CVSS2: 7.2 High, AV:L/AC:L/Au:N/C:C/I:C/A:C
    Attack Vector: Local; Attack Complexity: Low; Authentication: None
    Confidentiality Impact: Complete; Integrity Impact: Complete; Availability Impact: Complete
CVSS3: 7.6 High, CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    Attack Vector: Physical; Attack Complexity: Low; Privileges Required: None; User Interaction: None
    Scope: Changed; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High
AI Score: 7.3 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 29.6%)
Successful exploitation of these vulnerabilities may allow an attacker with physical access to the affected device to obtain patient protected health information (PHI), and/or compromise the integrity of the device. The affected device is not network connected and does not contain hardware to be network connected.
Boston Scientific reports these vulnerabilities affect the ZOOM LATITUDE Programmer/Recorder/Monitor (PRM) Model 3120.
An attacker with physical access to the affected device can remove the hard disk drive, or use a specially crafted USB device, to extract the system password hash and then brute-force it offline to recover the system password.
CVE-2021-38400 has been assigned to this vulnerability. A CVSS v3 base score of 6.9 has been calculated; the CVSS vector string is (AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L).
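The weakness behind CVE-2021-38400 (CWE-916 in the reference list below) is that a hash copied off the disk can be attacked offline, at the attacker's own speed and with no lockout. The following added example is illustrative and is not Boston Scientific code: it runs the same dictionary attack against an unsalted fast hash and against a salted, iterated PBKDF2-HMAC-SHA256 hash and counts the work each costs. The hash schemes, the password and the wordlist are constructed for the demonstration; the advisory does not say what the Model 3120 actually stores.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Work counts primitive hash invocations spent on a cracking run. An attacker
// who has copied the hash off the disk pays this cost per guess, offline, so
// it is the only lever left to the defender once the hash has leaked.
type Work struct{ Hashes int }

// fastHash models the legacy storage scheme assumed here for contrast: one
// unsalted SHA-256 over the password. Assumption for illustration only.
func fastHash(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// pbkdf2SHA256 is a minimal PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA256,
// written out to avoid a dependency. Per block: T = U1 xor U2 xor ... xor Uc,
// with U1 = PRF(P, S || INT(block)) and Ui = PRF(P, Ui-1).
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// crackFast: dictionary attack against the unsalted fast hash, one hash per guess.
func crackFast(target []byte, wordlist []string) (string, bool, Work) {
	var w Work
	for _, cand := range wordlist {
		w.Hashes++
		if bytes.Equal(fastHash(cand), target) {
			return cand, true, w
		}
	}
	return "", false, w
}

// crackSlow: the same attack against a salted PBKDF2 hash. Every guess now costs
// `iterations` HMAC calls, and the per-device salt rules out precomputed tables.
func crackSlow(target, salt []byte, iterations int, wordlist []string) (string, bool, Work) {
	var w Work
	for _, cand := range wordlist {
		w.Hashes += iterations
		if bytes.Equal(pbkdf2SHA256([]byte(cand), salt, iterations, 32), target) {
			return cand, true, w
		}
	}
	return "", false, w
}

func main() {
	// Constructed sample: a service password and a five-word attacker list.
	// Real wordlists hold millions of entries; only the cost ratio matters here.
	const password = "service2021"
	wordlist := []string{"admin", "password", "latitude", "service", password}

	got, ok, w := crackFast(fastHash(password), wordlist)
	fmt.Printf("unsalted SHA-256:          found=%v %q, cost %d hash ops\n", ok, got, w.Hashes)

	salt := []byte("random-per-device-salt") // would come from a CSPRNG at enrolment
	const iterations = 100000
	target := pbkdf2SHA256([]byte(password), salt, iterations, 32)
	got, ok, w = crackSlow(target, salt, iterations, wordlist)
	fmt.Printf("salted PBKDF2 (%d iters): found=%v %q, cost %d hash ops\n", iterations, ok, got, w.Hashes)
}
```

The work counter is deterministic where a wall-clock comparison would not be. The slow scheme does not stop a guess that is on a five-word list; what it does is multiply every guess by the iteration count, and the salt forces that work to be redone per device rather than once for every Model 3120 in the field.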
An attacker with physical access to the device can extract and reverse-engineer the binary that checks for the hardware key, and use what is learned to create a physical duplicate of a valid hardware key. The hardware key unlocks special settings when inserted.
CVE-2021-38394 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L).
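CVE-2021-38394 shows why a hardware key whose validity is decided entirely by logic in the host binary can be cloned: everything the check needs is in the binary, so whoever copies the disk has it. The added example below is illustrative and is not the device's code. It contrasts that static check with a challenge-response token, where the host image holds only a public key and the signing secret never leaves the token, so copying the host yields nothing that answers a fresh challenge. The key identifier constant and the Ed25519 keys are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Weak design, assumed here for contrast: the binary holds the value it
// expects the key to present. Extracting the binary yields the value, and a
// key that presents it passes. Constructed sample constant.
var expectedKeyID = []byte("SERVICE-KEY-0001")

func checkStaticKey(presented []byte) bool {
	return bytes.Equal(presented, expectedKeyID)
}

// Challenge-response design. Token runs on the dongle's own processor and is
// the only party holding the private key.
type Token struct{ priv ed25519.PrivateKey }

// Respond signs the host's challenge; the private key never crosses the wire.
func (t Token) Respond(challenge []byte) []byte {
	return ed25519.Sign(t.priv, challenge)
}

// Host holds only the token's public key plus the single outstanding challenge.
type Host struct {
	trusted ed25519.PublicKey
	pending []byte // nil when no challenge is outstanding
}

var (
	ErrNoChallenge = errors.New("no outstanding challenge")
	ErrBadResponse = errors.New("response does not verify against the trusted key")
)

// Challenge issues a fresh 32-byte random nonce and remembers it.
func (h *Host) Challenge() []byte {
	h.pending = make([]byte, 32)
	if _, err := rand.Read(h.pending); err != nil {
		panic(err)
	}
	return append([]byte(nil), h.pending...)
}

// Verify checks the response against the challenge this host issued and then
// retires that challenge, so a captured response cannot be replayed later.
func (h *Host) Verify(response []byte) error {
	if h.pending == nil {
		return ErrNoChallenge
	}
	challenge := h.pending
	h.pending = nil
	if len(response) != ed25519.SignatureSize || !ed25519.Verify(h.trusted, challenge, response) {
		return ErrBadResponse
	}
	return nil
}

func main() {
	// Constructed sample: the keypair is generated here so the demo is
	// self-contained; in production it is generated inside the token and only
	// the public half is exported into the host image.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := Token{priv: priv}
	host := &Host{trusted: pub}

	fmt.Println("static check, value copied from binary:", checkStaticKey(append([]byte(nil), expectedKeyID...)))

	resp := genuine.Respond(host.Challenge())
	fmt.Println("genuine token:    ", host.Verify(resp))

	host.Challenge()
	fmt.Println("replayed response:", host.Verify(resp))

	// The attacker learned pub from the binary but has to invent a private key.
	_, clonePriv, _ := ed25519.GenerateKey(rand.Reader)
	clone := Token{priv: clonePriv}
	fmt.Println("cloned token:     ", host.Verify(clone.Respond(host.Challenge())))
}
```

The practical caveat is that this only moves the secret out of the binary; it does not stop an attacker who patches the binary to skip Verify entirely, which is the same physical-access problem the advisory describes. It does stop the cheaper attack the advisory lists, building a duplicate key from what the binary reveals.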
A skilled attacker with physical access to the affected device can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world.
CVE-2021-38392 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L).
The programmer installation utility does not perform cryptographic authenticity or integrity checks on the software on the flash drive. An attacker could leverage this weakness to install unauthorized software from a specially crafted USB device.
CVE-2021-38396 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L).
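CVE-2021-38396 is a missing authenticity check (CWE-353 in the references below), and CVE-2021-38392 depends on a setting that sits unprotected on the disk. One design that addresses both is to sign a manifest covering every file the installer will act on, configuration included, and have the utility verify that signature before it copies or runs anything from the media. The example below is added here for illustration and is not Boston Scientific's installer; the Ed25519 vendor key, the file names (setup.exe, region.cfg) and their contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Package is what the installer reads from removable media: the files, a
// manifest listing each file's SHA-256, and the vendor's Ed25519 signature
// over the manifest bytes. File names and contents here are constructed.
type Package struct {
	Files     map[string][]byte
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature missing or not from the vendor key")
	ErrDigest       = errors.New("file set does not match the signed manifest")
	ErrUnlisted     = errors.New("file present on media but absent from the signed manifest")
)

// buildManifest emits "<sha256 hex>  <name>" lines in sorted order so the
// signed bytes are reproducible regardless of map iteration order.
func buildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

// signPackage is the vendor-side release step. The private key stays on the
// release system; only the public key is pinned into the installer image.
func signPackage(priv ed25519.PrivateKey, files map[string][]byte) Package {
	m := buildManifest(files)
	return Package{Files: files, Manifest: m, Signature: ed25519.Sign(priv, m)}
}

// verifyPackage runs before anything on the media is copied or executed.
// Order matters: authenticate the manifest first, then use it to check every
// file, refuse files it does not cover, and refuse media missing listed files.
func verifyPackage(pub ed25519.PublicKey, p Package) error {
	if len(p.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, p.Manifest, p.Signature) {
		return ErrBadSignature
	}
	listed := map[string]string{} // name -> expected hex digest
	for _, line := range strings.Split(strings.TrimSpace(string(p.Manifest)), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 {
			return fmt.Errorf("%w: malformed manifest line", ErrDigest)
		}
		listed[parts[1]] = parts[0]
	}
	for name, content := range p.Files {
		want, ok := listed[name]
		if !ok {
			return fmt.Errorf("%w: %s", ErrUnlisted, name)
		}
		sum := sha256.Sum256(content)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%w: %s modified", ErrDigest, name)
		}
	}
	for name := range listed {
		if _, ok := p.Files[name]; !ok {
			return fmt.Errorf("%w: %s missing from media", ErrDigest, name)
		}
	}
	return nil
}

func main() {
	// Constructed sample: vendor keypair generated on the fly so the demo is
	// self-contained; a real installer ships with the public key pinned.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{"setup.exe": []byte("installer payload"), "region.cfg": []byte("telemetry_region=US")}
	genuine := signPackage(priv, files)
	fmt.Println("genuine media:   ", verifyPackage(pub, genuine))

	// Attacker edits the region setting on the media but cannot re-sign it.
	edited := Package{
		Files:     map[string][]byte{"setup.exe": files["setup.exe"], "region.cfg": []byte("telemetry_region=ANY")},
		Manifest:  genuine.Manifest,
		Signature: genuine.Signature,
	}
	fmt.Println("edited config:   ", verifyPackage(pub, edited))

	// Attacker re-signs a self-consistent manifest with a key of their own.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker-signed: ", verifyPackage(pub, signPackage(attackerPriv, edited.Files)))
}
```

A check that lives on the same disk the attacker can pull only raises the bar: an attacker who can edit region.cfg can also patch verifyPackage out of the installer. The check holds against a physical attacker only when the verifier itself is anchored, for example by measured or secure boot covering the installer image, which is the caveat to carry into any design review of a successor device.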
The affected device uses off-the-shelf software components that contain unpatched vulnerabilities. An attacker with physical access to the affected device could exploit these vulnerabilities.
CVE-2021-38398 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L).
Endres Puschner - Max Planck Institute for Security and Privacy, Bochum, Christoph Saatjohann - FH Münster University of Applied Sciences, Christian Dresen - FH Münster University of Applied Sciences, and Markus Willing - University of Muenster, discovered these issues as part of broader academic research of cardiac devices and reported them to Boston Scientific.
Boston Scientific is in the process of transitioning all users to a replacement programmer with enhanced security, the LATITUDE Programming System, Model 3300. Boston Scientific will not issue a product update to address the identified vulnerabilities in the ZOOM LATITUDE Programming System, Model 3120.
To reduce the risk of exploitation, Boston Scientific recommends those still utilizing the ZOOM LATITUDE PRM Model 3120 implement the following measures:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38392
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38394
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38396
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38398
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38400
cwe.mitre.org/data/definitions/1278.html (CWE-1278: Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques)
cwe.mitre.org/data/definitions/1329.html (CWE-1329: Reliance on Component That is Not Updateable)
cwe.mitre.org/data/definitions/284.html (CWE-284: Improper Access Control)
cwe.mitre.org/data/definitions/353.html (CWE-353: Missing Support for Integrity Check)
cwe.mitre.org/data/definitions/916.html (CWE-916: Use of Password Hash With Insufficient Computational Effort)
us-cert.cisa.gov/ics
us-cert.cisa.gov/ics/recommended-practices
us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L