History: Nov 08, 2019 - 8:15 p.m.

CVE-2019-13539

2019-11-08 20:15:10
CWE-326
CWE-328
icscert
web.nvd.nist.gov
96
medtronic
valleylab exchange client
valleylab ft10 energy platform
vlft10gen
valleylab fx8 energy platform
vlfx8gen
cve-2019-13539
vulnerability
os password hashing
local shell access
nvd

CVSS2: 7.2

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 7.8

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.7
Confidence: High

EPSS: 0
Percentile: 10.4%

Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. Although interactive, network-based logons are disabled, attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.

Affected configurations

Nvd

Node
  medtronic valleylab_exchange_client, Range 3.4
Node
  medtronic valleylab_ft10_energy_platform_firmware, Range 4.0.0
  AND
  medtronic valleylab_ft10_energy_platform, Match -
Node
  medtronic valleylab_fx8_energy_platform_firmware, Range 1.1.0
  AND
  medtronic valleylab_fx8_energy_platform, Match -

Vendor | Product | Version | CPE
medtronic | valleylab_exchange_client | * | cpe:2.3:a:medtronic:valleylab_exchange_client:*:*:*:*:*:*:*:*
medtronic | valleylab_ft10_energy_platform_firmware | * | cpe:2.3:o:medtronic:valleylab_ft10_energy_platform_firmware:*:*:*:*:*:*:*:*
medtronic | valleylab_ft10_energy_platform | - | cpe:2.3:h:medtronic:valleylab_ft10_energy_platform:-:*:*:*:*:*:*:*
medtronic | valleylab_fx8_energy_platform_firmware | * | cpe:2.3:o:medtronic:valleylab_fx8_energy_platform_firmware:*:*:*:*:*:*:*:*
medtronic | valleylab_fx8_energy_platform | - | cpe:2.3:h:medtronic:valleylab_fx8_energy_platform:-:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Valleylab Exchange Client",
    "vendor": "Medtronic",
    "versions": [
      {
        "status": "affected",
        "version": "version 3.4 and below"
      }
    ]
  },
  {
    "product": "Valleylab FT10 Energy Platform (VLFT10GEN)",
    "vendor": "Medtronic",
    "versions": [
      {
        "status": "affected",
        "version": "software version 4.0.0 and below"
      }
    ]
  },
  {
    "product": "Valleylab FX8 Energy Platform (VLFX8GEN)",
    "vendor": "Medtronic",
    "versions": [
      {
        "status": "affected",
        "version": "software version 1.1.0 and below"
      }
    ]
  }
]
