US-CERT Warns of Critical Flaws in Medtronic Equipment (Nov 13, 2019)
The United States Computer Emergency Readiness Team (US-CERT) has issued a warning about security flaws in Medtronic medical equipment used by surgeons during operations. The equipment, Valleylab FT10 and FX8 electrosurgical generators, has four reported flaws, two of which (“CVE-2019-3464” and “CVE-2019-3463”) are rated critical in severity. Vulnerable devices often have a remote management utility enabled, and using an unpatched version could give a malicious actor administrative access with the ability to execute code. The other two flaws (“CVE-2019-13539” and “CVE-2019-13543”) are caused by reversible password hashes and hard-coded credentials. Patches are available for Valleylab FT10, with the FX8 patches available in early 2020, according to Medtronic. The equipment is used exclusively in hospitals, which means locating vulnerable equipment for patching should be less difficult than it is for more commonly used medical equipment.
Recommendation: It is important that your company has patch-maintenance policies in place. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.