Valleylab™ FT10 energy platform DDS vulnerability
Get information about a security vulnerability in our Valleylab™ FT10 energy platform DDS and steps to mitigate the risks.
Original post date: June 9, 2022
Updated on July 11, 2023: The mitigation section has been changed to reflect that a software update is now available.
The Valleylab™ FT10 energy platform is used in operating rooms to power energy devices that assist healthcare providers (1) during surgical procedures. The FT10 has a Covidien label on the top of the generator, as Covidien is owned by Medtronic.
Through routine monitoring, Medtronic identified security vulnerabilities (2) in the Data Distribution Service (DDS) software component used in the Medtronic Valleylab™ FT10 energy platform (all previous software versions). These vulnerabilities could allow an unauthorized individual, either through a network connection or through physical access to the device, to cause the generator to stop functioning. If these vulnerabilities were to be exploited (3), the FT10 display would show the “Fail Safe” mode and indicate that the generator is inoperable.
To date, no patient harm, cyberattack or data breach involving a Medtronic product has been observed or associated with this vulnerability.
Medtronic recommends that healthcare providers continue to use these devices as intended.
These vulnerabilities are exploitable only if the devices are connected to a network. The FT10 cannot be connected to a network during clinical use and is only connected to a network when actively undergoing system updates or servicing. Therefore, there are no intraoperative safety risks to the patient. Potential patient risk is limited to a minor delay of treatment prior to initiation of the surgical procedure while obtaining another device.
A software update to address this vulnerability is available as of July 2023. The software update should be applied at the time of servicing to align with how organizations regularly have their FT10 generators maintained. This may be through the hospital’s biomedical engineering team, Medtronic sales or service representative, or by sending the device to a Medtronic service center. Devices can continue to be used until the software update is available. Customers with multiple Valleylab™ generators will need to update each system individually.
In the meantime, the following items are actions that a healthcare organization can take to mitigate the risk of these vulnerabilities:
Customers should contact their local sales representative for additional information.
If you suspect a security issue has occurred with this device or have questions about the future update, please contact Medtronic at rs.assurancequality@medtronic.com.
If you have other product security questions, please contact the Medtronic Product Security Office at security@medtronic.com.
The exposed vulnerability is a memory corruption that can be triggered by sending a malformed network packet to the running DDS application, which requires a network connection to the target node. An attack could result in the device becoming inoperable. As implemented in the FT10 with the previous software versions, this has a CVSS 3.0 score of 5.3; the score of 5.3 is the unmitigated score before the patch is applied. The CVE number is CVE-2021-43547.