CVE-2019-13543 (GCVE-0-2019-13543)
Vulnerability from cvelistv5
Published
2019-11-08 19:03
Modified
2025-05-22 19:03
Severity ?
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CWE
  • CWE-798 - Use of Hard-coded Credentials
Summary
Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device.
References
Impacted products
Vendor Product Version
Medtronic Valleylab Exchange Client Version: 0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:57:39.230Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Valleylab Exchange Client",
          "vendor": "Medtronic",
          "versions": [
            {
              "lessThanOrEqual": "3.4",
              "status": "affected",
              "version": "0",
              "versionType": "c"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Valleylab FT10 Energy Platform (VLFT10GEN)",
          "vendor": "Medtronic",
          "versions": [
            {
              "lessThanOrEqual": "software version 4.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Valleylab FX8 Energy Platform (VLFX8GEN)",
          "vendor": "Medtronic",
          "versions": [
            {
              "lessThanOrEqual": "software version 1.1.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Medtronic reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMedtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device.\u003c/p\u003e"
            }
          ],
          "value": "Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798 Use of Hard-coded Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-22T19:03:49.976Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-311-02"
        },
        {
          "url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/valleylab-generator-rfid-vulnerabilities.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSoftware patches are currently available for the FT10 platform and will be available in early 2020 for the FX8 platform. Until these updates can be applied, Medtronic recommends to either disconnect affected products from IP networks or to segregate those networks, such that the devices are not accessible from an untrusted network (e.g., Internet). Patches can be downloaded at the following location:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/covidien/en-us/support/software.html\"\u003ehttps://www.medtronic.com/covidien/en-us/support/software.html\u003c/a\u003e\u003c/p\u003e\u003cp\u003eMedtronic has released additional patient focused information, at the following location:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003ehttps://www.medtronic.com/security\u003c/a\u003e\u003c/p\u003e"
            }
          ],
          "value": "Software patches are currently available for the FT10 platform and will be available in early 2020 for the FX8 platform. Until these updates can be applied, Medtronic recommends to either disconnect affected products from IP networks or to segregate those networks, such that the devices are not accessible from an untrusted network (e.g., Internet). Patches can be downloaded at the following location:\n\n https://www.medtronic.com/covidien/en-us/support/software.html \n\nMedtronic has released additional patient focused information, at the following location:\n\n https://www.medtronic.com/security"
        }
      ],
      "source": {
        "advisory": "ICSMA-19-311-02",
        "discovery": "INTERNAL"
      },
      "title": "Medtronic Valleylab FT10 and FX8 Use of Hard-coded Credentials",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2019-13543",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Valleylab Exchange Client",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "version 3.4 and below"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Valleylab FT10 Energy Platform (VLFT10GEN)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "software version 4.0.0 and below"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Valleylab FX8 Energy Platform (VLFX8GEN)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "software version 1.1.0 and below"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Medtronic"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "USE OF HARD-CODED CREDENTIALS CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2019-13543",
    "datePublished": "2019-11-08T19:03:51",
    "dateReserved": "2019-07-11T00:00:00",
    "dateUpdated": "2025-05-22T19:03:49.976Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-13543\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2019-11-08T20:15:10.853\",\"lastModified\":\"2025-05-22T19:15:23.257\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device.\"},{\"lang\":\"es\",\"value\":\"Medtronic Valleylab Exchange Client versi\u00f3n 3.4 y anteriores, Valleylab FT10 Energy Platform (VLFT10GEN) versi\u00f3n de software 4.0.0 y anteriores, y Valleylab FX8 Energy Platform (VLFX8GEN) versi\u00f3n 1.1.0 y anteriores, utilizan m\u00faltiples conjuntos de credenciales embebidas. Si se descubren, se pueden utilizar para leer archivos en el dispositivo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:medtronic:valleylab_exchange_client:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.4\",\"matchCriteriaId\":\"B346570A-3BF0-4BD6-912D-1754DFA49264\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:medtronic:valleylab_ft10_energy_platform_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.0.0\",\"matchCriteriaId\":\"9428AFA2-E198-41FE-A129-DD51D48CFAD3\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:medtronic:valleylab_ft10_energy_platform:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"164230CB-E2BF-447F-8537-C9401FA0CC09\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:medtronic:valleylab_fx8_energy_platform_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.1.0\",\"matchCriteriaId\":\"DEAA803B-F89B-4D2A-820B-9F337778AE70\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:medtronic:valleylab_fx8_energy_platform:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E18B428C-13F4-458C-A0A2-13FA801C9FFC\"}]}]}],\"references\":[{\"url\":\"https://global.medtronic.com/xg-en/product-security/security-bulletins/valleylab-generator-rfid-vulnerabilities.html\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-311-02\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.us-cert.gov/ics/advisories/icsma-19-311-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.