Details of VAR-201911-1205

ID

VAR-201911-1205

CVE

CVE-2019-13539

TITLE

plural Medtronic Valleylab Vulnerability related to input validation in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-011886

DESCRIPTION

Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes. Medtronic Valleylab FT10 and Valleylab FX8 are both a power supply device for the medical industry from Medtronic

Trust: 2.34

sources: NVD: CVE-2019-13539 // JVNDB: JVNDB-2019-011886 // CNVD: CNVD-2019-41424 // IVD: a983492d-dc48-4e04-9cd7-e50f961e4f75

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: a983492d-dc48-4e04-9cd7-e50f961e4f75 // CNVD: CNVD-2019-41424

AFFECTED PRODUCTS

vendor:	medtronic	model:	valleylab exchange client	scope:	lte	version:	3.4	Trust: 1.8
vendor:	medtronic	model:	valleylab ft10 energy platform	scope:	lte	version:	4.0.0	Trust: 1.8
vendor:	medtronic	model:	valleylab fx8 energy platform	scope:	lte	version:	1.1.0	Trust: 1.8
vendor:	medtronic	model:	valleylab exchange	scope:	lte	version:	<=3.4	Trust: 0.6
vendor:	medtronic	model:	valleylab ft10	scope:	lte	version:	<=4.0.0	Trust: 0.6
vendor:	medtronic	model:	valleylab fx8	scope:	lte	version:	<=1.1.0	Trust: 0.6
vendor:	valleylab exchange client	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	valleylab ft10 energy platform	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	valleylab fx8 energy platform	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: a983492d-dc48-4e04-9cd7-e50f961e4f75 // CNVD: CNVD-2019-41424 // JVNDB: JVNDB-2019-011886 // NVD: CVE-2019-13539

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-13539
value:	HIGH
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2019-13539
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-13539
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-41424
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201911-432
value:	HIGH
Trust: 0.6
IVD:	a983492d-dc48-4e04-9cd7-e50f961e4f75
value:	HIGH
Trust: 0.2

nvd@nist.gov:	CVE-2019-13539
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-41424
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	a983492d-dc48-4e04-9cd7-e50f961e4f75
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-13539
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2019-13539
baseSeverity:	HIGH
baseScore:	7.0
vectorString:	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.0
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-13539
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: a983492d-dc48-4e04-9cd7-e50f961e4f75 // CNVD: CNVD-2019-41424 // JVNDB: JVNDB-2019-011886 // CNNVD: CNNVD-201911-432 // NVD: CVE-2019-13539 // NVD: CVE-2019-13539

PROBLEMTYPE DATA

problemtype:	CWE-328	Trust: 1.0
problemtype:	CWE-326	Trust: 1.0
problemtype:	CWE-20	Trust: 0.8

sources: JVNDB: JVNDB-2019-011886 // NVD: CVE-2019-13539

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201911-432

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201911-432

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011886

PATCH

title:	Top Page	url:	https://www.medtronic.com/us-en/index.html	Trust: 0.8
title:	Patch for Valleylab FT10 and Valleylab FX8 Input Validation Error Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/191117	Trust: 0.6
title:	Medtronic Valleylab FT10 Enter the fix for the verification error vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=102695	Trust: 0.6

sources: CNVD: CNVD-2019-41424 // JVNDB: JVNDB-2019-011886 // CNNVD: CNNVD-201911-432

EXTERNAL IDS

db:	NVD	id:	CVE-2019-13539	Trust: 3.2
db:	ICS CERT	id:	ICSMA-19-311-02	Trust: 3.0
db:	CNVD	id:	CNVD-2019-41424	Trust: 0.8
db:	CNNVD	id:	CNNVD-201911-432	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-011886	Trust: 0.8
db:	AUSCERT	id:	ESB-2019.4211	Trust: 0.6
db:	IVD	id:	A983492D-DC48-4E04-9CD7-E50F961E4F75	Trust: 0.2

sources: IVD: a983492d-dc48-4e04-9cd7-e50f961e4f75 // CNVD: CNVD-2019-41424 // JVNDB: JVNDB-2019-011886 // CNNVD: CNNVD-201911-432 // NVD: CVE-2019-13539

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsma-19-311-02	Trust: 3.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-13539	Trust: 1.4
url:	https://global.medtronic.com/xg-en/product-security/security-bulletins/valleylab-generator-rfid-vulnerabilities.html	Trust: 1.0
url:	https://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-311-02	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13539	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2019.4211/	Trust: 0.6

sources: CNVD: CNVD-2019-41424 // JVNDB: JVNDB-2019-011886 // CNNVD: CNNVD-201911-432 // NVD: CVE-2019-13539

SOURCES

db:	IVD	id:	a983492d-dc48-4e04-9cd7-e50f961e4f75
db:	CNVD	id:	CNVD-2019-41424
db:	JVNDB	id:	JVNDB-2019-011886
db:	CNNVD	id:	CNNVD-201911-432
db:	NVD	id:	CVE-2019-13539

LAST UPDATE DATE

2025-05-23T23:05:13.354000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-41424	date:	2019-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-011886	date:	2019-11-20T00:00:00
db:	CNNVD	id:	CNNVD-201911-432	date:	2020-10-10T00:00:00
db:	NVD	id:	CVE-2019-13539	date:	2025-05-22T19:15:23.083

SOURCES RELEASE DATE

db:	IVD	id:	a983492d-dc48-4e04-9cd7-e50f961e4f75	date:	2019-11-20T00:00:00
db:	CNVD	id:	CNVD-2019-41424	date:	2019-11-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-011886	date:	2019-11-20T00:00:00
db:	CNNVD	id:	CNNVD-201911-432	date:	2019-11-07T00:00:00
db:	NVD	id:	CVE-2019-13539	date:	2019-11-08T20:15:10.743