SB2024100140 - Multiple vulnerabilities in goTenna ATAK Plugin
Published: October 1, 2024
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Weak password requirements (CVE-ID: CVE-2024-45374)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to weak password requirements for the QR broadcast message. A remote attacker on the local network can decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast.
2) Insecure Storage of Sensitive Information (CVE-ID: CVE-2024-43694)
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists because the encryption keys are stored along with a static IV on the device. An authenticated attacker with physical access can decrypt all encrypted broadcast communications based on broadcast keys stored on the device.
3) Missing support for integrity check (CVE-ID: CVE-2024-43108)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the affected application uses AES CTR mode for short, encrypted messages without any additional integrity checking mechanisms. A remote attacker on the local network who can access the messages can alter them, because they are malleable.
4) Cleartext transmission of sensitive information (CVE-ID: CVE-2024-45838)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the affected application does not encrypt the callsigns of its users. A remote attacker with the ability to intercept network traffic can reveal information about the users.
5) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2024-45723)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the affected application does not use SecureRandom when generating its cryptographic keys. A remote attacker on the local network can gain unauthorized access to sensitive information on the system.
6) Improper Authentication (CVE-ID: CVE-2024-41722)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to a weak authentication mechanism. A remote attacker on the local network can inject any custom message with any GID and Callsign using a software defined radio in existing goTenna mesh networks.
7) Insertion of Sensitive Information Into Sent Data (CVE-ID: CVE-2024-41931)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the broadcast key name is always sent unencrypted and can reveal the location of operation. A remote attacker on the local network can gain unauthorized access to sensitive information on the system.
8) Observable Response Discrepancy (CVE-ID: CVE-2024-41715)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an observable response discrepancy. A remote attacker on the local network can tell the length of the payload regardless of the encryption used.
9) Insertion of Sensitive Information Into Sent Data (CVE-ID: CVE-2024-43814)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the affected plugin by default enables frequent unencrypted Position, Location and Information (PLI) transmission. A remote attacker on the local network can gain unauthorized access to sensitive information on the system.
Remediation
Install update from vendor's website.