Full Report
1. EXECUTIVE SUMMARY
- CVSS v4 5.6
- ATTENTION: Low attack complexity
- Vendor: Ossur
- Equipment: Mobile Logic Application
- Vulnerabilities: Exposure of Sensitive System Information to an Unauthorized Control Sphere, Command Injection, Use of Hard-coded Credentials

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker unauthorized access to sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS
The following Ossur products are affected:
- Logic Mobile Application: Versions prior to 1.5.5

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPOSURE OF SENSITIVE SYSTEM INFORMATION TO AN UNAUTHORIZED CONTROL SPHERE CWE-497
A valid set of credentials in a .js file and a static token for communication were obtained from the decompiled IPA. An attacker could use the information to disrupt normal use of the application by changing the translation files and thus weaken the integrity of normal use.
CVE-2024-53683 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-53683. A base score of 5.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77
Multiple bash files were present in the application's private directory. Bash files can be used on their own by an attacker who already has full access to the mobile platform to compromise the translations for the application.
CVE-2024-54681 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2024-54681. A base score of 2.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.3 USE OF HARD-CODED CREDENTIALS CWE-798
Hard-coded credentials were included as part of the application binary. These credentials served as part of the application authentication flow and communication with the mobile application. An attacker could access unauthorized information.
CVE-2024-45832 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2024-45832. A base score of 2.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:H/SA:N).

3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Iceland

3.4 RESEARCHER
Bryan Riggins reported these vulnerabilities to CISA.

4. MITIGATIONS
Ossur recommends users download Version 1.5.5 or later of the mobile application. The latest version of the application can be obtained through the app store on respective mobile devices. No additional action is required by users.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY
- December 19, 2024: Initial Publication
Analysis Summary
# Vulnerability: Multiple Flaws in Ossur Mobile Logic Application Leading to Information Disclosure and Integrity Compromise
## CVE Details
- CVE ID: CVE-2024-53683
- CVSS Score: 5.6 (Medium) based on CVSS v4.0
- CWE: CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere); the underlying issue is credentials and a static token recoverable from the decompiled app package.
- CVE ID: CVE-2024-54681
- CVSS Score: 2.0 (Low) based on CVSS v4.0
- CWE: CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection'); bash files present in the application's private directory.
- CVE ID: CVE-2024-45832
- CVSS Score: 2.0 (Low) based on CVSS v4.0
- CWE: CWE-798 (Use of Hard-coded Credentials).
*(Note: The overall summary mentions a CVSS v4.0 score of 5.6, which aligns with the highest scoring component, while the individual CVEs have lower scores.)*
## Affected Systems
- Products: Ossur Logic Mobile Application
- Versions: Prior to 1.5.5
- Configurations: Exploits require some level of access to the mobile platform to leverage certain flaws (e.g., CVE-2024-54681).
## Vulnerability Description
The Ossur Mobile Logic Application contains multiple security flaws discovered through decompilation analysis:
1. **Hard-coded Credentials/Static Token (CVE-2024-53683):** Valid credentials and a static token used for communication were successfully extracted from the decompiled IPA file. This allows an attacker to disrupt application use by modifying translation files, weakening integrity.
2. **Presence of Bash Files (CVE-2024-54681):** Multiple bash files were found in the application's private directory. If an attacker gains full access to the mobile platform, these files can be used to compromise application translations.
3. **Hard-coded Credentials (CVE-2024-45832):** Hard-coded credentials integral to the application's authentication and communication flow were present in the binary, potentially allowing an attacker to access unauthorized information.
## Exploitation
- Status: No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
- Complexity: Low (all three CVSS vectors carry AC:L, and the advisory flags Low attack complexity).
- Attack Vector: Local (AV:L) for CVE-2024-53683 and Physical (AV:P) for CVE-2024-45832. CVE-2024-54681 is scored AV:N, but the advisory describes its exploitation path as requiring an attacker who already has full access to the mobile platform. The advisory explicitly states that these vulnerabilities are **not** exploitable remotely.
## Impact
- Confidentiality: Low (C:L on CVE-2024-45832, exposure of information via hard-coded credentials; the other two CVEs are scored C:N).
- Integrity: High (I:H on CVE-2024-53683, ability to disrupt normal use by changing translation files).
- Availability: Low (A:L on CVE-2024-54681 and CVE-2024-45832; CVE-2024-53683 is scored A:N).
## Remediation
### Patches
- Upgrade to **Logic Mobile Application Version 1.5.5 or later**.
### Workarounds
- No additional action is required by users if the application is updated to the patched version.
- General network security recommendations provided by CISA should be followed to minimize the overall attack surface:
  * Minimize network exposure of dependent control system devices.
  * Isolate control system networks behind firewalls.
  * Use secure methods like updated VPNs for required remote access.
## Detection
- Indicators of compromise would likely involve unexpected changes in application behavior, altered translation files, or unauthorized communication patterns if the hard-coded tokens/credentials were leveraged.
- Detection methods are focused on general hardening (listed under Remediation). No specific IoCs are provided for these application-layer flaws.
## References
- Vendor Advisory: Ossur (Implied via CISA summary)
- Relevant Links:
* hXXps://github.com/cisagov/CSAF (Source material)
* CISA hardening guides (hXXps://www.cisa.gov/topics/industrial-control-systems)