Connect with us

The Online Technology

US-CERT warns of critical flaws in Medtronic equipment – Naked Security

Security Watch

US-CERT warns of critical flaws in Medtronic equipment – Naked Security


The United States Computer Emergency Readiness Team (US-CERT) has issued another warning about security flaws in medical equipment made by Medtronic.

The problem this time is in the Valleylab FT10 (V4.0.0 and below) and Valleylab FX8 (v1.1.0 and below), electrosurgical generators used by surgeons for procedures such as cauterisation during operations.

That’s the good news – the equipment is used by hospitals which means locating the equipment and mitigating or patching the vulnerabilities should be relatively straightforward compared to medical equipment being used by thousands of consumers.

Less positively, two of the flaws – CVE-2019-3464, and CVE-2019-3463 – are severe enough to earn a CVSS rating of 9.8, which makes them critical.

The latter vulnerability is the restricted shell (rssh) utility which allows file uploads to the Valleylab units. Using an unpatched version of this could give an attacker admin access and the ability to execute code.

According to the alert, the network access necessary for this to happen is often enabled, presumably for remote management, which gives attackers a way of reaching vulnerable devices.

A third flaw, CVE-2019-13539, is caused by an insecure (i.e. reversible) one-way decrypt hash when the event network-based logons are disabled.

The fourth flaw, CVE-2019-13543, affects the Medtronic Valleylab Exchange Client version 3.4 and below, is caused by hard-coded credentials.