The United States Department of Homeland Security (DHS) has issued an advisory about several vulnerabilities in Medtronic Valleylab equipment: a critical security flaw, tracked under two CVE IDs, and two high-severity vulnerabilities, together affecting several Valleylab products.
Critical Vulnerability In Valleylab Equipment
According to the US-CERT advisory, the critical vulnerability is an improper input validation flaw in rssh, the restricted shell used on the affected devices. An attacker who can reach it could obtain administrative access to files on the device and execute arbitrary code. The flaw carries a CVSS base score of 9.8.
The flaw is tracked under two CVE IDs, one for each kind of input that rssh failed to sanitize. The description of CVE-2019-3463 reads:
"Insufficient sanitization of arguments passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands."
The description of CVE-2019-3464 reads:
"Insufficient sanitization of environment variables passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands."
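Why "sanitizing arguments passed to rsync" is harder than an exact-match denylist suggests, as an added illustration (this is not rssh's code, and the advisory gives no exploit details). The example compares a naive filter with a stricter one over constructed argument vectors. The option forms it handles (bundled short options such as -re, popt-style unambiguous long-option prefixes such as --rs, the -e.<flags> string an rsync client sends to its --server side, and the RSYNC_RSH environment variable) are assumptions drawn from rsync's own option handling, not claims about which inputs triggered CVE-2019-3463 or CVE-2019-3464.

```python
"""Restricted-shell argument filter for rsync: added illustration, not rssh's
code.  Option forms below are assumed from rsync's documented behaviour."""
import re

# Long options that make rsync execute another program or load a config file.
# -e is the short form of --rsh.
DANGEROUS_LONG = ("rsh", "daemon", "config")
# Environment variables rsync honours that change which program it runs.
DANGEROUS_ENV = ("RSYNC_RSH",)
# In --server mode the rsync client passes its capability flags to the server
# as "-e.<letters>" (optionally with a leading protocol digit).  That is the
# only -e value a restricted account has any reason to send.
SERVER_EFLAGS = re.compile(r"[0-9]*\.[A-Za-z0-9]*")


def naive_filter(argv, env):
    """Exact-match denylist: the kind of check that is insufficient."""
    for arg in argv:
        if arg in ("-e", "--rsh", "--daemon", "--config") or arg.startswith("--rsh="):
            return False
    return True


def strict_filter(argv, env):
    """Return True only if argv/env cannot make rsync run something else.

    Over-rejecting is the safe direction for a restricted shell."""
    if any(name in env for name in DANGEROUS_ENV):
        return False
    if not argv or argv[0] != "--server":
        # A restricted account is only ever the server side of a transfer.
        return False
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg.startswith("--"):
            name = arg[2:].split("=", 1)[0]
            # popt-style parsing accepts any unambiguous prefix of a long
            # option, so "--rs" or "--daem" must count as the full option.
            if name and any(opt.startswith(name) for opt in DANGEROUS_LONG):
                return False
        elif arg.startswith("-") and len(arg) > 1:
            # Bundled short options: every character is its own flag, and
            # whatever follows 'e' is its value.  Allow only the server
            # capability string, never a path or an empty value.
            bundle = arg[1:]
            pos = bundle.find("e")
            if pos != -1 and not SERVER_EFLAGS.fullmatch(bundle[pos + 1:]):
                return False
    return True


# Constructed inputs: a normal client-initiated transfer, then three attempts
# that the exact-match denylist lets through.
CASES = {
    "legit": (["--server", "-vlogDtpre.iLsfxCIvu", ".", "/srv/data/"], {}),
    "bundled": (["--server", "-re", "/bin/sh", ".", "/srv/data/"], {}),
    "prefix": (["--server", "--rs=/bin/sh", ".", "/srv/data/"], {}),
    "envvar": (["--server", "-vlogDtpre.iLsfxCIvu", ".", "/srv/data/"],
               {"RSYNC_RSH": "/bin/sh"}),
}


def compare():
    """Map case name -> (naive verdict, strict verdict); True means allowed."""
    return {name: (naive_filter(*case), strict_filter(*case))
            for name, case in CASES.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name:8s} naive={'allow' if naive else 'deny':5s} "
              f"strict={'allow' if strict else 'deny'}")
```

The naive filter passes all four cases; the strict one passes only the genuine transfer. The lesson applies beyond rssh: any wrapper that re-executes a tool with caller-supplied arguments has to parse those arguments the way the tool will, and to scrub the environment, not just match a few literal strings.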
Other Medtronic Valleylab Vulnerabilities
In addition, two other notable vulnerabilities exist in Medtronic Valleylab equipment. The first, CVE-2019-13539, arises because the products use the descrypt algorithm for OS password hashing. According to the advisory,
"While interactive, network-based logons are disabled, attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes."
Descrypt keeps only the first eight characters of a password and uses a 12-bit salt, so hashes recovered this way can be brute-forced cheaply.
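A practical check for the weak-hash problem the advisory describes, as an added example (not from the advisory or Medtronic): scan an /etc/shadow-style file and report every account still protected by descrypt. The shadow lines below are constructed test data with made-up hash strings; the prefix-to-algorithm table follows the crypt(3) convention that descrypt hashes have no "$id$" prefix and are exactly 13 characters of the [./0-9A-Za-z] alphabet.

```python
"""Find accounts whose password hash is traditional DES (descrypt).
Added example with constructed shadow data, not real device hashes."""
import re

# crypt(3) identifiers.  Anything else that is 13 characters of the
# [./0-9A-Za-z] alphabet with no '$' is traditional DES (descrypt).
HASH_IDS = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
DESCRYPT = re.compile(r"[./0-9A-Za-z]{13}")


def classify(hash_field):
    """Name the hashing scheme of one shadow password field."""
    if hash_field in ("", "x") or hash_field[0] in "*!":
        return "no-password"          # locked, or no password set
    for prefix, name in HASH_IDS.items():
        if hash_field.startswith(prefix):
            return name
    if DESCRYPT.fullmatch(hash_field):
        return "descrypt"
    return "unknown"


def weak_accounts(shadow_text):
    """Return [(user, scheme)] for every account hashed with descrypt.

    descrypt keeps only the first 8 characters of the password, uses a
    12-bit salt and is cheap to compute, so such accounts should be
    migrated to sha512crypt, yescrypt or bcrypt."""
    weak = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                  # malformed line; skip rather than crash
        user, pw = fields[0], fields[1]
        if classify(pw) == "descrypt":
            weak.append((user, "descrypt"))
    return weak


# Constructed sample: every hash string is invented and only mimics the
# shape of its format.
SAMPLE_SHADOW = """\
root:$6$saltsalt$MadeUpSha512CryptHashValueForIllustrationOnly:18500:0:99999:7:::
service:abJnggxhB/yWI:18500:0:99999:7:::
maint:N.V.R.QwkhI.E:18500:0:99999:7:::
backup:$y$j9T$F5Jx5fExrKuPp53xLKwKN/$MadeUpYescryptHashValue:18500:0:99999:7:::
nobody:*:18500:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in weak_accounts(SAMPLE_SHADOW):
        print(f"{user}: {scheme} (truncates to 8 chars, 12-bit salt)")
```

Run against a real shadow file (as root) the same function flags the accounts to migrate; on a device where local shell access can be obtained through another bug, as the advisory notes, any descrypt entry it reports is effectively recoverable offline.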
The second, CVE-2019-13543, stems from multiple hard-coded credentials in the products. According to the advisory,
"If discovered, they can be used to read files on the device."
The vulnerabilities affect Medtronic Valleylab Exchange Client v3.4 and below, Valleylab FX8 Energy Platform (VLFX8GEN) software v1.1.0 and below, and Valleylab FT10 Energy Platform (VLFT10GEN) software v4.0.0 and below.
For the FT10 platform, a fixed software version is already available. For the FX8 platform, Medtronic is still developing a patch, which is expected to roll out in January 2020. Until the fix is installed, Medtronic advises disconnecting the vulnerable products from IP networks and limiting their exposure to untrusted networks such as the Internet.
Let us know your thoughts in the comments.