CVE-2019-13539 - OpenCVE

Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Medtronic	Valleylab Exchange Client Valleylab Ft10 Energy Platform Valleylab Ft10 Energy Platform Firmware Valleylab Fx8 Energy Platform Valleylab Fx8 Energy Platform Firmware

Configuration 1 [-]

cpe:2.3:a:medtronic:valleylab_exchange_client:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:medtronic:valleylab_ft10_energy_platform_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:valleylab_ft10_energy_platform:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:medtronic:valleylab_fx8_energy_platform_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:valleylab_fx8_energy_platform:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.us-cert.gov/ics/advisories/icsma-19-311-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2019-11-08T19:07:59

Updated: 2024-08-04T23:57:39.467Z

Reserved: 2019-07-11T00:00:00

Link: CVE-2019-13539

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-11-08T20:15:10.743

Modified: 2020-10-09T13:11:28.173

Link: CVE-2019-13539

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Valleylab Exchange Client", "vendor": "Medtronic", "versions": [{"status": "affected", "version": "version 3.4 and below"}]}, {"product": "Valleylab FT10 Energy Platform (VLFT10GEN)", "vendor": "Medtronic", "versions": [{"status": "affected", "version": "software version 4.0.0 and below"}]}, {"product": "Valleylab FX8 Energy Platform (VLFX8GEN)", "vendor": "Medtronic", "versions": [{"status": "affected", "version": "software version 1.1.0 and below"}]}], "descriptions": [{"lang": "en", "value": "Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-328", "description": "REVERSIBLE ONE-WAY HASH CWE-328", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-11-08T19:07:59", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2019-13539", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Valleylab Exchange Client", "version": {"version_data": [{"version_value": "version 3.4 and below"}]}}, {"product_name": "Valleylab FT10 Energy Platform (VLFT10GEN)", "version": {"version_data": [{"version_value": "software version 4.0.0 and below"}]}}, {"product_name": "Valleylab FX8 Energy Platform (VLFX8GEN)", "version": {"version_data": [{"version_value": "software version 1.1.0 and below"}]}}]}, "vendor_name": "Medtronic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "REVERSIBLE ONE-WAY HASH CWE-328"}]}]}, "references": {"reference_data": [{"name": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:57:39.467Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2019-13539", "datePublished": "2019-11-08T19:07:59", "dateReserved": "2019-07-11T00:00:00", "dateUpdated": "2024-08-04T23:57:39.467Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:medtronic:valleylab_exchange_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "B346570A-3BF0-4BD6-912D-1754DFA49264", "versionEndIncluding": "3.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:valleylab_ft10_energy_platform_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9428AFA2-E198-41FE-A129-DD51D48CFAD3", "versionEndIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:valleylab_ft10_energy_platform:-:*:*:*:*:*:*:*", "matchCriteriaId": "164230CB-E2BF-447F-8537-C9401FA0CC09", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:valleylab_fx8_energy_platform_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DEAA803B-F89B-4D2A-820B-9F337778AE70", "versionEndIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:valleylab_fx8_energy_platform:-:*:*:*:*:*:*:*", "matchCriteriaId": "E18B428C-13F4-458C-A0A2-13FA801C9FFC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes."}, {"lang": "es", "value": "Medtronic Valleylab Exchange Client versi\u00f3n 3.4 y anteriores, Valleylab FT10 Energy Platform (VLFT10GEN) versi\u00f3n de software 4.0.0 y anteriores, y Valleylab FX8 Energy Platform (VLFX8GEN) versi\u00f3n 1.1.0 y anteriores, utilizan el algoritmo de descifrado para el hash de contrase\u00f1a del sistema operativo. Si bien los inicios de sesi\u00f3n interactivos basados ??en la red est\u00e1n deshabilitados, y los atacantes pueden usar las otras vulnerabilidades dentro de este reporte para obtener acceso de shell local y acceder a estos hashes."}], "id": "CVE-2019-13539", "lastModified": "2020-10-09T13:11:28.173", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-08T20:15:10.743", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-326"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-328"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}