Successful exploitation of these remotely exploitable vulnerabilities, which Medtronic self-reported, may allow an attacker to overwrite files or remotely execute code, resulting in a remote, non-root shell on the affected products.
By default, the network connections on these devices are disabled. Additionally, the Ethernet port is disabled upon reboot. However, it is known that network connectivity is often enabled.
The following Medtronic Valleylab products suffer from the issue:
• Valleylab Exchange Client, Version 3.4 and below
• Valleylab FT10 Energy Platform (VLFT10GEN) software Version 4.0.0 and below
• Valleylab FX8 Energy Platform (VLFX8GEN) software Version 1.1.0 and below
In one vulnerability, the affected products use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device.
CVE-2019-13543 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.8.
In addition, the affected products use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.
CVE-2019-13539 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.0.
Also, the affected products use a vulnerable version of the rssh utility in order to facilitate file uploads. This could provide an attacker with administrative access to files or the ability to execute arbitrary code.
CVE-2019-3464 and CVE-2019-3463 are the case numbers assigned to this vulnerability, which have a CVSS v3 base score of 9.8.
The products see use mainly in the healthcare and public health sectors, and on a global basis.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
Software patches are currently available for the FT10 platform and will be available in early 2020 for the FX8 platform. Until these updates can be applied, Medtronic recommends to either disconnect affected products from IP networks or to segregate those networks, such that the devices are not accessible from an untrusted network (e.g., Internet). Click here to download patches.
Medtronic released additional patient focused information.