ICSMA-19-311-02 · Published 2019-11-07 · View on CISA ICS-CERT ↗

Medtronic Valleylab FT10 and FX8

CVSS 9.8 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities may allow an attacker to overwrite files or remotely execute code, resulting in a remote, non-root shell on the affected products. By default, the network connections on these devices are disabled. Additionally, the Ethernet port is disabled upon reboot. However, it is known that network connectivity is often enabled.

CVEs (3)

CVE-2019-13543 CVE-2019-13539 CVE-2019-3464

Remediations

Software patches are currently available for the FT10 platform and will be available in early 2020 for the FX8 platform. Until these updates can be applied, Medtronic recommends to either disconnect affected products from IP networks or to segregate those networks, such that the devices are not accessible from an untrusted network (e.g., Internet). Patches can be downloaded at the following location:
https://www.medtronic.com/covidien/en-us/support/software.html
Medtronic has released additional patient focused information, at the following location:
https://www.medtronic.com/security

Affected Vendors

Medtronic

Affected Products (3)

Medtronic · Valleylab FX8 Energy Platform (VLFX8GEN) software <= 1.0.0

Medtronic · Valleylab FT10 Energy Platform (VLFT10GEN) software <= 4.0.0

Medtronic · Valleylab Exchange Client <= 3.4

Affected Sectors

Healthcare and Public Health

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more