{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45838", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-09-24T14:22:20.114Z", "datePublished": "2024-09-26T17:31:45.575Z", "dateUpdated": "2024-10-17T16:54:51.865Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Pro ATAK Plugin", "vendor": "goTenna", "versions": [{"lessThanOrEqual": "1.9.12", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA."}], "datePublic": "2024-09-26T13:19:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The goTenna Pro ATAK Plugin does not encrypt callsigns in messages. It \nis advised to not use sensitive information in callsigns when using this\n and previous versions of the plugin. Update to current plugin version \nwhich uses AES-256 encryption for callsigns in encrypted operation"}], "value": "The goTenna Pro ATAK Plugin does not encrypt callsigns in messages. It \nis advised to not use sensitive information in callsigns when using this\n and previous versions of the plugin. Update to current plugin version \nwhich uses AES-256 encryption for callsigns in encrypted operation"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 2.3, "baseSeverity": "LOW", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-10-17T16:54:51.865Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p></p>\n<p>goTenna recommends that users mitigate these vulnerabilities by performing the following updates:</p>\n<ul>\n<li>ATAK Plugin: v2.0.7 or greater</li>\n</ul><br>"}], "value": "goTenna recommends that users mitigate these vulnerabilities by performing the following updates:\n\n\n\n * ATAK Plugin: v2.0.7 or greater"}], "source": {"advisory": "ICSA-24-270-05", "discovery": "EXTERNAL"}, "title": "goTenna Pro ATAK Plugin Cleartext Transmission of Sensitive Information", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>goTenna recommends that users follow these mitigations:</p>\n<p>General Mitigations for All Users/Clients</p>\n<ul>\n<li>Use Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.</li>\n<li>Secure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.</li>\n<li>Follow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.</li>\n</ul>\n<p>Pro-Specific Mitigations</p>\n<ul>\n<li>Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.</li>\n<li>Secure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.</li>\n<li>Leverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.</li>\n</ul>\n<p>If you have any questions please contact <a target=\"_blank\" rel=\"nofollow\">prosupport@gotenna.com</a></p>goTenna recommends that users Follow their secure operating <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.gotennapro.com/s/article/Secure-Operating\">best practices</a>."}], "value": "goTenna recommends that users follow these mitigations:\n\n\nGeneral Mitigations for All Users/Clients\n\n\n\n * Use Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\n\n * Secure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\n\n * Follow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\n\n\n\n\nPro-Specific Mitigations\n\n\n\n * Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\n\n * Secure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\n\n * Leverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\n\n\n\n\nIf you have any questions please contact best practices https://support.gotennapro.com/s/article/Secure-Operating ."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "gotenna", "product": "pro_atak_plugin", "cpes": ["cpe:2.3:a:gotenna:pro_atak_plugin:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.9.12", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-26T18:05:22.538965Z", "id": "CVE-2024-45838", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T18:06:06.029Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45838", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-26T18:05:22.538965Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:gotenna:pro_atak_plugin:*:*:*:*:*:*:*:*"], "vendor": "gotenna", "product": "pro_atak_plugin", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.9.12"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T18:05:51.099Z"}}], "cna": {"title": "goTenna Pro ATAK Plugin Cleartext Transmission of Sensitive Information", "source": {"advisory": "ICSA-24-270-05", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "goTenna", "product": "Pro ATAK Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.9.12"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "goTenna recommends that users mitigate these vulnerabilities by performing the following updates:\n\n\n\n * ATAK Plugin: v2.0.7 or greater", "supportingMedia": [{"type": "text/html", "value": "<p></p>\n<p>goTenna recommends that users mitigate these vulnerabilities by performing the following updates:</p>\n<ul>\n<li>ATAK Plugin: v2.0.7 or greater</li>\n</ul><br>", "base64": false}]}], "datePublic": "2024-09-26T13:19:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05", "tags": ["government-resource"]}], "workarounds": [{"lang": "en", "value": "goTenna recommends that users follow these mitigations:\n\n\nGeneral Mitigations for All Users/Clients\n\n\n\n * Use Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\n\n * Secure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\n\n * Follow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\n\n\n\n\nPro-Specific Mitigations\n\n\n\n * Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\n\n * Secure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\n\n * Leverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\n\n\n\n\nIf you have any questions please contact best practices https://support.gotennapro.com/s/article/Secure-Operating .", "supportingMedia": [{"type": "text/html", "value": "<p>goTenna recommends that users follow these mitigations:</p>\n<p>General Mitigations for All Users/Clients</p>\n<ul>\n<li>Use Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.</li>\n<li>Secure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.</li>\n<li>Follow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.</li>\n</ul>\n<p>Pro-Specific Mitigations</p>\n<ul>\n<li>Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.</li>\n<li>Secure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.</li>\n<li>Leverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.</li>\n</ul>\n<p>If you have any questions please contact <a target=\"_blank\" rel=\"nofollow\">prosupport@gotenna.com</a></p>goTenna recommends that users Follow their secure operating <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.gotennapro.com/s/article/Secure-Operating\">best practices</a>.", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The goTenna Pro ATAK Plugin does not encrypt callsigns in messages. It \nis advised to not use sensitive information in callsigns when using this\n and previous versions of the plugin. Update to current plugin version \nwhich uses AES-256 encryption for callsigns in encrypted operation", "supportingMedia": [{"type": "text/html", "value": "The goTenna Pro ATAK Plugin does not encrypt callsigns in messages. It \nis advised to not use sensitive information in callsigns when using this\n and previous versions of the plugin. Update to current plugin version \nwhich uses AES-256 encryption for callsigns in encrypted operation", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-10-17T16:54:51.865Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45838", "state": "PUBLISHED", "dateUpdated": "2024-10-17T16:54:51.865Z", "dateReserved": "2024-09-24T14:22:20.114Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2024-09-26T17:31:45.575Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gotenna:gotenna:*:*:*:*:*:atak:*:*", "matchCriteriaId": "911C90A4-A8B6-4263-8BC8-066B33EDA943", "versionEndExcluding": "2.0.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The goTenna Pro ATAK Plugin does not encrypt callsigns in messages. It \nis advised to not use sensitive information in callsigns when using this\n and previous versions of the plugin. Update to current plugin version \nwhich uses AES-256 encryption for callsigns in encrypted operation"}, {"lang": "es", "value": "El complemento ATAK de goTenna Pro no cifra los indicativos de sus usuarios. Estos indicativos revelan informaci\u00f3n sobre los usuarios y tambi\u00e9n pueden aprovecharse para otras vulnerabilidades."}], "id": "CVE-2024-45838", "lastModified": "2024-10-17T17:15:12.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "NONE"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2024-09-26T18:15:08.170", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}