CVE-2019-13539

low-risk

Published 2019-11-08

Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.

Do I need to act?

0.21% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.0/10 High

LOCAL / HIGH complexity

Affected Products (3)

Valleylab Exchange Client

Valleylab Ft10 Energy Platform Firmware

Valleylab Fx8 Energy Platform Firmware

Affected Vendors

Medtronic

References (3)

https://global.medtronic.com/xg-en/product-security/security-bulletins/valleylab...

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-311-02

Third Party Advisory https://www.us-cert.gov/ics/advisories/icsma-19-311-02

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 9/34 · Low