CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45838 – goTenna Pro ATAK Plugin Cleartext Transmission of Sensitive Information
https://notcve.org/view.php?id=CVE-2024-45838
The goTenna Pro ATAK Plugin does not encrypt the callsigns of its users. These callsigns reveal information about the users and can also be leveraged for other vulnerabilities. The goTenna Pro ATAK Plugin does not encrypt callsigns in messages. It is advised to not use sensitive information in callsigns when using this and previous versions of the plugin. Update to current plugin version which uses AES-256 encryption for callsigns in encrypted operation • https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43108 – goTenna Pro ATAK Plugin Missing Support for Integrity Check
https://notcve.org/view.php?id=CVE-2024-43108
The goTenna Pro ATAK Plugin use AES CTR mode for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to any attacker that can access the message. The goTenna Pro ATAK Plugin uses AES CTR type encryption for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to an attacker that can access the message. It is advised to continue to use encryption in the plugin and update to the current release for enhanced encryption protocols. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05 • CWE-353: Missing Support for Integrity Check •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43694 – goTenna Pro ATAK Plugin Insecure Storage of Sensitive Information
https://notcve.org/view.php?id=CVE-2024-43694
In the goTenna Pro ATAK Plugin application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted broadcast communications based on broadcast keys stored on the device. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05 • CWE-922: Insecure Storage of Sensitive Information •
CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45374 – goTenna Pro ATAK Plugin Weak Password Requirements
https://notcve.org/view.php?id=CVE-2024-45374
In the goTenna Pro ATAK Plugin application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted broadcast communications based on broadcast keys stored on the device. The goTenna Pro ATAK plugin uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and password is cracked via brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05 • CWE-521: Weak Password Requirements •