US-CERT warns of critical flaws in Medtronic equipment

The United States Computer Emergency Readiness Team (US-CERT) has issued another warning about security flaws in medical equipment made by Medtronic.

The problem this time is in the Valleylab FT10 (v4.0.0 and below) and Valleylab FX8 (v1.1.0 and below), electrosurgical generators used by surgeons for procedures such as cauterisation during operations.

That’s the good news – the equipment is used by hospitals which means locating the equipment and mitigating or patching the vulnerabilities should be relatively straightforward compared to medical equipment being used by thousands of consumers.

Less positively, two of the flaws – CVE-2019-3464, and CVE-2019-3463 – are severe enough to earn a CVSS rating of 9.8, which makes them critical.

The latter vulnerability is in the restricted shell (rssh) utility that allows file uploads to the Valleylab units. On an unpatched version, this could give an attacker admin access and the ability to execute code.

According to the alert, the network access necessary for this to happen is often enabled, presumably for remote management, which gives attackers a way of reaching vulnerable devices.

A third flaw, CVE-2019-13539, is caused by insecure (i.e. reversible) password hashes, generated by descrypt, which can be pulled from the device thanks to the other vulnerabilities mentioned in the warning.
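The practical lesson from that third flaw is that the hash format a device stores is itself something to audit. Traditional DES crypt (descrypt) truncates passwords to eight characters, uses a 12-bit salt and only 25 DES rounds, so hashes in that format are cheap to brute-force offline once obtained. As an added example, not from the article, from US-CERT or from Medtronic, the Python below walks a shadow-style file and flags accounts whose stored hash should be re-hashed under a modern scheme. The rating table, the minimum-rounds thresholds, and the sample entries (with made-up hash strings) are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# crypt(3)-style prefixes and how a defender should rate them today
# (this rating table is the example's own assumption).
# Traditional DES crypt ("descrypt", the scheme named in the advisory) has no
# prefix at all: a 2-character salt followed by 11 hash characters, 13 in total.
SCHEMES = {
    "$y$": ("yescrypt", "ok"),
    "$7$": ("scrypt", "ok"),
    "$2b$": ("bcrypt", "ok"),
    "$2y$": ("bcrypt", "ok"),
    "$2a$": ("bcrypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$1$": ("md5crypt", "weak"),
}
DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Below these iteration counts the scheme is configured weaker than its default.
MIN_ROUNDS = {"sha512crypt": 5000, "sha256crypt": 5000}


@dataclass
class Finding:
    user: str
    scheme: str
    verdict: str  # "ok", "weak", "locked" or "unknown"
    reason: str


def classify_hash(field: str):
    """Return (scheme, verdict, reason) for one password field."""
    if field == "":
        return "none", "weak", "empty password field: login needs no password"
    if field.startswith(("!", "*")):
        return "none", "locked", "account locked or password login disabled"
    for prefix, (name, verdict) in SCHEMES.items():
        if field.startswith(prefix):
            # Optional explicit iteration count, e.g. $6$rounds=1000$salt$hash
            m = re.match(r"^\$[^$]+\$rounds=(\d+)\$", field)
            if m and int(m.group(1)) < MIN_ROUNDS.get(name, 0):
                return name, "weak", f"{name} configured with only {m.group(1)} rounds"
            return name, verdict, f"{name}: {'acceptable' if verdict == 'ok' else 'obsolete'}"
    if DESCRYPT_RE.match(field):
        return ("descrypt", "weak",
                "traditional DES crypt: passwords truncated to 8 chars, 12-bit salt, "
                "25 DES rounds; cheap to brute-force offline")
    return "unknown", "unknown", "unrecognised hash format"


def audit_shadow(text: str):
    """Classify every user:hash:... line of a shadow-style file."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        scheme, verdict, reason = classify_hash(parts[1])
        findings.append(Finding(parts[0], scheme, verdict, reason))
    return findings


def weak_accounts(text: str):
    """Usernames whose stored hash a defender should force a re-hash for."""
    return [f.user for f in audit_shadow(text) if f.verdict == "weak"]


# Constructed sample entries; the hash strings are made up, not real credentials.
SAMPLE = """\
root:$6$YpXe1K3s$QWYcjoYAfxMTb2uvBSBHYNlOPhRNDaGBPksEi9gZi2tGkyVc8TqpyVVwQGnWLcEmhO1JzI2SrYnbRtWIUyUOp0:18500:0:99999:7:::
service:abJnggxhB/yWI:18500:0:99999:7:::
legacy:$1$saltsalt$Z9gDW0jDMHj7CDuZNDHFr0:18500:0:99999:7:::
lowrounds:$6$rounds=1000$abcdefgh$Fh3kQm9Lp2vXzYtW:18500:0:99999:7:::
daemon:*:18500:0:99999:7:::
guest::18500:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE):
        print(f"{f.user:<10} {f.scheme:<12} {f.verdict:<8} {f.reason}")
```

Run as-is it reports the constructed `service` entry as descrypt, the `legacy` entry as obsolete md5crypt, the `lowrounds` entry as sha512crypt with too few rounds, and the empty `guest` field; the same classifier can be pointed at a firmware image's extracted password store during a device review.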

The fourth flaw, CVE-2019-13543, which affects the Medtronic Valleylab Exchange Client version 3.4 and below, is caused by hard-coded credentials.

Currently, patches are available for Valleylab FT10, while the FX8 will receive the same in “early 2020”. In the meantime:

Medtronic recommends to either disconnect affected products from IP networks or to segregate those networks, such that the devices are not accessible from an untrusted network (e.g., Internet).

It’s not clear who discovered the latest flaws, although US-CERT notes that they were reported to it by Medtronic itself.

If so, that’s a step in the right direction after past alerts discovered by independent researchers who sometimes struggled to get the attention of the company.

Medtronic has suffered a number of security problems in its products in the last couple of years, including a brace of flaws in its Implantable Cardioverter Defibrillators (ICDs) in March, and in its pacemakers in 2018.

The last of those was a low point for medical equipment patching after researchers used a session at the Black Hat show to highlight that the equipment was vulnerable to a security flaw 18 months after the company was told of the issue.

Back in 2011, researcher Barnaby Jack demonstrated a proof-of-concept against a Medtronic insulin pump which he claimed could have been exploited to deliver a fatal dose to a patient.

Even though things have changed a lot since then, vulnerabilities continue to emerge at regular intervals. Cleaning up the mistakes of past security coding has a way to go yet.