Security bulletins
Valleylab™ FX8 electrosurgical generator DDS vulnerability
Get information about a security vulnerability in our Valleylab™ FX8 electrosurgical generator DDS and a software update to address this.
June 9, 2022
The Valleylab™ FX8 energy platform is used in operating rooms to power energy devices that assist healthcare providers during surgical procedures. The FX8 has a Covidien label on the top of the generator, as Covidien is owned by Medtronic.
Through routine monitoring, Medtronic identified security vulnerabilities in the Data Distribution Service (DDS) software component used in the Medtronic Valleylab™ FX8 energy platform (software versions prior to 1.1.2). These vulnerabilities could allow an unauthorized individual, either through a network connection or through physical access to the device, to cause the generator to stop functioning. If these vulnerabilities were exploited, the FX8 display would show the “Fail Safe” mode and indicate that the generator is inoperable.
To date, no cyberattack, no unauthorized access to patient data, and no harm to patients has been observed with these vulnerabilities.
Medtronic recommends that healthcare providers continue to use these devices as intended.
Customers should upgrade the Valleylab™ FX8 to the latest software release, version 1.1.2, which addresses these vulnerabilities. This software update is currently available.
These vulnerabilities are exploitable if the devices are connected to a network. The FX8 cannot be connected to a network during clinical use and is only connected to a network when actively undergoing system updates or servicing. Therefore, there are no intraoperative safety risks to the patient. Potential patient risk is limited to a minor delay of treatment prior to initiation of the surgical procedure while obtaining another device. The following items are actions that a healthcare delivery organization can take to mitigate the risk of these vulnerabilities:
- This software update should be applied during servicing, in line with how organizations regularly maintain their FX8 generators. This may be done by the hospital’s biomedical engineering team, by a Medtronic sales or service representative, or by sending the device to a Medtronic service center.
- Devices can continue to be used until the software update is completed. Customers with multiple Valleylab™ generators will need to update each system individually.
- Customers should contact their local sales representative for additional information.
If you suspect a security issue has occurred with your device, please contact Medtronic at rs.assurancequality@medtronic.com.
If you have other product security questions, please contact the Medtronic Product Security Office at security@medtronic.com.
The exposed vulnerability is a memory corruption that can be triggered by sending a malformed network packet to the running DDS application, which requires a network connection to the target node. An attack could result in the device becoming inoperable. The vulnerability has a CVSS 3.0 score of 5.3 and affects all FX8 software versions prior to 1.1.2. The score of 5.3 is the unmitigated score before the patch is applied. The CVE number is CVE-2021-43547.