Pierluigi Paganini November 09, 2019

Department of Homeland Security (DHS) warns of critical flaws impacting Medtronic Valleylab products that could allow hackers to overwrite files and achieve remote code execution.

The US DHS Cybersecurity & Infrastructure Security Agency (CISA) issued a security advisory to warn of three recently patched flaws in Medtronic Valleylab products that could be exploited to install a non-root shell.

The flaws affect Medtronic Valleylab FT10 and FX8 devices, experts warn that that network connectivity for these systems is often enabled exposing them to remote hack.

“Successful exploitation of these vulnerabilities may allow an attacker to overwrite files or remotely execute code, resulting in a remote, non-root shell on the affected products. By default, the network connections on these devices are disabled.” reads the advisory. “Additionally, the Ethernet port is disabled upon reboot. However, it is known that network connectivity is often enabled.”

The first vulnerability, tracked as CVE-2019-13543, is related to the use of hardcoded credentials that could allow attackers to read files.

The CVE-2019-13543 vulnerability has received a base score of 5.8.

The second flaw discovered in the Medtronic Valleylab products (CVE-2019-13539) ties the use of the descrypt algorithm for OS password hashing. The advisory states that although network-based logons are disabled, an attacker could use other flaws to get local shell access and obtain these hashes. The vulnerability has received a CVSS score of 7.0.

Another vulnerability is related to the use of a vulnerable version of the rssh utility in these products to facilitate file uploads. The vulnerability could be exploited by attackers to gain administrative access to files or execute arbitrary code. These flaws, tracked as CVE-2019-3464 and CVE-2019-3463, received a CVSS score of 9.8.

Affected products are Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below.

The good news is that Medtronic has already released security patches for the FT10 platform and the fixes for the FX8 platform are expected to be released in early 2020.

CISA’s advisory provides the following recommendations to minimize the risk of exploitation of these vulnerabilities:

• Minimize network exposure for all medical devices and/or systems.
• Locate medical devices behind firewalls and isolate them where possible.
• Restrict system access to authorized personnel only and follow a least privilege approach.
• Apply defense-in-depth strategies.
• Disable any unnecessary accounts, protocols and services.
• Where additional information is needed, refer to existing cybersecurity in medical device guidance issued by the FDA at the following location: https://www.fda.gov/medical-devices/digital-health/cybersecurity

The vendor recommends users to only connect these devices to the hospital network when necessary.

“Medtronic recommends that surgeons and nurses continue to use these devices as intended. Customers should maintain good cyber hygiene practices by only connecting these devices to the hospital network when necessary and shutting them down between uses until the new software update is complete,” reads the advisory published by the vendor.

A separate advisory published by DHS warns of two other vulnerabilities affecting Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN) version 1.20.2 and lower.

“Successful exploitation of these vulnerabilities may allow an attacker to connect inauthentic instruments to the affected products by spoofing RFID security mechanisms.” reads the advisory. “This may lead to a loss of performance integrity and platform availability due to incorrect identification of instrument and associated parameters.”

Medtronic already released updates that address both vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – Medtronic, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]