{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41722",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T18:31:26.019721Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T18:31:39.315Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Pro ATAK Plugin",
          "vendor": "goTenna",
          "versions": [
            {
              "lessThanOrEqual": "1.9.12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA."
        }
      ],
      "datePublic": "2024-09-26T13:19:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In the goTenna Pro ATAK Plugin there is a vulnerability that makes it \npossible to inject any custom message with any GID and Callsign using a \nsoftware defined radio in existing goTenna mesh networks. This \nvulnerability can be exploited if the device is being used in an \nunencrypted environment or if the cryptography has already been \ncompromised. It is advised to use encryption shared with local QR code \nfor higher security operations."
            }
          ],
          "value": "In the goTenna Pro ATAK Plugin there is a vulnerability that makes it \npossible to inject any custom message with any GID and Callsign using a \nsoftware defined radio in existing goTenna mesh networks. This \nvulnerability can be exploited if the device is being used in an \nunencrypted environment or if the cryptography has already been \ncompromised. It is advised to use encryption shared with local QR code \nfor higher security operations."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1390",
              "description": "CWE-1390",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-17T16:59:45.950Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003c/p\u003e\n\u003cp\u003egoTenna recommends that users mitigate these vulnerabilities by performing the following updates:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eATAK Plugin: v2.0.7 or greater\u003c/li\u003e\n\u003c/ul\u003e\u003cbr\u003e"
            }
          ],
          "value": "goTenna recommends that users mitigate these vulnerabilities by performing the following updates:\n\n\n\n  *  ATAK Plugin: v2.0.7 or greater"
        }
      ],
      "source": {
        "advisory": "ICSA-24-270-05",
        "discovery": "EXTERNAL"
      },
      "title": "goTenna Pro ATAK Plugin Weak Authentication",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003egoTenna recommends that users follow these mitigations:\u003c/p\u003e\n\u003cp\u003eGeneral Mitigations for All Users/Clients\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUse Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\u003c/li\u003e\n\u003cli\u003eSecure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\u003c/li\u003e\n\u003cli\u003eFollow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003ePro-Specific Mitigations\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eShare Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\u003c/li\u003e\n\u003cli\u003eSecure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\u003c/li\u003e\n\u003cli\u003eLeverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIf you have any questions please contact \u003ca target=\"_blank\" rel=\"nofollow\"\u003eprosupport@gotenna.com\u003c/a\u003e\u003c/p\u003egoTenna recommends that users Follow their secure operating \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.gotennapro.com/s/article/Secure-Operating\"\u003ebest practices\u003c/a\u003e."
            }
          ],
          "value": "goTenna recommends that users follow these mitigations:\n\n\nGeneral Mitigations for All Users/Clients\n\n\n\n  *  Use Discreet Callsigns and Key Names: Choose callsigns and key names\n that do not disclose sensitive information, such as your location, team\n size, or team name. Avoid using any identifiers that could \ninadvertently reveal your location or the composition of your team.\n\n  *  Secure End-User Devices: Implement strong security measures on all \nend-user devices, including the use of encryption and ensuring regular \nsoftware updates.\n\n  *  Follow Key Rotation Best Practices: Regularly rotate encryption keys\n according to industry best practices to maintain ongoing security.\n\n\n\n\nPro-Specific Mitigations\n\n\n\n  *  Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.\n\n  *  Secure Broadcasting: When broadcasting, ensure you are in a secured \narea and transmit the key at a reduced power of 0.5 Watts to limit \nexposure.\n\n  *  Leverage Layered Encryption: Implement layered encryption keys to \nsecurely manage communications, whether interacting with individuals or \nteams.\n\n\n\n\nIf you have any questions please contact  best practices https://support.gotennapro.com/s/article/Secure-Operating ."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2024-41722",
    "datePublished": "2024-09-26T17:39:46.735Z",
    "dateReserved": "2024-09-24T14:22:20.129Z",
    "dateUpdated": "2024-10-17T16:59:45.950Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}