SB2019111108 - Multiple vulnerabilities in Medtronic Valleylab pruducts
Published: November 11, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2019-13531)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to bypass authentication process.
The vulnerability exists due to an error in the RFID security mechanism used for authentication between the FT10/LS10 Energy Platform and instruments. An attacker with physical access to the device can connect inauthentic instruments to the generator, bypass authentication process and gain unauthorized access to the application.
2) Protection Mechanism Failure (CVE-ID: CVE-2019-13535)
CWE-ID: CWE-693 - Protection Mechanism Failure
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
3) Use of hard-coded credentials (CVE-ID: CVE-2019-13543)
CWE-ID: CWE-798 - Use of Hard-coded Credentials
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain full access to vulnerable system.
The vulnerability exists due to presence of hard-coded credentials in application code. A remote unauthenticated attacker can access the affected system using the hard-coded credentials and read files on the target system.
4) Reversible One-Way Hash (CVE-ID: CVE-2019-13539)
CWE-ID: -
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
Remediation
Install update from vendor's website.