OTPulse

Ossur Mobile Logic Application

Status: Monitor
CVSS: 4.4
Source: ICS-CERT ICSMA-24-354-01
Published: Dec 19, 2024
Attack Vector: Local
Privileges Required: High
Attack Complexity: Low
User Interaction: None
Summary

Ossur Logic Mobile Application versions earlier than 1.5.5 contain multiple vulnerabilities, mapped to use of hard-coded credentials (CWE-798), exposure of sensitive system information to an unauthorized control sphere (CWE-497), and improper neutralization of special elements used in a command, i.e. command injection (CWE-77). An attacker who already holds local, elevated access to the mobile device could use these weaknesses to extract sensitive information from the application. None of the vulnerabilities is remotely exploitable, and no public exploitation has been reported.

What this means
What could happen
An attacker with administrative access to an affected mobile device could extract sensitive information from the Logic Mobile Application without authorization. This could include patient data, device settings, or operational credentials if stored in the app.
Who's at risk
Prosthetics and orthotics manufacturers, healthcare facilities, and rehabilitation centers using Ossur Logic Mobile Application to monitor or control powered prosthetic devices or orthotic systems are affected. Device engineers and technicians who use the app to manage or troubleshoot prosthetic equipment are at risk.
How it could be exploited
An attacker with physical or local access to a mobile device running Logic Mobile Application versions before 1.5.5, and with privileged access on that device, can use the hard-coded credentials and the command injection weakness to read sensitive data from the application's memory or local storage.
Prerequisites
  • Physical or local access to a mobile device running affected application
  • Administrative or privileged user access on the device
  • Logic Mobile Application version earlier than 1.5.5 installed
  • Local access only (not remotely exploitable)
  • Requires privileged user access on the device
  • Low attack complexity
  • Hard-coded credentials and weak credential storage
  • Affects sensitive patient and device data
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product                    Affected Versions   Fix Status
Logic Mobile Application   < 1.5.5             1.5.5 or later
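The affected range above is "earlier than 1.5.5", which is easy to get wrong when triaging a fleet inventory with string comparison (lexically, "1.5.10" sorts before "1.5.5"). The following is an added example, not code from OTPulse or from Ossur, that compares versions numerically and buckets devices as affected, fixed, or unknown. The CSV inventory format, the device IDs, and the sample rows are constructed for illustration; real MDM exports differ by vendor.

```python
"""Triage a constructed MDM inventory export against the 1.5.5 fix version.

Added example for this advisory; not code from OTPulse or Ossur.
The (device_id, app_name, version) CSV layout is an assumption.
"""
from __future__ import annotations

import re

FIXED_VERSION = "1.5.5"
AFFECTED_APP = "Logic Mobile Application"

# Constructed sample export; real MDM exports vary by vendor.
SAMPLE_INVENTORY = """\
device_id,app_name,version
clinic-ipad-01,Logic Mobile Application,1.5.4
clinic-ipad-02,Logic Mobile Application,1.5.5
clinic-ipad-03,Logic Mobile Application,1.5.10
tech-phone-07,Logic Mobile Application,1.4.9-beta
tech-phone-08,Other App,0.9
clinic-ipad-04,Logic Mobile Application,
"""


def parse_version(text: str) -> tuple[int, ...] | None:
    """Turn '1.5.10' into (1, 5, 10).

    Pre-release suffixes such as '-beta' are dropped; an empty or
    unparsable string returns None so the device is flagged for review.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool | None:
    """True if version < fixed, False if fixed or later, None if unknown.

    Comparison is tuple-wise on integers, so '1.5.10' is correctly
    treated as newer than '1.5.5'.
    """
    v = parse_version(version)
    f = parse_version(fixed)
    if v is None or f is None:
        return None
    # Pad the shorter tuple with zeros so (1, 5) compares like (1, 5, 0).
    width = max(len(v), len(f))
    return v + (0,) * (width - len(v)) < f + (0,) * (width - len(f))


def triage(csv_text: str) -> dict[str, list[str]]:
    """Bucket device IDs running AFFECTED_APP into affected / fixed / unknown."""
    buckets: dict[str, list[str]] = {"affected": [], "fixed": [], "unknown": []}
    rows = csv_text.strip().splitlines()[1:]  # skip the header row
    for row in rows:
        device_id, app_name, version = (row.split(",") + ["", "", ""])[:3]
        if app_name != AFFECTED_APP:
            continue  # other apps are out of scope for this advisory
        state = is_affected(version)
        key = "unknown" if state is None else ("affected" if state else "fixed")
        buckets[key].append(device_id)
    return buckets


if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

Devices in the "unknown" bucket (no version reported) should be treated as affected until the installed version is confirmed on the device itself.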
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Logic Mobile Application to version 1.5.5 or later via the app store on mobile devices
Long-term hardening
HARDENING: Enforce mobile device management (MDM) policies to restrict application installations and enforce automatic updates
HARDENING: Ensure mobile devices used to access control systems are not connected to the Internet, or only through secure VPN tunnels
HARDENING: Implement endpoint security controls to prevent unauthorized access to mobile devices