CVE-2021-38398 - OpenCVE

The affected device uses off-the-shelf software components that contain unpatched vulnerabilities. A malicious attacker with physical access to the affected device could exploit these vulnerabilities.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bostonscientific	Zoom Latitude Pogrammer\/recorder\/monitor 3120 Zoom Latitude Pogrammer\/recorder\/monitor 3120 Firmware Zoom Latitude Programming System Model 3120 Zoom Latitude Programming System Model 3120 Firmware

Configuration 1 [-]

AND

cpe:2.3:h:bostonscientific:zoom_latitude_programming_system_model_3120:-:*:*:*:*:*:*:*

cpe:2.3:o:bostonscientific:zoom_latitude_programming_system_model_3120_firmware:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:h:bostonscientific:zoom_latitude_pogrammer\/recorder\/monitor_3120:-:*:*:*:*:*:*:*

cpe:2.3:o:bostonscientific:zoom_latitude_pogrammer\/recorder\/monitor_3120_firmware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-10-04T17:35:06.578644Z

Updated: 2024-09-16T17:58:22.688Z

Reserved: 2021-08-10T00:00:00

Link: CVE-2021-38398

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-04T18:15:09.280

Modified: 2022-09-10T02:44:50.837

Link: CVE-2021-38398

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ZOOM LATITUDE", "vendor": "Boston Scientific", "versions": [{"status": "affected", "version": "Model 3120"}]}], "credits": [{"lang": "en", "value": "Endres Puschner - Max Planck Institute for Security and Privacy, Bochum, Christoph Saatjohann - FH M\u00fcnster University of Applied Sciences, Christian Dresen - FH M\u00fcnster University of Applied Sciences, and Markus Willing - University of Muenster, discovered these issues as part of broader academic research of cardiac devices and reported them to Boston Scientific."}], "datePublic": "2021-09-30T00:00:00", "descriptions": [{"lang": "en", "value": "The affected device uses off-the-shelf software components that contain unpatched vulnerabilities. A malicious attacker with physical access to the affected device could exploit these vulnerabilities."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1329", "description": "CWE-1329", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-04T17:35:06", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01"}], "source": {"advisory": "ICSMA-21-273-01", "defect": ["CWE-1329"], "discovery": "EXTERNAL"}, "title": "Reliance on Component that is not Updateable for Boston Scientific Zoom Latitude", "workarounds": [{"lang": "en", "value": "Boston Scientific is in the process of transitioning all users to a replacement programmer with enhanced security, the LATITUDE Programming System, Model 3300. Boston Scientific will not issue a product update to address the identified vulnerabilities in the ZOOM LATITUDE Programming System, Model 3120."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-09-30T21:02:00.000Z", "ID": "CVE-2021-38398", "STATE": "PUBLIC", "TITLE": "Reliance on Component that is not Updateable for Boston Scientific Zoom Latitude"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ZOOM LATITUDE", "version": {"version_data": [{"version_value": "Model 3120"}]}}]}, "vendor_name": "Boston Scientific"}]}}, "credit": [{"lang": "eng", "value": "Endres Puschner - Max Planck Institute for Security and Privacy, Bochum, Christoph Saatjohann - FH M\u00fcnster University of Applied Sciences, Christian Dresen - FH M\u00fcnster University of Applied Sciences, and Markus Willing - University of Muenster, discovered these issues as part of broader academic research of cardiac devices and reported them to Boston Scientific."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The affected device uses off-the-shelf software components that contain unpatched vulnerabilities. A malicious attacker with physical access to the affected device could exploit these vulnerabilities."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-1329"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01"}]}, "source": {"advisory": "ICSMA-21-273-01", "defect": ["CWE-1329"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Boston Scientific is in the process of transitioning all users to a replacement programmer with enhanced security, the LATITUDE Programming System, Model 3300. Boston Scientific will not issue a product update to address the identified vulnerabilities in the ZOOM LATITUDE Programming System, Model 3120."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:37:16.493Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-38398", "datePublished": "2021-10-04T17:35:06.578644Z", "dateReserved": "2021-08-10T00:00:00", "dateUpdated": "2024-09-16T17:58:22.688Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:bostonscientific:zoom_latitude_programming_system_model_3120:-:*:*:*:*:*:*:*", "matchCriteriaId": "D557CAD5-67DD-4610-9A6B-F9A6D0D214AC", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:bostonscientific:zoom_latitude_programming_system_model_3120_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "B27B1568-6AC8-4347-B65D-FB26E76888E9", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:bostonscientific:zoom_latitude_pogrammer\\/recorder\\/monitor_3120:-:*:*:*:*:*:*:*", "matchCriteriaId": "3CA3DB8D-C7B6-4276-BD8B-16C2EFDB5474", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:bostonscientific:zoom_latitude_pogrammer\\/recorder\\/monitor_3120_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9D9AC21-FFE0-4A10-A236-04957BFCE2A3", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The affected device uses off-the-shelf software components that contain unpatched vulnerabilities. A malicious attacker with physical access to the affected device could exploit these vulnerabilities."}, {"lang": "es", "value": "El dispositivo afectado usa componentes de software est\u00e1ndar que contienen vulnerabilidades sin parches. Un atacante malicioso con acceso f\u00edsico al dispositivo afectado podr\u00eda explotar estas vulnerabilidades"}], "id": "CVE-2021-38398", "lastModified": "2022-09-10T02:44:50.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.3, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2021-10-04T18:15:09.280", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1329"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Secondary"}]}