Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2024-47127
PUBLISHED
More InfoOfficial Page
Assigner-icscert
Assigner Org ID-7d14cffa-0d7d-4270-9dc0-52cabd5a23a6
View Known Exploited Vulnerability (KEV) details
Published At-26 Sep, 2024 | 17:27
Updated At-17 Oct, 2024 | 17:35
Rejected At-
▼CVE Numbering Authority (CNA)
Weak Authentication in goTenna Pro

In the goTenna Pro App there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing goTenna mesh networks. This vulnerability can be exploited if the device is being used in an unencrypted environment or if the cryptography has already been compromised. It is advised to share encryption keys via QR scanning for higher security operations and update your app to the current release for enhanced encryption protocols.

Affected Products
Vendor
goTenna
Product
Pro
Default Status
unaffected
Versions
Affected
  • From 0 through 1.61 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-1390CWE-1390 Weak Authentication
Type: CWE
CWE ID: CWE-1390
Description: CWE-1390 Weak Authentication
Metrics
VersionBase scoreBase severityVector
4.06.0MEDIUM
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3.16.5MEDIUM
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 4.0
Base score: 6.0
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

goTenna recommends that users mitigate these vulnerabilities by performing the following updates: * Android Pro: v2.0.3 or greater * iOS Pro: v2.0.3 or greater

Configurations
Workarounds

goTenna recommends that users follow these mitigations: General Mitigations for All Users/Clients * Use Discreet Callsigns and Key Names: Choose callsigns and key names that do not disclose sensitive information, such as your location, team size, or team name. Avoid using any identifiers that could inadvertently reveal your location or the composition of your team. * Secure End-User Devices: Implement strong security measures on all end-user devices, including the use of encryption and ensuring regular software updates. * Follow Key Rotation Best Practices: Regularly rotate encryption keys according to industry best practices to maintain ongoing security. Pro-Specific Mitigations * Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys. * Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure. * Leverage Layered Encryption: Implement layered encryption keys to securely manage communications, whether interacting with individuals or teams. If you have any questions please contact prosupport@gotenna.com. goTenna recommends users follow their secure operating best practices https://support.gotennapro.com/s/article/Secure-Operating

Exploits
Credits
finder
Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04
government-resource
Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04
Resource:
government-resource
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
gotenna
Product
pro_app
CPEs
  • cpe:2.3:a:gotenna:pro_app:*:*:*:*:*:*:*:*
Default Status
unaffected
Versions
Affected
  • From 0 through 1.61 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found