PatchSiren cyber security CVE debrief
CVE-2024-45832 Ossur CVE debrief
CVE-2024-45832 is a medium-severity vulnerability (CVSS 4.3) in the Ossur Logic Mobile Application, published by CISA on December 19, 2024. The issue involves hard-coded credentials embedded within the application binary, which were used as part of the authentication flow and communication with the mobile application. An attacker with physical access to the device could potentially extract these credentials and access unauthorized information. The vulnerability affects versions prior to 1.5.5. Ossur has released version 1.5.5 to address this issue, which is available through standard mobile app stores. Users should update to the patched version through their device's app store. No additional configuration changes are required after updating.
- Vendor: Ossur
- Product: Logic Mobile Application
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-12-19
- Original CVE updated: 2024-12-19
- Advisory published: 2024-12-19
- Advisory updated: 2024-12-19
Who should care
- Healthcare organizations using the Ossur Logic Mobile Application for patient monitoring or device management
- Clinical engineering and biomedical teams responsible for mobile medical device security
- IT security teams in healthcare settings managing mobile device deployments
- Patients or caregivers using the Ossur Logic Mobile Application for personal health management
- Compliance officers responsible for adherence to FDA cybersecurity guidance for medical devices
Technical summary
The Ossur Logic Mobile Application contained hard-coded credentials embedded directly in the application binary. These credentials were used in the application's authentication flow and for communication with backend services. Because the credentials were statically compiled into the binary, an attacker with physical access to a device running a vulnerable version could recover them by reverse engineering the application package, and this exposure could enable unauthorized access to patient or device information. The vulnerability is rated medium severity (CVSS 3.1: 4.3, CVSS 4.0: 5.3) with a physical attack vector, low attack complexity, and no privileges required; the confidentiality, integrity, and availability impacts are each rated low. Ossur addressed the issue in version 1.5.5 by removing the hard-coded credentials and implementing proper credential management.
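Added illustration, not code from Ossur or from the advisory: the check a release pipeline can run over a built mobile binary to catch exactly this defect before shipping. It extracts printable strings the way the `strings` utility does and flags ones that look like embedded credentials; the keyword patterns, the entropy threshold and the sample binary are constructed assumptions for the example.

```python
import math
import re
from typing import Dict, List

# Minimum run of printable bytes to count as a string (same default as `strings`).
MIN_STRING_LEN = 8

# Assumed heuristics for credential-looking strings: key/secret/password
# assignments and HTTP Basic/Bearer authorization headers baked into the binary.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(api[_-]?key|secret|passw(or)?d|client[_-]?secret|token)\b\s*[:=]\s*\S+"),
    re.compile(r"(?i)\bauthorization:\s*(basic|bearer)\s+\S+"),
]

def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, like `strings`."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking secrets score high."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_embedded_credentials(blob: bytes) -> List[Dict[str, str]]:
    """Flag strings that look like credentials; each hit records why it was flagged."""
    hits = []
    for s in extract_strings(blob):
        if any(p.search(s) for p in CREDENTIAL_PATTERNS):
            hits.append({"string": s, "reason": "credential keyword"})
        # A long, high-entropy token with no keyword (a bare API key) is also
        # suspicious; length and entropy thresholds are assumed values.
        elif len(s) >= 32 and shannon_entropy(s) > 4.5 and re.fullmatch(r"[A-Za-z0-9+/=_-]+", s):
            hits.append({"string": s, "reason": "high-entropy token"})
    return hits

# Constructed sample "binary": header bytes and padding around a few strings,
# one of which embeds a credential the way a vulnerable build would.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"Logic Mobile Application\x00"
    + b"api_key=EXAMPLE-NOT-REAL-0123456789\x00"
    + b"\x90" * 8
    + b"https://backend.example.invalid/v1/\x00"
)

if __name__ == "__main__":
    for hit in find_embedded_credentials(SAMPLE_BINARY):
        print(f"[{hit['reason']}] {hit['string']}")
```

A non-empty result from this check should fail the build; the same scan run against a shipped package is a quick way to confirm that the update actually removed the embedded credentials rather than merely moving them.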
Defensive priority
medium
Recommended defensive actions
- Update the Ossur Logic Mobile Application to version 1.5.5 or later through your device's official app store (Apple App Store or Google Play Store)
- Verify the installed application version is 1.5.5 or higher in the application settings or app store listing
- Ensure automatic app updates are enabled on mobile devices to receive future security patches promptly
- Review mobile device security policies to restrict installation of applications from unofficial sources
- Consider implementing mobile device management (MDM) solutions for healthcare environments using this application to enforce update compliance
Evidence notes
Hard-coded credentials were included as part of the application binary. These credentials served as part of the application authentication flow and communication with the mobile application. An attacker could access unauthorized information.
Official resources
- CVE-2024-45832 CVE record (CVE.org)
- CVE-2024-45832 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-12-19