cnvd - cnvd-2019-41421

CNVD-2019-41421

Vulnerability from cnvd - Published: 2019-11-20

Title

Medtronic Valleylab FT10和Valleylab LS10 Energy Platform授权问题漏洞

Description

Medtronic Valleylab FT10和Valleylab LS10 Energy Platform都是美国美敦力（Medtronic）公司的一款用于医疗行业的电源设备。 Medtronic Valleylab FT10 (VLFT10GEN) 2.1.0及之前版本，2.0.3及之前版本和Valleylab LS10 Energy Platform (VLLS10GEN) 1.20.2及之前版本中存在授权问题漏洞，攻击者可利用该漏洞将不真实的仪器连接到发生器。

Severity

低

Patch Name

Medtronic Valleylab FT10和Valleylab LS10 Energy Platform授权问题漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.medtronic.com

Reference

https://www.us-cert.gov/ics/advisories/icsma-19-311-01

Impacted products

Name
['Medtronic Valleylab FT10 (VLFT10GEN) <=2.1.0', 'Medtronic Valleylab FT10 (VLFT10GEN) <=2.0.3', 'Medtronic Valleylab LS10 Energy Platform (VLLS10GEN) <=1.20.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-13531"
    }
  },
  "description": "Medtronic Valleylab FT10\u548cValleylab LS10 Energy Platform\u90fd\u662f\u7f8e\u56fd\u7f8e\u6566\u529b\uff08Medtronic\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u533b\u7597\u884c\u4e1a\u7684\u7535\u6e90\u8bbe\u5907\u3002\n\nMedtronic Valleylab FT10 (VLFT10GEN) 2.1.0\u53ca\u4e4b\u524d\u7248\u672c\uff0c2.0.3\u53ca\u4e4b\u524d\u7248\u672c\u548cValleylab LS10 Energy Platform (VLLS10GEN) 1.20.2\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u4e0d\u771f\u5b9e\u7684\u4eea\u5668\u8fde\u63a5\u5230\u53d1\u751f\u5668\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.medtronic.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-41421",
  "openTime": "2019-11-20",
  "patchDescription": "Medtronic Valleylab FT10\u548cValleylab LS10 Energy Platform\u90fd\u662f\u7f8e\u56fd\u7f8e\u6566\u529b\uff08Medtronic\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u533b\u7597\u884c\u4e1a\u7684\u7535\u6e90\u8bbe\u5907\u3002\r\n\r\nMedtronic Valleylab FT10 (VLFT10GEN) 2.1.0\u53ca\u4e4b\u524d\u7248\u672c\uff0c2.0.3\u53ca\u4e4b\u524d\u7248\u672c\u548cValleylab LS10 Energy Platform (VLLS10GEN) 1.20.2\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u4e0d\u771f\u5b9e\u7684\u4eea\u5668\u8fde\u63a5\u5230\u53d1\u751f\u5668\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Medtronic Valleylab FT10\u548cValleylab LS10 Energy Platform\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Medtronic Valleylab FT10 (VLFT10GEN) \u003c=2.1.0",
      "Medtronic Valleylab FT10 (VLFT10GEN) \u003c=2.0.3",
      "Medtronic Valleylab LS10 Energy Platform (VLLS10GEN) \u003c=1.20.2"
    ]
  },
  "referenceLink": "https://www.us-cert.gov/ics/advisories/icsma-19-311-01",
  "serverity": "\u4f4e",
  "submitTime": "2019-11-11",
  "title": "Medtronic Valleylab FT10\u548cValleylab LS10 Energy Platform\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2019-13531 (GCVE-0-2019-13531)

Vulnerability from cvelistv5 – Published: 2019-11-08 19:46 – Updated: 2025-05-22 18:37

Title

Medtronic Valleylab FT10 and LS10 Improper Authentication

Summary

In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) version 1.20.2 and lower, the RFID security mechanism used for authentication between the FT10/LS10 Energy Platform and instruments can be bypassed, allowing for inauthentic instruments to connect to the generator.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L

CWE

CWE-287 - Improper Authentication

Assigner

icscert

References

URL

Tags

	https://global.medtronic.com/xg-en/product-securi…
	https://www.cisa.gov/news-events/ics-medical-advi…

Impacted products

Vendor

Product

Version

Medtronic

Valleylab FT10 Energy Platform (VLFT10GEN)

Affected: 0 , ≤ 2.1.0 (custom)
Affected: 0 , ≤ 2.0.3 (custom)

Medtronic

Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States)

Affected: 0 , ≤ 1.20.2 (custom)

Credits

Medtronic reported these vulnerabilities to CISA.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:57:39.240Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Valleylab FT10 Energy Platform (VLFT10GEN)",
          "vendor": "Medtronic",
          "versions": [
            {
              "lessThanOrEqual": "2.1.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Valleylab LS10 Energy Platform (VLLS10GEN\u2014not available in the United States)",
          "vendor": "Medtronic",
          "versions": [
            {
              "lessThanOrEqual": "1.20.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Medtronic reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN\u2014not available in the United States) version 1.20.2 and lower, the RFID security mechanism used for authentication between the FT10/LS10 Energy Platform and instruments can be bypassed, allowing for inauthentic instruments to connect to the generator.\u003c/p\u003e"
            }
          ],
          "value": "In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN\u2014not available in the United States) version 1.20.2 and lower, the RFID security mechanism used for authentication between the FT10/LS10 Energy Platform and instruments can be bypassed, allowing for inauthentic instruments to connect to the generator."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "LOW",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-22T18:37:04.526Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/valleylab-generator-rfid-vulnerabilities.html"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-311-01"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA software patch is available now for the affected Valleylab platforms. If you suspect you are in possession of an instrument that is not FDA approved or cleared to be used with Medtronic Valleylab FT10 or LS10, please contact Medtronic or your medical device supplier. If you have concerns about FDA clearance or approval of current or future instruments, please contact your medical device supplier. Please contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/covidien/en-us/support/software.html\"\u003eMedtronic\u003c/a\u003e\u0026nbsp;to obtain the software patch.\u003c/p\u003e\u003cp\u003eMedtronic has released additional patient focused information at the following location:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003ehttps://www.medtronic.com/security\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "A software patch is available now for the affected Valleylab platforms. If you suspect you are in possession of an instrument that is not FDA approved or cleared to be used with Medtronic Valleylab FT10 or LS10, please contact Medtronic or your medical device supplier. If you have concerns about FDA clearance or approval of current or future instruments, please contact your medical device supplier. Please contact  https://www.medtronic.com/security"
        }
      ],
      "source": {
        "advisory": "ICSMA-19-311-01",
        "discovery": "INTERNAL"
      },
      "title": "Medtronic Valleylab FT10 and LS10 Improper Authentication",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2019-13531",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Valleylab FT10 Energy Platform (VLFT10GEN)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "version 2.1.0 and lower"
                          },
                          {
                            "version_value": "version 2.0.3 and lower"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Valleylab LS10 Energy Platform (VLLS10GEN\u2014not available in the United States)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "version 1.20.2 and lower"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Medtronic"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN\u2014not available in the United States) version 1.20.2 and lower, the RFID security mechanism used for authentication between the FT10/LS10 Energy Platform and instruments can be bypassed, allowing for inauthentic instruments to connect to the generator."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "IMPROPER AUTHENTICATION CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsma-19-311-01",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2019-13531",
    "datePublished": "2019-11-08T19:46:45",
    "dateReserved": "2019-07-11T00:00:00",
    "dateUpdated": "2025-05-22T18:37:04.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-41421

CVE-2019-13531 (GCVE-0-2019-13531)

Tags

Sightings

Nomenclature