CVE-2024-47128 (GCVE-0-2024-47128)

Vulnerability from cvelistv5 – Published: 2024-09-26 17:28 – Updated: 2024-10-17 17:37
VLAI?
Title
Insertion of Sensitive Information Into Sent Data in goTenna Pro
Summary
The goTenna Pro App encryption key name is always sent unencrypted when the key is shared over RF through a broadcast message. It is advised to share the encryption key via local QR for higher security operations.
Severity ?
5.3 (Medium)
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
4.3 (Medium)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
Impacted products
Vendor Product Version
goTenna Pro Affected: 0 , ≤ 1.61 (custom)
Create a notification for this product.
Credits
Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:gotenna:pro_app:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "pro_app",
            "vendor": "gotenna",
            "versions": [
              {
                "lessThanOrEqual": "1.61",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47128",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T18:22:27.877983Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T18:23:06.170Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Pro",
          "vendor": "goTenna",
          "versions": [
            {
              "lessThanOrEqual": "1.61",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nThe goTenna Pro App encryption key name is always sent unencrypted when \nthe key is shared over RF through a broadcast message. It is advised to \nshare the encryption key via local QR for higher security operations.\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
            }
          ],
          "value": "The goTenna Pro App encryption key name is always sent unencrypted when \nthe key is shared over RF through a broadcast message. It is advised to \nshare the encryption key via local QR for higher security operations."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-17T17:37:51.475Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003egoTenna recommends that users mitigate these vulnerabilities by performing the following updates:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAndroid Pro: v2.0.3 or greater\u003c/li\u003e\n\u003cli\u003eiOS Pro: v2.0.3 or greater\u003c/li\u003e\n\u003c/ul\u003e"
            }
          ],
          "value": "goTenna recommends that users mitigate these vulnerabilities by performing the following updates:\n\n\n\n  *  Android Pro: v2.0.3 or greater\n\n  *  iOS Pro: v2.0.3 or greater"
        }
      ],
      "source": {
        "advisory": "ICSA-24-270-04",
        "discovery": "EXTERNAL"
      },
      "title": "Insertion of Sensitive Information Into Sent Data in goTenna Pro",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003egoTenna recommends that users follow these mitigations:\u003c/p\u003e\n\u003cp\u003eGeneral Mitigations for All Users/Clients\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUse Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\u003c/li\u003e\n\u003cli\u003eSecure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\u003c/li\u003e\n\u003cli\u003eFollow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003ePro-Specific Mitigations\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eShare Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\u003c/li\u003e\n\u003cli\u003eSecure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\u003c/li\u003e\n\u003cli\u003eLeverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIf you have any questions please contact \u003ca target=\"_blank\" rel=\"nofollow\"\u003eprosupport@gotenna.com\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003egoTenna recommends users follow their secure operating \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.gotennapro.com/s/article/Secure-Operating\"\u003ebest practices\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "goTenna recommends that users follow these mitigations:\n\n\nGeneral Mitigations for All Users/Clients\n\n\n\n  *  Use Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\n\n  *  Secure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\n\n  *  Follow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\n\n\n\n\nPro-Specific Mitigations\n\n\n\n  *  Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\n\n  *  Secure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\n\n  *  Leverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\n\n\n\n\nIf you have any questions please contact prosupport@gotenna.com.\n\n\ngoTenna recommends users follow their secure operating  best practices https://support.gotennapro.com/s/article/Secure-Operating"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2024-47128",
    "datePublished": "2024-09-26T17:28:32.604Z",
    "dateReserved": "2024-09-18T21:32:27.325Z",
    "dateUpdated": "2024-10-17T17:37:51.475Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gotenna:gotenna_pro:*:*:*:*:*:iphone_os:*:*\", \"versionEndIncluding\": \"1.6.1\", \"matchCriteriaId\": \"82A99D81-2393-4C97-BF3A-18C373E586AB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gotenna:gotenna_pro:*:*:*:*:*:android:*:*\", \"versionEndExcluding\": \"2.0.3\", \"matchCriteriaId\": \"4EB02402-526B-42AA-8A5F-0A0D99B432E1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The goTenna Pro App encryption key name is always sent unencrypted when \\nthe key is shared over RF through a broadcast message. It is advised to \\nshare the encryption key via local QR for higher security operations.\"}, {\"lang\": \"es\", \"value\": \"El nombre de la clave de transmisi\\u00f3n de goTenna Pro siempre se env\\u00eda sin cifrar y podr\\u00eda revelar la ubicaci\\u00f3n de la operaci\\u00f3n.\"}]",
      "id": "CVE-2024-47128",
      "lastModified": "2024-10-17T18:15:06.727",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnerableSystemConfidentiality\": \"LOW\", \"vulnerableSystemIntegrity\": \"NONE\", \"vulnerableSystemAvailability\": \"NONE\", \"subsequentSystemConfidentiality\": \"NONE\", \"subsequentSystemIntegrity\": \"NONE\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}], \"cvssMetricV31\": [{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
      "published": "2024-09-26T18:15:09.783",
      "references": "[{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-201\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-47128\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2024-09-26T18:15:09.783\",\"lastModified\":\"2024-10-17T18:15:06.727\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The goTenna Pro App encryption key name is always sent unencrypted when \\nthe key is shared over RF through a broadcast message. It is advised to \\nshare the encryption key via local QR for higher security operations.\"},{\"lang\":\"es\",\"value\":\"El nombre de la clave de transmisi\u00f3n de goTenna Pro siempre se env\u00eda sin cifrar y podr\u00eda revelar la ubicaci\u00f3n de la operaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-201\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gotenna:gotenna_pro:*:*:*:*:*:iphone_os:*:*\",\"versionEndIncluding\":\"1.6.1\",\"matchCriteriaId\":\"82A99D81-2393-4C97-BF3A-18C373E586AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gotenna:gotenna_pro:*:*:*:*:*:android:*:*\",\"versionEndExcluding\":\"2.0.3\",\"matchCriteriaId\":\"4EB02402-526B-42AA-8A5F-0A0D99B432E1\"}]}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-47128\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-26T18:22:27.877983Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:gotenna:pro_app:*:*:*:*:*:*:*:*\"], \"vendor\": \"gotenna\", \"product\": \"pro_app\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.61\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-26T18:22:56.395Z\"}}], \"cna\": {\"title\": \"Insertion of Sensitive Information Into Sent Data in goTenna Pro\", \"source\": {\"advisory\": \"ICSA-24-270-04\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"ADJACENT\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"goTenna\", \"product\": \"Pro\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.61\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"goTenna recommends that users mitigate these vulnerabilities by performing the following updates:\\n\\n\\n\\n  *  Android Pro: v2.0.3 or greater\\n\\n  *  iOS Pro: v2.0.3 or greater\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003egoTenna recommends that users mitigate these vulnerabilities by performing the following updates:\u003c/p\u003e\\n\u003cul\u003e\\n\u003cli\u003eAndroid Pro: v2.0.3 or greater\u003c/li\u003e\\n\u003cli\u003eiOS Pro: v2.0.3 or greater\u003c/li\u003e\\n\u003c/ul\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04\", \"tags\": [\"government-resource\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"goTenna recommends that users follow these mitigations:\\n\\n\\nGeneral Mitigations for All Users/Clients\\n\\n\\n\\n  *  Use Discreet Callsigns and Key Names: Choose callsigns and key names\\n that do not disclose sensitive information, such as your location, team\\n size, or team name. Avoid using any identifiers that could \\ninadvertently reveal your location or the composition of your team.\\n\\n  *  Secure End-User Devices: Implement strong security measures on all \\nend-user devices, including the use of encryption and ensuring regular \\nsoftware updates.\\n\\n  *  Follow Key Rotation Best Practices: Regularly rotate encryption keys\\n according to industry best practices to maintain ongoing security.\\n\\n\\n\\n\\nPro-Specific Mitigations\\n\\n\\n\\n  *  Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\\n\\n  *  Secure Broadcasting: When broadcasting, ensure you are in a secured \\narea and transmit the key at a reduced power of 0.5 Watts to limit \\nexposure.\\n\\n  *  Leverage Layered Encryption: Implement layered encryption keys to \\nsecurely manage communications, whether interacting with individuals or \\nteams.\\n\\n\\n\\n\\nIf you have any questions please contact prosupport@gotenna.com.\\n\\n\\ngoTenna recommends users follow their secure operating  best practices https://support.gotennapro.com/s/article/Secure-Operating\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003egoTenna recommends that users follow these mitigations:\u003c/p\u003e\\n\u003cp\u003eGeneral Mitigations for All Users/Clients\u003c/p\u003e\\n\u003cul\u003e\\n\u003cli\u003eUse Discreet Callsigns and Key Names: Choose callsigns and key names\\n that do not disclose sensitive information, such as your location, team\\n size, or team name. Avoid using any identifiers that could \\ninadvertently reveal your location or the composition of your team.\u003c/li\u003e\\n\u003cli\u003eSecure End-User Devices: Implement strong security measures on all \\nend-user devices, including the use of encryption and ensuring regular \\nsoftware updates.\u003c/li\u003e\\n\u003cli\u003eFollow Key Rotation Best Practices: Regularly rotate encryption keys\\n according to industry best practices to maintain ongoing security.\u003c/li\u003e\\n\u003c/ul\u003e\\n\u003cp\u003ePro-Specific Mitigations\u003c/p\u003e\\n\u003cul\u003e\\n\u003cli\u003eShare Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\u003c/li\u003e\\n\u003cli\u003eSecure Broadcasting: When broadcasting, ensure you are in a secured \\narea and transmit the key at a reduced power of 0.5 Watts to limit \\nexposure.\u003c/li\u003e\\n\u003cli\u003eLeverage Layered Encryption: Implement layered encryption keys to \\nsecurely manage communications, whether interacting with individuals or \\nteams.\u003c/li\u003e\\n\u003c/ul\u003e\\n\u003cp\u003eIf you have any questions please contact \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\"\u003eprosupport@gotenna.com\u003c/a\u003e.\u003c/p\u003e\\n\u003cp\u003egoTenna recommends users follow their secure operating \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://support.gotennapro.com/s/article/Secure-Operating\\\"\u003ebest practices\u003c/a\u003e\u003c/p\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The goTenna Pro App encryption key name is always sent unencrypted when \\nthe key is shared over RF through a broadcast message. It is advised to \\nshare the encryption key via local QR for higher security operations.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\nThe goTenna Pro App encryption key name is always sent unencrypted when \\nthe key is shared over RF through a broadcast message. It is advised to \\nshare the encryption key via local QR for higher security operations.\\n\\n\u003c/span\u003e\\n\\n\u003c/span\u003e\\n\\n\u003c/span\u003e\\n\\n\u003c/span\u003e\\n\\n\u003c/span\u003e\\n\\n\u003c/span\u003e\\n\\n\u003c/span\u003e\\n\\n\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-201\", \"description\": \"CWE-201 Insertion of Sensitive Information Into Sent Data\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2024-10-17T17:37:51.475Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-47128\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-17T17:37:51.475Z\", \"dateReserved\": \"2024-09-18T21:32:27.325Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2024-09-26T17:28:32.604Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.