{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Valleylab FT10 Energy Platform (VLFT10GEN)","vendor":"Medtronic","versions":[{"lessThanOrEqual":"2.1.0","status":"affected","version":"0","versionType":"custom"},{"lessThanOrEqual":"2.0.3","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States)","vendor":"Medtronic","versions":[{"lessThanOrEqual":"1.20.2","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Medtronic reported these vulnerabilities to CISA."}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) version 1.20.2 and lower, the RFID security mechanism used for authentication between the FT10/LS10 Energy Platform and instruments can be bypassed, allowing for inauthentic instruments to connect to the generator.</p>"}],"value":"In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) version 1.20.2 and lower, the RFID security mechanism used for authentication between the FT10/LS10 Energy Platform and instruments can be bypassed, allowing for inauthentic instruments to connect to the generator."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"PHYSICAL","availabilityImpact":"LOW","baseScore":4.8,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-287","description":"CWE-287 Improper Authentication","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert","dateUpdated":"2025-05-22T18:37:04.526Z"},"references":[{"url":"https://global.medtronic.com/xg-en/product-security/security-bulletins/valleylab-generator-rfid-vulnerabilities.html"},{"url":"https://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-311-01"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>A software patch is available now for the affected Valleylab platforms. If you suspect you are in possession of an instrument that is not FDA approved or cleared to be used with Medtronic Valleylab FT10 or LS10, please contact Medtronic or your medical device supplier. If you have concerns about FDA clearance or approval of current or future instruments, please contact your medical device supplier. Please contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/covidien/en-us/support/software.html\">Medtronic</a>&nbsp;to obtain the software patch.</p><p>Medtronic has released additional patient focused information at the following location:</p><p><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\">https://www.medtronic.com/security</a></p>\n\n<br>"}],"value":"A software patch is available now for the affected Valleylab platforms. If you suspect you are in possession of an instrument that is not FDA approved or cleared to be used with Medtronic Valleylab FT10 or LS10, please contact Medtronic or your medical device supplier. If you have concerns about FDA clearance or approval of current or future instruments, please contact your medical device supplier. Please contact  https://www.medtronic.com/security"}],"source":{"advisory":"ICSMA-19-311-01","discovery":"INTERNAL"},"title":"Medtronic Valleylab FT10 and LS10 Improper Authentication","x_generator":{"engine":"Vulnogram 0.2.0"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"ics-cert@hq.dhs.gov","ID":"CVE-2019-13531","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Valleylab FT10 Energy Platform (VLFT10GEN)","version":{"version_data":[{"version_value":"version 2.1.0 and lower"},{"version_value":"version 2.0.3 and lower"}]}},{"product_name":"Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States)","version":{"version_data":[{"version_value":"version 1.20.2 and lower"}]}}]},"vendor_name":"Medtronic"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) version 1.20.2 and lower, the RFID security mechanism used for authentication between the FT10/LS10 Energy Platform and instruments can be bypassed, allowing for inauthentic instruments to connect to the generator."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"IMPROPER AUTHENTICATION CWE-287"}]}]},"references":{"reference_data":[{"name":"https://www.us-cert.gov/ics/advisories/icsma-19-311-01","refsource":"MISC","url":"https://www.us-cert.gov/ics/advisories/icsma-19-311-01"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T23:57:39.240Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.us-cert.gov/ics/advisories/icsma-19-311-01"}]}]},"cveMetadata":{"assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","assignerShortName":"icscert","cveId":"CVE-2019-13531","datePublished":"2019-11-08T19:46:45.000Z","dateReserved":"2019-07-11T00:00:00.000Z","dateUpdated":"2025-05-22T18:37:04.526Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}