CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47123 – Missing Support for Integrity Check in goTenna Pro
https://notcve.org/view.php?id=CVE-2024-47123
The goTenna Pro series use AES CTR mode for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to any attacker that can access the message. The goTenna Pro App uses AES CTR type encryption for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to an attacker that can access the message. It is recommended to continue to use encryption in the app and update to the current release for more secure operations. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04 • CWE-353: Missing Support for Integrity Check •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47122 – Insecure Storage of Sensitive Information in goTenna Pro
https://notcve.org/view.php?id=CVE-2024-47122
In the goTenna Pro application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted communications that include P2P, Group, and broadcast messages that use these keys. In the goTenna Pro App, the encryption keys are stored along with a static IV on the End User Device (EUD). This allows for complete decryption of keys stored on the EUD if physically compromised. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04 • CWE-922: Insecure Storage of Sensitive Information •
CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47121 – Weak Passwords Requirements in goTenna Pro
https://notcve.org/view.php?id=CVE-2024-47121
The goTenna Pro series uses a weak password for the QR broadcast message. If the QR broadcast message is captured over RF it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast. The goTenna Pro App uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and password is cracked via brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04 • CWE-521: Weak Password Requirements •
CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45374 – goTenna Pro ATAK Plugin Weak Password Requirements
https://notcve.org/view.php?id=CVE-2024-45374
In the goTenna Pro ATAK Plugin application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted broadcast communications based on broadcast keys stored on the device. The goTenna Pro ATAK plugin uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and password is cracked via brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05 • CWE-521: Weak Password Requirements •