The goTenna Pro App does not authenticate public keys which allows an
unauthenticated attacker to manipulate messages. It is advised to update
your app to the current release for enhanced encryption protocols.
Fixes

Solution

goTenna recommends that users mitigate these vulnerabilities by performing the following updates: * Android Pro: v2.0.3 or greater * iOS Pro: v2.0.3 or greater


Workaround

goTenna recommends that users follow these mitigations: General Mitigations for All Users/Clients * Use Discreet Callsigns and Key Names: Choose callsigns and key names that do not disclose sensitive information, such as your location, team size, or team name. Avoid using any identifiers that could inadvertently reveal your location or the composition of your team. * Secure End-User Devices: Implement strong security measures on all end-user devices, including the use of encryption and ensuring regular software updates. * Follow Key Rotation Best Practices: Regularly rotate encryption keys according to industry best practices to maintain ongoing security. Pro-Specific Mitigations * Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys. * Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure. * Leverage Layered Encryption: Implement layered encryption keys to securely manage communications, whether interacting with individuals or teams. If you have any questions please contact prosupport@gotenna.com . goTenna recommends users follow their secure operating best practices https://support.gotennapro.com/s/article/Secure-Operating

History

Thu, 17 Oct 2024 17:45:00 +0000

Type Values Removed Values Added
Description The goTenna Pro series does not authenticate public keys which allows an unauthenticated attacker to intercept and manipulate messages. The goTenna Pro App does not authenticate public keys which allows an unauthenticated attacker to manipulate messages. It is advised to update your app to the current release for enhanced encryption protocols.
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Mon, 07 Oct 2024 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gotenna:gotenna_pro:*:*:*:*:*:*:*:* cpe:2.3:a:gotenna:gotenna_pro:*:*:*:*:*:android:*:*
cpe:2.3:a:gotenna:gotenna_pro:*:*:*:*:*:iphone_os:*:*

Fri, 04 Oct 2024 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Gotenna gotenna Pro
Weaknesses CWE-287
CPEs cpe:2.3:a:gotenna:gotenna_pro:*:*:*:*:*:*:*:*
Vendors & Products Gotenna gotenna Pro
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Thu, 26 Sep 2024 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Gotenna
Gotenna pro App
CPEs cpe:2.3:a:gotenna:pro_app:*:*:*:*:*:*:*:*
Vendors & Products Gotenna
Gotenna pro App
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Sep 2024 17:30:00 +0000

Type Values Removed Values Added
Description The goTenna Pro series does not authenticate public keys which allows an unauthenticated attacker to intercept and manipulate messages.
Title Improper Restriction of Communication Channel to Intended Endpoints in goTenna Pro
Weaknesses CWE-923
References
Metrics cvssV4_0

{'score': 7.6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2024-10-17T17:30:55.944Z

Reserved: 2024-09-18T21:32:27.325Z

Link: CVE-2024-47125

cve-icon Vulnrichment

Updated: 2024-09-26T18:27:52.937Z

cve-icon NVD

Status : Modified

Published: 2024-09-26T18:15:09.430

Modified: 2024-10-17T18:15:06.123

Link: CVE-2024-47125

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.