#VU22639 Reversible One-Way Hash


Published: 2019-11-11

Vulnerability identifier: #VU22639

Vulnerability risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13539

CWE-ID: N/A

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Valleylab FX8 Energy Platform
Hardware solutions / Other hardware appliances
Valleylab FT10 Energy Platform
Hardware solutions / Other hardware appliances
Valleylab Exchange Client
Client/Desktop applications / Other client software

Vendor: Medtronic

Description

The vulnerability allows a local user to bypass authentication on the target system.

The vulnerability exists because the affected products use the descrypt algorithm for OS password hashing. While interactive, network-based logins are disabled, a local user can use other vulnerabilities to obtain local shell access and access these hashes.
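
A check for this class of weakness, as an added example that is not part of the original advisory or any vendor code: it classifies the password field of shadow-format entries and reports accounts whose stored hash is DES-based crypt(3). The sample entries are constructed placeholders rather than real hashes, and the use of a standard shadow file layout is an assumption.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars, no "$" prefix.
DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# BSDi extended DES: "_" + 4 iteration-count chars + 4 salt chars + 11 hash chars.
BSDICRYPT_RE = re.compile(r"^_[./0-9A-Za-z]{19}$")
# Common modular-crypt identifiers ("$id$...").
MODULAR = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
DES_BASED = {"descrypt", "bsdicrypt"}

def classify(field):
    """Return the hashing scheme of a shadow password field."""
    if field == "":
        return "no-password"
    body = field.lstrip("!")  # a "!" prefix locks the account but keeps the hash
    if body in ("", "*"):
        return "locked"
    if body.startswith("$"):
        return MODULAR.get(body.split("$")[1], "unknown")
    if DESCRYPT_RE.match(body):
        return "descrypt"
    if BSDICRYPT_RE.match(body):
        return "bsdicrypt"
    return "unknown"

def audit(shadow_text):
    """List (user, scheme) for every entry that stores a DES-based hash."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        scheme = classify(fields[1])
        if scheme in DES_BASED:
            findings.append((fields[0], scheme))
    return findings

# Constructed sample input (placeholder strings, not real password hashes).
SAMPLE_SHADOW = "\n".join([
    "root:ab0123456789A:18000:0:99999:7:::",
    "service:!cd0123456789B:18000:0:99999:7:::",
    "operator:$6$constructedsalt$" + "A" * 86 + ":18000:0:99999:7:::",
    "daemon:*:18000:0:99999:7:::",
])

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE_SHADOW):
        print(f"{user}: {scheme} hash stored, rehash with a modern scheme")
```

A locked account is still reported when its field holds a DES-based hash, because the hash remains readable to anyone who obtains the file.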

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Valleylab FX8 Energy Platform: 1.1.0

Valleylab Exchange Client: 3.4

Valleylab FT10 Energy Platform: 4.0.0


External links
http://www.us-cert.gov/ics/advisories/icsma-19-311-02


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

