inauthentic LigaSure products, consumers must make sure that they only purchase all LigaSure devices from Medtronic or approved medtronic distributors.