Search criteria
6 vulnerabilities found for atak_plugin by gotenna
FKIE_CVE-2024-43694
Vulnerability from fkie_nvd - Published: 2024-09-26 18:15 - Updated: 2024-10-07 19:40
Severity ?
4.3 (Medium) - CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
In the goTenna Pro ATAK Plugin application, the encryption keys are
stored along with a static IV on the device. This allows for complete
decryption of keys stored on the device. This allows an attacker to
decrypt all encrypted broadcast communications based on broadcast keys
stored on the device.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gotenna | atak_plugin | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gotenna:atak_plugin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0339DE99-2478-48B6-9664-CB8847C5EE47",
"versionEndExcluding": "2.0.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the goTenna Pro ATAK Plugin application, the encryption keys are \nstored along with a static IV on the device. This allows for complete \ndecryption of keys stored on the device. This allows an attacker to \ndecrypt all encrypted broadcast communications based on broadcast keys \nstored on the device."
},
{
"lang": "es",
"value": "En la aplicaci\u00f3n del complemento ATAK de goTenna Pro, las claves de cifrado se almacenan junto con un IV est\u00e1tico en el dispositivo. Esto permite el descifrado completo de las claves almacenadas en el dispositivo. Esto permite que un atacante descifre todas las comunicaciones de transmisi\u00f3n cifradas en funci\u00f3n de las claves de transmisi\u00f3n almacenadas en el dispositivo."
}
],
"id": "CVE-2024-43694",
"lastModified": "2024-10-07T19:40:04.147",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 3.6,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
},
"published": "2024-09-26T18:15:06.960",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-922"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-41715
Vulnerability from fkie_nvd - Published: 2024-09-26 18:15 - Updated: 2024-10-17 17:15
Severity ?
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
The goTenna Pro ATAK Plugin does not inject extra characters into
broadcasted frames to obfuscate the length of messages. This makes it
possible to tell the length of the payload regardless of the encryption
used.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gotenna | atak_plugin | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gotenna:atak_plugin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0339DE99-2478-48B6-9664-CB8847C5EE47",
"versionEndExcluding": "2.0.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The goTenna Pro ATAK Plugin does not inject extra characters into \nbroadcasted frames to obfuscate the length of messages. This makes it \npossible to tell the length of the payload regardless of the encryption \nused."
},
{
"lang": "es",
"value": "El complemento ATAK de goTenna Pro tiene una vulnerabilidad de longitud de payload que permite saber la longitud de el payload independientemente del cifrado utilizado."
}
],
"id": "CVE-2024-41715",
"lastModified": "2024-10-17T17:15:11.530",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
},
"published": "2024-09-26T18:15:05.950",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-204"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-203"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-41715 (GCVE-0-2024-41715)
Vulnerability from cvelistv5 – Published: 2024-09-26 17:46 – Updated: 2024-10-17 17:03
VLAI?
Title
goTenna Pro ATAK Plugin Observable Response Discrepancy
Summary
The goTenna Pro ATAK Plugin does not inject extra characters into
broadcasted frames to obfuscate the length of messages. This makes it
possible to tell the length of the payload regardless of the encryption
used.
Severity ?
4.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| goTenna | Pro ATAK Plugin |
Affected:
0 , ≤ 1.9.12
(custom)
|
Credits
Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T18:19:18.583296Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T18:21:36.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pro ATAK Plugin",
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA."
}
],
"datePublic": "2024-09-26T13:19:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The goTenna Pro ATAK Plugin does not inject extra characters into \nbroadcasted frames to obfuscate the length of messages. This makes it \npossible to tell the length of the payload regardless of the encryption \nused."
}
],
"value": "The goTenna Pro ATAK Plugin does not inject extra characters into \nbroadcasted frames to obfuscate the length of messages. This makes it \npossible to tell the length of the payload regardless of the encryption \nused."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T17:03:47.283Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003egoTenna recommends that users mitigate these vulnerabilities by performing the following updates:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eATAK Plugin: v2.0.7 or greater\u003c/li\u003e\n\u003c/ul\u003e"
}
],
"value": "goTenna recommends that users mitigate these vulnerabilities by performing the following updates:\n\n\n\n * ATAK Plugin: v2.0.7 or greater"
}
],
"source": {
"advisory": "ICSA-24-270-05",
"discovery": "EXTERNAL"
},
"title": "goTenna Pro ATAK Plugin Observable Response Discrepancy",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003egoTenna recommends that users follow these mitigations:\u003c/p\u003e\n\u003cp\u003eGeneral Mitigations for All Users/Clients\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUse Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\u003c/li\u003e\n\u003cli\u003eSecure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\u003c/li\u003e\n\u003cli\u003eFollow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003ePro-Specific Mitigations\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eShare Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\u003c/li\u003e\n\u003cli\u003eSecure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\u003c/li\u003e\n\u003cli\u003eLeverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIf you have any questions please contact \u003ca target=\"_blank\" rel=\"nofollow\"\u003eprosupport@gotenna.com\u003c/a\u003e\u003c/p\u003egoTenna recommends that users Follow their secure operating \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.gotennapro.com/s/article/Secure-Operating\"\u003ebest practices\u003c/a\u003e."
}
],
"value": "goTenna recommends that users follow these mitigations:\n\n\nGeneral Mitigations for All Users/Clients\n\n\n\n * Use Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\n\n * Secure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\n\n * Follow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\n\n\n\n\nPro-Specific Mitigations\n\n\n\n * Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\n\n * Secure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\n\n * Leverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\n\n\n\n\nIf you have any questions please contact best practices https://support.gotennapro.com/s/article/Secure-Operating ."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-41715",
"datePublished": "2024-09-26T17:46:05.011Z",
"dateReserved": "2024-09-24T14:22:20.149Z",
"dateUpdated": "2024-10-17T17:03:47.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43694 (GCVE-0-2024-43694)
Vulnerability from cvelistv5 – Published: 2024-09-26 17:25 – Updated: 2024-09-26 18:26
VLAI?
Title
goTenna Pro ATAK Plugin Insecure Storage of Sensitive Information
Summary
In the goTenna Pro ATAK Plugin application, the encryption keys are
stored along with a static IV on the device. This allows for complete
decryption of keys stored on the device. This allows an attacker to
decrypt all encrypted broadcast communications based on broadcast keys
stored on the device.
Severity ?
4.3 (Medium)
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| goTenna | Pro ATAK Plugin |
Affected:
0 , ≤ 1.9.12
(custom)
|
Credits
Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gotenna:pro_atak_plugin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pro_atak_plugin",
"vendor": "gotenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43694",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T18:26:28.219215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T18:26:54.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pro ATAK Plugin",
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA."
}
],
"datePublic": "2024-09-26T13:19:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In the goTenna Pro ATAK Plugin application, the encryption keys are \nstored along with a static IV on the device. This allows for complete \ndecryption of keys stored on the device. This allows an attacker to \ndecrypt all encrypted broadcast communications based on broadcast keys \nstored on the device."
}
],
"value": "In the goTenna Pro ATAK Plugin application, the encryption keys are \nstored along with a static IV on the device. This allows for complete \ndecryption of keys stored on the device. This allows an attacker to \ndecrypt all encrypted broadcast communications based on broadcast keys \nstored on the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T17:25:52.840Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\n\u003cp\u003egoTenna recommends that users mitigate these vulnerabilities by performing the following updates:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eATAK Plugin: v2.0.7 or greater\u003c/li\u003e\n\u003c/ul\u003e\u003cbr\u003e"
}
],
"value": "goTenna recommends that users mitigate these vulnerabilities by performing the following updates:\n\n\n\n * ATAK Plugin: v2.0.7 or greater"
}
],
"source": {
"advisory": "ICSA-24-270-05",
"discovery": "EXTERNAL"
},
"title": "goTenna Pro ATAK Plugin Insecure Storage of Sensitive Information",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\n\u003cp\u003egoTenna recommends that users follow these mitigations:\u003c/p\u003e\n\u003cp\u003eGeneral Mitigations for All Users/Clients\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUse Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\u003c/li\u003e\n\u003cli\u003eSecure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\u003c/li\u003e\n\u003cli\u003eFollow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003ePro-Specific Mitigations\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eShare Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\u003c/li\u003e\n\u003cli\u003eSecure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\u003c/li\u003e\n\u003cli\u003eLeverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIf you have any questions please contact \u003ca target=\"_blank\" rel=\"nofollow\"\u003eprosupport@gotenna.com\u003c/a\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "goTenna recommends that users follow these mitigations:\n\n\nGeneral Mitigations for All Users/Clients\n\n\n\n * Use Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\n\n * Secure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\n\n * Follow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\n\n\n\n\nPro-Specific Mitigations\n\n\n\n * Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\n\n * Secure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\n\n * Leverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\n\n\n\n\nIf you have any questions please contact prosupport@gotenna.com"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-43694",
"datePublished": "2024-09-26T17:25:52.840Z",
"dateReserved": "2024-09-24T14:22:20.080Z",
"dateUpdated": "2024-09-26T18:26:54.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41715 (GCVE-0-2024-41715)
Vulnerability from nvd – Published: 2024-09-26 17:46 – Updated: 2024-10-17 17:03
VLAI?
Title
goTenna Pro ATAK Plugin Observable Response Discrepancy
Summary
The goTenna Pro ATAK Plugin does not inject extra characters into
broadcasted frames to obfuscate the length of messages. This makes it
possible to tell the length of the payload regardless of the encryption
used.
Severity ?
4.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| goTenna | Pro ATAK Plugin |
Affected:
0 , ≤ 1.9.12
(custom)
|
Credits
Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T18:19:18.583296Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T18:21:36.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pro ATAK Plugin",
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA."
}
],
"datePublic": "2024-09-26T13:19:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The goTenna Pro ATAK Plugin does not inject extra characters into \nbroadcasted frames to obfuscate the length of messages. This makes it \npossible to tell the length of the payload regardless of the encryption \nused."
}
],
"value": "The goTenna Pro ATAK Plugin does not inject extra characters into \nbroadcasted frames to obfuscate the length of messages. This makes it \npossible to tell the length of the payload regardless of the encryption \nused."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T17:03:47.283Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003egoTenna recommends that users mitigate these vulnerabilities by performing the following updates:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eATAK Plugin: v2.0.7 or greater\u003c/li\u003e\n\u003c/ul\u003e"
}
],
"value": "goTenna recommends that users mitigate these vulnerabilities by performing the following updates:\n\n\n\n * ATAK Plugin: v2.0.7 or greater"
}
],
"source": {
"advisory": "ICSA-24-270-05",
"discovery": "EXTERNAL"
},
"title": "goTenna Pro ATAK Plugin Observable Response Discrepancy",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003egoTenna recommends that users follow these mitigations:\u003c/p\u003e\n\u003cp\u003eGeneral Mitigations for All Users/Clients\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUse Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\u003c/li\u003e\n\u003cli\u003eSecure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\u003c/li\u003e\n\u003cli\u003eFollow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003ePro-Specific Mitigations\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eShare Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\u003c/li\u003e\n\u003cli\u003eSecure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\u003c/li\u003e\n\u003cli\u003eLeverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIf you have any questions please contact \u003ca target=\"_blank\" rel=\"nofollow\"\u003eprosupport@gotenna.com\u003c/a\u003e\u003c/p\u003egoTenna recommends that users Follow their secure operating \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.gotennapro.com/s/article/Secure-Operating\"\u003ebest practices\u003c/a\u003e."
}
],
"value": "goTenna recommends that users follow these mitigations:\n\n\nGeneral Mitigations for All Users/Clients\n\n\n\n * Use Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\n\n * Secure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\n\n * Follow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\n\n\n\n\nPro-Specific Mitigations\n\n\n\n * Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\n\n * Secure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\n\n * Leverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\n\n\n\n\nIf you have any questions please contact best practices https://support.gotennapro.com/s/article/Secure-Operating ."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-41715",
"datePublished": "2024-09-26T17:46:05.011Z",
"dateReserved": "2024-09-24T14:22:20.149Z",
"dateUpdated": "2024-10-17T17:03:47.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43694 (GCVE-0-2024-43694)
Vulnerability from nvd – Published: 2024-09-26 17:25 – Updated: 2024-09-26 18:26
VLAI?
Title
goTenna Pro ATAK Plugin Insecure Storage of Sensitive Information
Summary
In the goTenna Pro ATAK Plugin application, the encryption keys are
stored along with a static IV on the device. This allows for complete
decryption of keys stored on the device. This allows an attacker to
decrypt all encrypted broadcast communications based on broadcast keys
stored on the device.
Severity ?
4.3 (Medium)
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| goTenna | Pro ATAK Plugin |
Affected:
0 , ≤ 1.9.12
(custom)
|
Credits
Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gotenna:pro_atak_plugin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pro_atak_plugin",
"vendor": "gotenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43694",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T18:26:28.219215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T18:26:54.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pro ATAK Plugin",
"vendor": "goTenna",
"versions": [
{
"lessThanOrEqual": "1.9.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA."
}
],
"datePublic": "2024-09-26T13:19:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In the goTenna Pro ATAK Plugin application, the encryption keys are \nstored along with a static IV on the device. This allows for complete \ndecryption of keys stored on the device. This allows an attacker to \ndecrypt all encrypted broadcast communications based on broadcast keys \nstored on the device."
}
],
"value": "In the goTenna Pro ATAK Plugin application, the encryption keys are \nstored along with a static IV on the device. This allows for complete \ndecryption of keys stored on the device. This allows an attacker to \ndecrypt all encrypted broadcast communications based on broadcast keys \nstored on the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T17:25:52.840Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\n\u003cp\u003egoTenna recommends that users mitigate these vulnerabilities by performing the following updates:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eATAK Plugin: v2.0.7 or greater\u003c/li\u003e\n\u003c/ul\u003e\u003cbr\u003e"
}
],
"value": "goTenna recommends that users mitigate these vulnerabilities by performing the following updates:\n\n\n\n * ATAK Plugin: v2.0.7 or greater"
}
],
"source": {
"advisory": "ICSA-24-270-05",
"discovery": "EXTERNAL"
},
"title": "goTenna Pro ATAK Plugin Insecure Storage of Sensitive Information",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\n\u003cp\u003egoTenna recommends that users follow these mitigations:\u003c/p\u003e\n\u003cp\u003eGeneral Mitigations for All Users/Clients\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUse Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\u003c/li\u003e\n\u003cli\u003eSecure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\u003c/li\u003e\n\u003cli\u003eFollow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003ePro-Specific Mitigations\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eShare Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\u003c/li\u003e\n\u003cli\u003eSecure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\u003c/li\u003e\n\u003cli\u003eLeverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIf you have any questions please contact \u003ca target=\"_blank\" rel=\"nofollow\"\u003eprosupport@gotenna.com\u003c/a\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "goTenna recommends that users follow these mitigations:\n\n\nGeneral Mitigations for All Users/Clients\n\n\n\n * Use Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\n\n * Secure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\n\n * Follow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\n\n\n\n\nPro-Specific Mitigations\n\n\n\n * Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\n\n * Secure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\n\n * Leverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\n\n\n\n\nIf you have any questions please contact prosupport@gotenna.com"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-43694",
"datePublished": "2024-09-26T17:25:52.840Z",
"dateReserved": "2024-09-24T14:22:20.080Z",
"dateUpdated": "2024-09-26T18:26:54.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}