github - ghsa-3xgp-qw97-rfg4

ghsa-3xgp-qw97-rfg4

Vulnerability from github

Published

2022-05-24 19:16

Modified

2022-10-27 19:00

Severity ?

7.6 (High) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

A skilled attacker with physical access to the affected device can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-38392"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-04T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A skilled attacker with physical access to the affected device can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world.",
  "id": "GHSA-3xgp-qw97-rfg4",
  "modified": "2022-10-27T19:00:39Z",
  "published": "2022-05-24T19:16:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38392"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

cve-2021-38392

Vulnerability from cvelistv5

Published

2021-10-04 17:35

Modified

2024-09-17 03:33

Severity ?

6.5 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

Summary

References

▼	URL	Tags
	https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01	x_refsource_MISC

Impacted products

Vendor

Product

Version

▼

Boston Scientific

ZOOM LATITUDE

Version: Model 3120

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:37:16.580Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ZOOM LATITUDE",
          "vendor": "Boston Scientific",
          "versions": [
            {
              "status": "affected",
              "version": "Model 3120"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Endres Puschner - Max Planck Institute for Security and Privacy, Bochum, Christoph Saatjohann - FH M\u00fcnster  University of Applied Sciences, Christian Dresen - FH M\u00fcnster University of Applied Sciences, and Markus  Willing - University of Muenster, discovered these issues as part of broader academic research of cardiac devices  and reported them to Boston Scientific."
        }
      ],
      "datePublic": "2021-09-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A skilled attacker with physical access to the affected device can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-04T17:35:13",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01"
        }
      ],
      "source": {
        "advisory": "ICSMA-21-273-01",
        "defect": [
          "CWE-284"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Improper Access Control for Boston Scientific Zoom Latitude",
      "workarounds": [
        {
          "lang": "en",
          "value": "Boston Scientific is in the process of transitioning all users to a replacement programmer with enhanced security,  the LATITUDE Programming System, Model 3300. Boston Scientific will not issue a product update to address the identified vulnerabilities in the ZOOM LATITUDE Programming System, Model 3120."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2021-09-30T21:02:00.000Z",
          "ID": "CVE-2021-38392",
          "STATE": "PUBLIC",
          "TITLE": "Improper Access Control for Boston Scientific Zoom Latitude"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ZOOM LATITUDE",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Model 3120"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Boston Scientific"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Endres Puschner - Max Planck Institute for Security and Privacy, Bochum, Christoph Saatjohann - FH M\u00fcnster  University of Applied Sciences, Christian Dresen - FH M\u00fcnster University of Applied Sciences, and Markus  Willing - University of Muenster, discovered these issues as part of broader academic research of cardiac devices  and reported them to Boston Scientific."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A skilled attacker with physical access to the affected device can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01",
              "refsource": "MISC",
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01"
            }
          ]
        },
        "source": {
          "advisory": "ICSMA-21-273-01",
          "defect": [
            "CWE-284"
          ],
          "discovery": "EXTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Boston Scientific is in the process of transitioning all users to a replacement programmer with enhanced security,  the LATITUDE Programming System, Model 3300. Boston Scientific will not issue a product update to address the identified vulnerabilities in the ZOOM LATITUDE Programming System, Model 3120."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2021-38392",
    "datePublished": "2021-10-04T17:35:13.879926Z",
    "dateReserved": "2021-08-10T00:00:00",
    "dateUpdated": "2024-09-17T03:33:08.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted