Valleylab™ FX8 Electrosurgical Generator DDS Vulnerability Security Bulletin

June 9, 2022

Impacted Product

Valleylab FX8 product images

The Valleylab™ FX8 energy platform is used in operating rooms to power energy devices that assist healthcare providers[1] during surgical procedures. The FX8 has a Covidien label on the top of the generator, as Covidien is owned by Medtronic.

Covidien FX8 label

Vulnerability Summary

Through routine monitoring, Medtronic identified security vulnerabilities[2] in the Data Distribution Service (DDS) software component used in Medtronic’s Valleylab FX8 energy platform (versions prior to 1.1.2). These vulnerabilities could allow an unauthorized individual, either through a network connection or through physical access to the device, to cause the generator to not function. If these vulnerabilities were to be exploited[3], the FX8 display would show the “Fail Safe” mode and indicate that the generator is inoperable.

To date, no cyberattack, no unauthorized access to patient data, and no harm to patients has been observed with these vulnerabilities.

Medtronic recommends that healthcare providers continue to use these devices as intended.

Mitigation

Customers should upgrade the Valleylab™ FX8 with the latest software release version 1.1.2 which addresses this vulnerability. This software update is currently available.

These vulnerabilities are exploitable if the devices are connected to a network. The FX8 cannot be connected to a network during clinical use and is only connected to a network when actively undergoing system updates or servicing. Therefore, there are no intraoperative safety risks to the patient. Potential patient risk is limited to a minor delay of treatment prior to initiation of a surgical procedure while obtaining another device. The following items are actions that a healthcare delivery organization can take to mitigate the risk of these vulnerabilities:

  • When connecting these devices to a network for system updates or servicing, ensure the network is secure. 
  • Maintain good physical security controls around the product to prevent unintended access by an unauthorized user.

This software update should be applied during servicing to align with how organizations regularly maintain their FX8 generators. This may be through the hospital’s biomedical engineering team, a Medtronic sales or service representative, or by sending the device to a Medtronic service center.

Only connect the FX8 to the service laptop when updating the FX8. The FX8 should never be connected to any other system or network. When not in use, the FX8 should be disconnected and powered off. Ensure the service laptop is secure. Ensure the service laptop is connected to a secure local network.

Devices can continue to be used until the software update is completed. Customers with multiple Valleylab™ generators will need to update each system individually.

Customers should contact their local sales representative for additional information.

If you suspect a security issue has occurred with your device, please contact Medtronic at rs.assurancequality@medtronic.com.

If you have other product security questions, please contact Medtronic’s Product Security Office at security@medtronic.com.

Additional technical details

The exposed vulnerability is a memory corruption that can be triggered by sending a malformed network packet to the running DDS application, which requires a network connection to the target node. An attack could result in the device becoming inoperable. This has a CVSS 3.0 score of 5.3 for all versions of FX8 software prior to 1.1.2. The score of 5.3 is the unmitigated score before the patch is applied. The CVE number is CVE-2021-43547.
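Because each generator must be updated individually, a biomedical team needs to know which units are still below 1.1.2. The following triage script is an added example (not Medtronic tooling) that applies the bulletin's "prior to 1.1.2" condition to a constructed FX8 inventory; the inventory fields and version strings are assumptions, and it compares versions numerically so that a release such as 1.1.10 is not mistaken for an old one.

```python
import re
from typing import NamedTuple

# Values taken from the bulletin: FX8 software prior to 1.1.2 is affected.
FIXED_VERSION = "1.1.2"
CVE_ID = "CVE-2021-43547"


class Generator(NamedTuple):
    asset_tag: str    # hypothetical inventory field
    sw_version: str   # version string as recorded by the biomed team


def parse_version(text: str) -> tuple:
    """Convert '1.1.2' to (1, 1, 2) so versions compare numerically.
    A plain string comparison would wrongly rank '1.1.10' below '1.1.2'."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(sw_version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed release."""
    return parse_version(sw_version) < parse_version(fixed)


def triage(inventory: list) -> dict:
    """Bucket each FX8 as needing the update, already updated, or unknown.
    Unreadable version strings go to 'unknown' rather than being assumed fixed."""
    buckets = {"update_needed": [], "updated": [], "unknown": []}
    for unit in inventory:
        try:
            key = "update_needed" if is_affected(unit.sw_version) else "updated"
        except ValueError:
            key = "unknown"
        buckets[key].append(unit.asset_tag)
    return buckets


# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = [
    Generator("FX8-OR1", "1.0.5"),     # older than 1.1.2: update needed
    Generator("FX8-OR2", "1.1.2"),     # the fixed release
    Generator("FX8-OR3", "1.1.10"),    # numerically newer than 1.1.2
    Generator("FX8-OR4", "n/a"),       # version never recorded
]

if __name__ == "__main__":
    for bucket, tags in triage(SAMPLE_INVENTORY).items():
        print(f"{CVE_ID} {bucket}: {', '.join(tags) or '-'}")
```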

Definition of terms

  1. Healthcare provider - A healthcare provider is any person or organization that furnishes healthcare services and supplies, bills for them, or is paid for them. In this case, healthcare providers can be individuals (doctors or nurses) or organizations (hospitals, clinics, practice groups, along with their administrative staff). Healthcare researchers are also considered providers. 
  2. Vulnerability - A vulnerability is a weakness in systems, software or products that compromises security. A vulnerability allows people to perform bad actions on those same systems, software, and products. 
  3. Exploit - An exploit is a program or methodology created to take advantage of a vulnerability in a system or product to gain unauthorized access or negatively affect proper operation.