CVE-2021-38396

Missing Support Integrity Check for Boston Scientific Zoom Latitude

Description

The programmer installation utility does not perform a cryptographic authenticity or integrity checks of the software on the flash drive. An attacker could leverage this weakness to install unauthorized software using a specially crafted USB.

Remediation

Workaround:

Boston Scientific is in the process of transitioning all users to a replacement programmer with enhanced security, the LATITUDE Programming System, Model 3300. Boston Scientific will not issue a product update to address the identified vulnerabilities in the ZOOM LATITUDE Programming System, Model 3120.

References

Link	Tags
https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01	third party advisory us government resource

Frequently Asked Questions

What is the severity of CVE-2021-38396?: CVE-2021-38396 has been scored as a medium severity vulnerability.
How to fix CVE-2021-38396?: As a workaround for remediating CVE-2021-38396: Boston Scientific is in the process of transitioning all users to a replacement programmer with enhanced security, the LATITUDE Programming System, Model 3300. Boston Scientific will not issue a product update to address the identified vulnerabilities in the ZOOM LATITUDE Programming System, Model 3120.
Is CVE-2021-38396 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2021-38396 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-38396?: CVE-2021-38396 affects Boston Scientific ZOOM LATITUDE.

Description

Remediation

Categories

CWE-353 – Missing Support for Integrity Check

CWE-345 – Insufficient Verification of Data Authenticity

References

Frequently Asked Questions