goTenna Pro ATAK Plugin

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 7.1
  • ATTENTION: Low attack complexity
  • Vendor: goTenna
  • Equipment: Pro ATAK Plugin
  • Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Insertion of Sensitive Information Into Sent Data

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of goTenna Pro ATAK Plugin, a mesh networking device, are affected:

  • goTenna Pro ATAK Plugin: Versions 1.9.12 and prior

3.2 Vulnerability Overview

3.2.1 Weak Password Requirements CWE-521

The goTenna Pro ATAK Plugin uses a weak password for the QR broadcast message. If the QR broadcast message is captured over RF it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast.

CVE-2024-45374 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45374. A base score of 6.0 has been calculated; the CVSS vector string is (This article has been indexed from All CISA Advisories

Read the original article:

goTenna Pro ATAK Plugin