Department of Homeland Security (DHS) warns of critical flaws impacting Medtronic Valleylab products that could allow hackers to overwrite files and achieve remote code execution.
The US DHS Cybersecurity & Infrastructure Security Agency (CISA) issued a security advisory to warn of three recently patched flaws in Medtronic Valleylab products that could be exploited to install a
The flaws affect Medtronic Valleylab FT10 and FX8 devices; experts warn that network connectivity for these systems is often enabled, exposing them to remote attack.
“Successful exploitation of these vulnerabilities may allow an attacker to overwrite files or remotely execute code, resulting in a remote, non-root shell on the affected products. By default, the network connections on these devices are disabled.” reads the advisory. “Additionally, the Ethernet port is disabled upon reboot. However, it is known that network connectivity is often enabled.”
The first vulnerability, tracked as CVE-2019-13543, is related to the use of
The CVE-2019-13543 vulnerability has received a base score of 5.8.
The second flaw discovered in the Medtronic Valleylab products (CVE-2019-13539) ties the use of the
Another vulnerability is related to the use of a vulnerable version of the
Affected products are Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below.
The good news is that Medtronic has already released security patches for the FT10 platform; the fixes for the FX8 platform are expected to be released in early 2020.
CISA’s advisory provides the following recommendations to minimize the risk of exploitation of these vulnerabilities:
- Minimize network exposure for all medical devices and/or systems.
- Locate medical devices behind firewalls and isolate them where possible.
- Restrict system access to authorized personnel only and follow a least privilege approach.
- Apply defense-in-depth strategies.
- Disable any unnecessary accounts, protocols and services.
- Where additional information is needed, refer to existing cybersecurity in medical device guidance issued by the FDA at the following location: https://www.fda.gov/medical-devices/digital-health/cybersecurity
The vendor recommends that users connect these devices to the hospital network only when necessary.
“Medtronic recommends that surgeons and nurses continue to use these devices as intended. Customers should maintain good cyber hygiene practices by only connecting these devices to the hospital network when necessary and shutting them down between uses until the new software update is complete,” reads the advisory published by the vendor.
A separate advisory published by DHS warns of two other vulnerabilities affecting Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN) version 1.20.2 and lower.
“Successful exploitation of these vulnerabilities may allow an attacker to connect inauthentic instruments to the affected products by spoofing RFID security mechanisms.” reads the advisory. “This may lead to a loss of
Medtronic already released updates that address both vulnerabilities.