CVE-2022-24401 (GCVE-0-2022-24401)
Vulnerability from cvelistv5 – Published: 2023-10-19 09:32 – Updated: 2024-08-03 04:13
Summary
Adversary-induced keystream re-use on TETRA air-interface encrypted traffic using any TEA (TETRA Encryption Algorithm) keystream generator. IV generation is based upon several TDMA frame counters, which are frequently broadcast by the infrastructure in an unauthenticated manner. An active adversary can manipulate the view of these counters in a mobile station (MS), provoking keystream re-use. By sending crafted messages to the MS and analyzing MS responses, keystream for arbitrary frames can be recovered.
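Severity: HIGH (CVSS 3.1 base score 8.8 from the CNA, NCSC-NL; NVD's separate assessment in the record below is 8.1, with no availability impact)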
CWE
- CWE-323 - Reusing a Nonce, Key Pair in Encryption
Assigner: NCSC-NL
References
| URL | Tags |
|---|---|
| https://tetraburst.com/ | related |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ETSI | TETRA Standard | Affected: all |
Credits
Midnight Blue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:13:55.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "TETRA Standard",
"vendor": "ETSI",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "Adversary-induced keystream re-use on TETRA air-interface encrypted traffic using any TEA keystream generator. IV generation is based upon several TDMA frame counters, which are frequently broadcast by the infrastructure in an unauthenticated manner. An active adversary can manipulate the view of these counters in a mobile station, provoking keystream re-use. By sending crafted messages to the MS and analyzing MS responses, keystream for arbitrary frames can be recovered."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:A/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "Reusing a Nonce, Key Pair in Encryption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "Keystream recovery for arbitrary frames in TETRA"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-24401",
"datePublished": "2023-10-19T09:32:53.702Z",
"dateReserved": "2022-02-04T04:43:09.526Z",
"dateUpdated": "2024-08-03T04:13:55.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:midnightblue:tetra\\\\:burst:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E47ED5D3-E6C3-419A-9A3B-9F20863B9FDA\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Adversary-induced keystream re-use on TETRA air-interface encrypted traffic using any TEA keystream generator. IV generation is based upon several TDMA frame counters, which are frequently broadcast by the infrastructure in an unauthenticated manner. An active adversary can manipulate the view of these counters in a mobile station, provoking keystream re-use. By sending crafted messages to the MS and analyzing MS responses, keystream for arbitrary frames can be recovered.\"}, {\"lang\": \"es\", \"value\": \"Reutilizaci\\u00f3n del flujo de claves inducida por el adversario en el tr\\u00e1fico cifrado de interfaz a\\u00e9rea TETRA utilizando cualquier generador de flujo de claves TEA. La generaci\\u00f3n IV se basa en varios contadores de frame TDMA, que frecuentemente la infraestructura transmite sin autenticaci\\u00f3n. Un adversario activo puede manipular la vista de estos contadores en una estaci\\u00f3n m\\u00f3vil, provocando la reutilizaci\\u00f3n del flujo de claves. Al enviar mensajes manipulados al MS y analizar las respuestas del MS, se puede recuperar el flujo de claves de frames arbitrarios.\"}]",
"id": "CVE-2022-24401",
"lastModified": "2024-11-21T06:50:20.597",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"cert@ncsc.nl\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}]}",
"published": "2023-10-19T10:15:09.510",
"references": "[{\"url\": \"https://tetraburst.com/\", \"source\": \"cert@ncsc.nl\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://tetraburst.com/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "cert@ncsc.nl",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"cert@ncsc.nl\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-323\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-24401\",\"sourceIdentifier\":\"cert@ncsc.nl\",\"published\":\"2023-10-19T10:15:09.510\",\"lastModified\":\"2024-11-21T06:50:20.597\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Adversary-induced keystream re-use on TETRA air-interface encrypted traffic using any TEA keystream generator. IV generation is based upon several TDMA frame counters, which are frequently broadcast by the infrastructure in an unauthenticated manner. An active adversary can manipulate the view of these counters in a mobile station, provoking keystream re-use. By sending crafted messages to the MS and analyzing MS responses, keystream for arbitrary frames can be recovered.\"},{\"lang\":\"es\",\"value\":\"Reutilizaci\u00f3n del flujo de claves inducida por el adversario en el tr\u00e1fico cifrado de interfaz a\u00e9rea TETRA utilizando cualquier generador de flujo de claves TEA. La generaci\u00f3n IV se basa en varios contadores de frame TDMA, que frecuentemente la infraestructura transmite sin autenticaci\u00f3n. Un adversario activo puede manipular la vista de estos contadores en una estaci\u00f3n m\u00f3vil, provocando la reutilizaci\u00f3n del flujo de claves. 
Al enviar mensajes manipulados al MS y analizar las respuestas del MS, se puede recuperar el flujo de claves de frames arbitrarios.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cert@ncsc.nl\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"cert@ncsc.nl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-323\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:midnightblue:tetra\\\\:burst:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E47ED5D3-E6C3-419A-9A3B-9F20863B9FDA\"}]}]}],\"references\":[{\"url\":\"https://tetraburst.com/\",\"source\":\"cert@ncsc.nl\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://tetraburst.com/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.