Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2019-13531 CVE-2019-13535 CVE-2019-13543 CVE-2019-13539 |
CWE-ID | CWE-287 CWE-693 CWE-798 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software |
Valleylab LS10 Energy Platform | Hardware solutions / Other hardware appliances |
Valleylab FT10 Energy Platform | Hardware solutions / Other hardware appliances |
Valleylab FX8 Energy Platform | Hardware solutions / Other hardware appliances |
Valleylab Exchange Client | Client/Desktop applications / Other client software |
Vendor | Medtronic |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU22637
Risk: Low
CVSSv3.1: 4.2 [CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13531
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
Description: The vulnerability allows a local attacker to bypass the authentication process.
The vulnerability exists due to an error in the RFID security mechanism used for authentication between the FT10/LS10 Energy Platform and instruments. An attacker with physical access to the device can connect inauthentic instruments to the generator, bypass the authentication process and gain unauthorized access to the application.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Valleylab LS10 Energy Platform: 1.20.2
Valleylab FT10 Energy Platform: 2.0.3 - 2.1.0
External links: http://www.us-cert.gov/ics/advisories/icsma-19-311-01
Q & A
Can this vulnerability be exploited remotely?
No. The attacker must have physical access to the system to successfully exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU22638
Risk: Low
CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13535
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
Description:
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Valleylab LS10 Energy Platform: 1.20.2
Valleylab FT10 Energy Platform: 2.0.3 - 2.1.0
External links: http://www.us-cert.gov/ics/advisories/icsma-19-311-01
Q & A
Can this vulnerability be exploited remotely?
No. The attacker must have physical access to the system to successfully exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU22640
Risk: Medium
CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13543
CWE-ID:
CWE-798 - Use of Hard-coded Credentials
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain full access to the vulnerable system.
The vulnerability exists due to the presence of hard-coded credentials in application code. A remote unauthenticated attacker can access the affected system using the hard-coded credentials and read files on the target system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Valleylab FX8 Energy Platform: 1.1.0
Valleylab FT10 Energy Platform: 4.0.0
Valleylab Exchange Client: 3.4
External links: http://www.us-cert.gov/ics/advisories/icsma-19-311-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU22639
Risk: Low
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13539
CWE-ID: N/A
Exploit availability: No
Description:
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Valleylab FX8 Energy Platform: 1.1.0
Valleylab Exchange Client: 3.4
Valleylab FT10 Energy Platform: 4.0.0
External links: http://www.us-cert.gov/ics/advisories/icsma-19-311-02
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.