goTenna Pro X and Pro X2

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Low attack complexity
  • Vendor: goTenna
  • Equipment: Pro series
  • Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Improper Restriction of Communication Channel to Intended Endpoints, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of the goTenna Pro series mesh networking devices are affected:

  • goTenna Pro App: versions 1.6.1 and prior

3.2 Vulnerability Overview

3.2.1 Weak Password Requirements CWE-521

The goTenna Pro series uses a weak password for the QR broadcast message. If the QR broadcast message is captured over RF, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast.
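The following is an added, constructed model of the failure mode above; it is not goTenna code and does not reproduce the Pro series' actual key-distribution format, cipher or key-derivation function, all of which are assumptions here. It shows why a weak password on a captured key-distribution payload is decisive: the attacker brute-forces the password offline against the payload's integrity tag, recovers the shared broadcast key, and with it decrypts every message ever protected by that key, past and future. The same code with a high-entropy secret in place of the PIN shows the attack failing. Message contents, the PIN "7391" and the payload layout (salt || wrapped key || tag) are all invented for the demonstration.

```python
"""Constructed model of CWE-521 on a QR-distributed broadcast key (not goTenna's scheme)."""
import hashlib
import hmac
import os
import secrets
from itertools import product

# Deliberately low so the brute force below finishes in seconds; a real KDF would use far more.
KDF_ITERATIONS = 100


def derive_wrap_key(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte key that protects the broadcast key inside the QR payload."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for the (unknown) real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Broadcast message: random 12-byte nonce || ciphertext."""
    nonce = os.urandom(12)
    return nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    return xor(ct, keystream(key, nonce, len(ct)))


def wrap_broadcast_key(broadcast_key: bytes, password: str) -> bytes:
    """Key-distribution payload (assumed layout): 16-byte salt || 32-byte wrapped key || 16-byte tag."""
    salt = os.urandom(16)
    wk = derive_wrap_key(password, salt)
    wrapped = xor(broadcast_key, keystream(wk, b"wrap", 32))
    tag = hmac.new(wk, salt + wrapped, hashlib.sha256).digest()[:16]
    return salt + wrapped + tag


def unwrap_broadcast_key(payload: bytes, password: str):
    """Returns the broadcast key, or None if the password does not verify the tag."""
    salt, wrapped, tag = payload[:16], payload[16:48], payload[48:]
    wk = derive_wrap_key(password, salt)
    expected = hmac.new(wk, salt + wrapped, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return xor(wrapped, keystream(wk, b"wrap", 32))


def brute_force(payload: bytes, candidates):
    """Offline attack: the tag is a password oracle, so no interaction with a device is needed."""
    for pw in candidates:
        key = unwrap_broadcast_key(payload, pw)
        if key is not None:
            return pw, key
    return None


def pin_candidates():
    """The whole space of a 4-digit PIN: 10,000 guesses."""
    return ("".join(d) for d in product("0123456789", repeat=4))


def demo():
    broadcast_key = secrets.token_bytes(32)
    # Constructed traffic captured over RF before and after the QR payload was observed.
    messages = [b"past msg: rally at grid 42", b"future msg: move at 0300"]
    ciphertexts = [encrypt(broadcast_key, m) for m in messages]

    # Weak: the key-distribution payload is protected by a 4-digit PIN.
    weak_payload = wrap_broadcast_key(broadcast_key, "7391")
    hit = brute_force(weak_payload, pin_candidates())
    recovered = [decrypt(hit[1], c) for c in ciphertexts] if hit else None

    # Hardened: a 128-bit random secret protects the payload; the PIN space no longer contains it.
    strong_payload = wrap_broadcast_key(broadcast_key, secrets.token_hex(16))
    miss = brute_force(strong_payload, pin_candidates())
    return hit, recovered, miss


if __name__ == "__main__":
    hit, recovered, miss = demo()
    print("weak payload:", hit[0] if hit else None, recovered)
    print("strong payload:", miss)
```

The point the code makes is that the integrity tag on the captured payload lets the attacker test guesses without touching a device, so the only thing standing between an RF capture and the broadcast key is the password's entropy; rotating the broadcast key would not help messages already captured.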

CVE-2024-47121 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47121. A base score of 6.0 has been calculated; the CVSS vector string is (

This article has been indexed from All CISA Advisories