Medtronic patched improper authentication and protection mechanism failure vulnerabilities in its Valleylab FT10 and Valleylab LS10, according to a report with CISA. Successful exploitation of these vulnerabilities, which Medtronic self-reported, may allow an attacker to connect inauthentic instruments to the affected products by spoofing RFID security mechanisms. This may lead to a loss of performance integrity and platform availability due to incorrect identification of instrument and associated parameters.
The following Medtronic Valleylab energy and electrosurgery products suffer from the vulnerabilities: • Valleylab FT10 Energy Platform (VLFT10GEN) Version 2.1.0 and lower Version 2.0.3 and lower • Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) Version 1.20.2 and lower In one vulnerability, the RFID security mechanism used for authentication between the FT10/LS10 Energy Platform and instruments can be bypassed, allowing for inauthentic instruments to connect to the generator. CVE-2019-13531 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.8. In addition, the RFID security mechanism does not apply read protection, allowing for full read access of the RFID security mechanism data. CVE-2019-13535 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.6. The products see use mainly in the healthcare and public health sectors, and on a global basis. These vulnerabilities are not exploitable remotely. However, an attacker with low skill level could leverage the vulnerabilities. A software patch is available now for the affected Valleylab platforms. If you suspect you are in possession of an instrument that is not FDA approved or cleared to be used with Medtronic Valleylab FT10 or LS10, contact Medtronic or your medical device supplier. If you have concerns about FDA clearance or approval of current or future instruments, please contact your medical device supplier. Please contact Medtronic to obtain the software patch. Medtronic released additional patient focused information.