CVE-2019-13543 - OpenCVE

Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Medtronic	Valleylab Fx8 Energy Platform Firmware Valleylab Ft10 Energy Platform Valleylab Exchange Client Valleylab Fx8 Energy Platform Valleylab Ft10 Energy Platform Firmware

Configuration 1 [-]

cpe:2.3:a:medtronic:valleylab_exchange_client:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:medtronic:valleylab_ft10_energy_platform_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:valleylab_ft10_energy_platform:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:medtronic:valleylab_fx8_energy_platform_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:valleylab_fx8_energy_platform:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.us-cert.gov/ics/advisories/icsma-19-311-02	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2019-11-08T19:03:51

Updated: 2019-11-08T19:03:51

Reserved: 2019-07-11T00:00:00

Link: CVE-2019-13543

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-11-08T20:15:10.853

Modified: 2019-11-13T21:07:34.660

Link: CVE-2019-13543

JSON object: View

Redhat Information

No data.

CWE

CWE-798

{"containers": {"cna": {"affected": [{"product": "Valleylab Exchange Client", "vendor": "Medtronic", "versions": [{"status": "affected", "version": "version 3.4 and below"}]}, {"product": "Valleylab FT10 Energy Platform (VLFT10GEN)", "vendor": "Medtronic", "versions": [{"status": "affected", "version": "software version 4.0.0 and below"}]}, {"product": "Valleylab FX8 Energy Platform (VLFX8GEN)", "vendor": "Medtronic", "versions": [{"status": "affected", "version": "software version 1.1.0 and below"}]}], "descriptions": [{"lang": "en", "value": "Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "USE OF HARD-CODED CREDENTIALS CWE-798", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-11-08T19:03:51", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2019-13543", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Valleylab Exchange Client", "version": {"version_data": [{"version_value": "version 3.4 and below"}]}}, {"product_name": "Valleylab FT10 Energy Platform (VLFT10GEN)", "version": {"version_data": [{"version_value": "software version 4.0.0 and below"}]}}, {"product_name": "Valleylab FX8 Energy Platform (VLFX8GEN)", "version": {"version_data": [{"version_value": "software version 1.1.0 and below"}]}}]}, "vendor_name": "Medtronic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "USE OF HARD-CODED CREDENTIALS CWE-798"}]}]}, "references": {"reference_data": [{"name": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2019-13543", "datePublished": "2019-11-08T19:03:51", "dateReserved": "2019-07-11T00:00:00", "dateUpdated": "2019-11-08T19:03:51", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:medtronic:valleylab_exchange_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "B346570A-3BF0-4BD6-912D-1754DFA49264", "versionEndIncluding": "3.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:valleylab_ft10_energy_platform_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9428AFA2-E198-41FE-A129-DD51D48CFAD3", "versionEndIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:valleylab_ft10_energy_platform:-:*:*:*:*:*:*:*", "matchCriteriaId": "164230CB-E2BF-447F-8537-C9401FA0CC09", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:valleylab_fx8_energy_platform_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DEAA803B-F89B-4D2A-820B-9F337778AE70", "versionEndIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:valleylab_fx8_energy_platform:-:*:*:*:*:*:*:*", "matchCriteriaId": "E18B428C-13F4-458C-A0A2-13FA801C9FFC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device."}, {"lang": "es", "value": "Medtronic Valleylab Exchange Client versi\u00f3n 3.4 y anteriores, Valleylab FT10 Energy Platform (VLFT10GEN) versi\u00f3n de software 4.0.0 y anteriores, y Valleylab FX8 Energy Platform (VLFX8GEN) versi\u00f3n 1.1.0 y anteriores, utilizan m\u00faltiples conjuntos de credenciales embebidas. Si se descubren, se pueden utilizar para leer archivos en el dispositivo."}], "id": "CVE-2019-13543", "lastModified": "2019-11-13T21:07:34.660", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-08T20:15:10.853", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}