Gotenna
CVE-2024-45723
HIGH
Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (hq) · only source for this CVE.
CVSS VectorVendor: hq
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The goTenna Pro ATAK Plugin does not use SecureRandom when generating passwords for sharing cryptographic keys. The random function in use makes it easier for attackers to brute force this password if the broadcasted encryption key is captured over RF. This only applies to the optional broadcast of an encryption key, so it is advised to share the key with local QR code for higher security operations.
AnalysisAI
The goTenna Pro ATAK Plugin does not use SecureRandom when generating passwords for sharing cryptographic keys. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-338. The goTenna Pro ATAK Plugin does not use SecureRandom when generating passwords for sharing cryptographic keys. The random function in use makes it easier for attackers to brute force this password if the broadcasted encryption key is captured over RF. This only applies to the optional broadcast of an encryption key, so it is advised to share the key with local QR code for higher security operations. Affected products include: Gotenna.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. Rated medium severity (CVSS 5.3), th
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. Rated high severity (CVSS 7.3), this v
An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. Rated high severity (CVSS 7.3), this
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. Rated high severity (CVSS 7.1), this v
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. Rated medium severity (CVSS 6.5), this
The goTenna Pro ATAK plugin uses a weak password for sharing encryption keys via the key broadcast method. Rated medium
The goTenna Pro ATAK Plugin uses AES CTR type encryption for short, encrypted messages without any additional integrity
In the goTenna Pro ATAK Plugin there is a vulnerability that makes it possible to inject any custom message with any GID
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. Rated medium severity (CVSS 5.3), this
The goTenna Pro ATAK Plugin's default settings are to share Automatic Position, Location, and Information (PLI) updates
The goTenna Pro ATAK Plugin encryption key name is always sent unencrypted when the key is sent over RF through a broadc
An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. Rated medium severity (CVSS 4.3), th
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today