{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Valleylab Exchange Client","vendor":"Medtronic","versions":[{"lessThanOrEqual":"3.4","status":"affected","version":"0","versionType":"c"}]},{"defaultStatus":"unaffected","product":"Valleylab FT10 Energy Platform (VLFT10GEN)","vendor":"Medtronic","versions":[{"lessThanOrEqual":"software version 4.0.0","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"Valleylab FX8 Energy Platform (VLFX8GEN)","vendor":"Medtronic","versions":[{"lessThanOrEqual":"software version 1.1.0","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Medtronic reported these vulnerabilities to CISA."}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

\nMedtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.\n\n

"}],"value":"Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-328","description":"CWE-328","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert","dateUpdated":"2025-05-22T19:06:39.644Z"},"references":[{"url":"https://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-311-02"},{"url":"https://global.medtronic.com/xg-en/product-security/security-bulletins/valleylab-generator-rfid-vulnerabilities.html"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

Software patches are currently available for the FT10 platform and will be available in early 2020 for the FX8 platform. Until these updates can be applied, Medtronic recommends to either disconnect affected products from IP networks or to segregate those networks, such that the devices are not accessible from an untrusted network (e.g., Internet). Patches can be downloaded at the following location:

https://www.medtronic.com/covidien/en-us/support/software.html

Medtronic has released additional patient focused information, at the following location:

https://www.medtronic.com/security

"}],"value":"Software patches are currently available for the FT10 platform and will be available in early 2020 for the FX8 platform. Until these updates can be applied, Medtronic recommends to either disconnect affected products from IP networks or to segregate those networks, such that the devices are not accessible from an untrusted network (e.g., Internet). Patches can be downloaded at the following location:\n\n https://www.medtronic.com/covidien/en-us/support/software.html \n\nMedtronic has released additional patient focused information, at the following location:\n\n https://www.medtronic.com/security"}],"source":{"advisory":"ICSMA-19-311-02","discovery":"INTERNAL"},"title":"Medtronic Valleylab FT10 and FX8 Reversible One-way Hash","x_generator":{"engine":"Vulnogram 0.2.0"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"ics-cert@hq.dhs.gov","ID":"CVE-2019-13543","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Valleylab Exchange Client","version":{"version_data":[{"version_value":"version 3.4 and below"}]}},{"product_name":"Valleylab FT10 Energy Platform (VLFT10GEN)","version":{"version_data":[{"version_value":"software version 4.0.0 and below"}]}},{"product_name":"Valleylab FX8 Energy Platform (VLFX8GEN)","version":{"version_data":[{"version_value":"software version 1.1.0 and below"}]}}]},"vendor_name":"Medtronic"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"USE OF HARD-CODED CREDENTIALS CWE-798"}]}]},"references":{"reference_data":[{"name":"https://www.us-cert.gov/ics/advisories/icsma-19-311-02","refsource":"MISC","url":"https://www.us-cert.gov/ics/advisories/icsma-19-311-02"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T23:57:39.467Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.us-cert.gov/ics/advisories/icsma-19-311-02"}]}]},"cveMetadata":{"assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","assignerShortName":"icscert","cveId":"CVE-2019-13539","datePublished":"2019-11-08T19:07:59.000Z","dateReserved":"2019-07-11T00:00:00.000Z","dateUpdated":"2025-05-22T19:06:39.644Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}