MidnightBSD

Advisories for bostonscientific

CVE-2017-14012 LOW

Boston Scientific ZOOM LATITUDE PRM Model 3120 does not encrypt PHI at rest. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

CVSS 2.0

Severity: LOW

Problem Type: CWE-311, CWE-311

Products Affected

Vendor Product Version
bostonscientific zoom_latitude_prm_3120_firmware -

CVE-2017-14014 LOW

Boston Scientific ZOOM LATITUDE PRM Model 3120 uses a hard-coded cryptographic key to encrypt PHI prior to having it transferred to removable media. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

CVSS 2.0

Severity: LOW

Problem Type: CWE-321, CWE-798

Products Affected

Vendor Product Version
bostonscientific zoom_latitude_prm_3120_firmware -

CVE-2021-38392 HIGH

A skilled attacker with physical access to the affected device can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 6.5 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L 0.7 5.3
nvd@nist.gov 7.6 HIGH CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 0.9 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284, NVD-CWE-noinfo

Products Affected

Vendor Product Version
bostonscientific zoom_latitude_pogrammer/recorder/monitor_3120_firmware *

CVE-2021-38394 MEDIUM

An attacker with physical access to the device can extract the binary that checks for the hardware key and reverse engineer it, which could be used to create a physical duplicate of a valid hardware key. The hardware key allows access to special settings when inserted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 0.5 5.9
ics-cert@hq.dhs.gov 6.2 MEDIUM CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L 0.4 5.3

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1278

Products Affected

Vendor Product Version
bostonscientific zoom_latitude_pogrammer/recorder/monitor_3120_firmware *

CVE-2021-38396 MEDIUM

The programmer installation utility does not perform cryptographic authenticity or integrity checks of the software on the flash drive. An attacker could leverage this weakness to install unauthorized software using a specially crafted USB.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 6.5 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L 0.7 5.3
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-353, CWE-345

Products Affected

Vendor Product Version
bostonscientific zoom_latitude_pogrammer/recorder/monitor_3120_firmware *

CVE-2021-38398 MEDIUM

The affected device uses off-the-shelf software components that contain unpatched vulnerabilities. A malicious attacker with physical access to the affected device could exploit these vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 6.5 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L 0.7 5.3
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1329, NVD-CWE-Other

Products Affected

Vendor Product Version
bostonscientific zoom_latitude_programming_system_model_3120_firmware -
bostonscientific zoom_latitude_pogrammer/recorder/monitor_3120_firmware *

CVE-2021-38400 MEDIUM

An attacker with physical access to Boston Scientific Zoom Latitude Model 3120 can remove the hard disk drive or create a specially crafted USB to extract the password hash for brute force reverse engineering of the system password.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9
ics-cert@hq.dhs.gov 6.9 MEDIUM CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L 0.4 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-916, CWE-916

Products Affected

Vendor Product Version
bostonscientific zoom_latitude_pogrammer/recorder/monitor_3120_firmware *