SB2024093086 - Multiple vulnerabilities in goTenna Pro App

Description

This security bulletin contains information about 10 secuirty vulnerabilities.

1) Weak password requirements (CVE-ID: CVE-2024-47121)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to weak password requirements for the QR broadcast message. A remote attacker on the local network can decrypt the QR broadcast message and use it to decrypt all future and past messages sent via encrypted broadcast.

2) Insecure Storage of Sensitive Information (CVE-ID: CVE-2024-47122)

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to the encryption keys are stored along with a static IV on the device. An attacker with physical access can decrypt all encrypted communications that include P2P, Group, and broadcast messages that use these keys.

3) Missing support for integrity check (CVE-ID: CVE-2024-47123)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected application uses AES CTR mode for short, encrypted messages without any additional integrity checking mechanisms. A remote attacker on the local network can access the messages and cause them to be malleable.

4) Cleartext transmission of sensitive information (CVE-ID: CVE-2024-47124)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the affected pplication does not encrypt the callsigns of its users. A remote attacker with ability to intercept network traffic can reveal information about the users.

5) Improper restriction of communication channel to intended endpoints (CVE-ID: CVE-2024-47125)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected application does not authenticate public keys. A remote attacker on the local network can intercept and manipulate messages.

6) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2024-47126)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected application does not use SecureRandom when generating its cryptographic keys. A remote attacker on the local network can gain unauthorized access to sensitive information on the system.

7) Observable Response Discrepancy (CVE-ID: CVE-2024-47129)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the observable response discrepancy issue. A remote attacker on the local network can tell the length of the payload regardless of the encryption used.

8) Missing Authentication for Critical Function (CVE-ID: CVE-2024-47130)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to missing authentication for critical function. A remote attacker on the local network can update the local public keys used for P2P and Group messages.

9) Insertion of Sensitive Information Into Sent Data (CVE-ID: CVE-2024-47128)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the broadcast key name is always sent unencrypted and can reveal the location of operation. A remote attacker on the local network can gain unauthorized access to sensitive information on the system.

10) Improper Authentication (CVE-ID: CVE-2024-47127)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to a weak authentication mechanism. A remote attacker on the local network can inject any custom message with any GID and Callsign using a software defined radio in existing gotenna mesh networks.

Remediation

Install update from vendor's website.

References

• https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04