DHS Alerts About Multiple Vulnerabilities In Medtronic Valleylab Equipment

  •  
  •  
  •  
  • 1
  •  
  •  
  •  
    1
    Share

The United States Department of Homeland Security (DHS) has recently issued an alert about numerous vulnerabilities in Medtronic Valleylab equipment. These include a critical security flaw and two high-severity vulnerabilities affecting numerous devices.

Critical Vulnerability In Valleylab Equipment

According to the US-CERT advisory, a critical vulnerability existed in the Medtronic Valleylab equipment. Specifically, it was an input validation vulnerability that could let an attacker gain admin access to the files, and execute arbitrary codes. This critical vulnerability has received a CVSS base score of 9.8.

The vulnerability has received two CVE IDs. One of these, CVE-2019-3463, reads,

Insufficient sanitization of arguments passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.”

Whereas, for the other CVE ID, CVE-2019-3464, the description reads,

Insufficient sanitization of environment variables passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.

Other Medtronic Valleylab Vulnerabilities

In addition, two other notable vulnerabilities also existed in Medtronic Valleylab equipment. One of these, CVE-2019-13539, existed because the products used descrypt algorithm for OS password hashing. According to the advisory,

While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.

Whereas, the other vulnerability, CVE-2019-13543, existed because of multiple hard-coded credentials. According to the advisory,

If discovered, they can be used to read files on the device.

The vulnerabilities affected Medtronic Valleylab Exchange Client v.3.4, Valleylab FX8 Energy Platform (VLFX8GEN) software v.1.1.0 and below, and Valleylab FT10 Energy Platform (VLFT10GEN) software v.4.0.0 and below.

For now, Medtronic is working to develop patches for the FX8 platform, which will possibly roll out in January 2020. Hence, Medtronic advises disconnecting the vulnerable products from IP networks, and limit their accessibility from untrusted networks (such as Internet).

Whereas, for the FT10 platform, a fix is available.

Let us know your thoughts in the comments.

The following two tabs change content below.
Avatar

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]
Avatar

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

Do NOT follow this link or you will be banned from the site!