CVE-2024-47130: Addressing Missing Authentication for Critical Function in goTenna Pro
Understanding CVE-2024-47130: Missing Authentication for Critical Function in goTenna Pro
The CVE-2024-47130 vulnerability is a critical security flaw affecting the goTenna Pro series. Identified by researchers Erwin Karincic, Clayton Smith, and Dale Wooden, this vulnerability allows unauthenticated attackers to remotely update the local public keys used for P2P and Group messages in goTenna Pro devices. This can lead to severe security implications, including unauthorized access to sensitive communications.
Key Details:
CVE ID: CVE-2024-47130
Reported By: Erwin Karincic, Clayton Smith, and Dale Wooden
Affected Product: goTenna Pro
Affected Versions: Versions less than or equal to 1.61
Severity: High (CVSS Score: 8.7)
Issue: Missing Authentication for Critical Function
The vulnerability (CWE-306) stems from a lack of authentication protocols for critical functionalities, specifically the local public keys used in encrypted communications. An attacker with adjacent network access can exploit this to update public keys, leading to potential breaches and unauthorized message interception.
Mitigating CVE-2024-47130: Steps to Secure Your goTenna Pro Devices
To mitigate this vulnerability, goTenna recommends the following updates and best practices:
Software Updates:
- Android Pro: Upgrade to version 2.0.3 or greater.
- iOS Pro Users: Contact goTenna directly to receive the necessary updates.
General Security Practices:
- Use Discreet Callsigns and Key Names: Avoid using identifiers that disclose sensitive information such as location, team size, or team name.
- Secure End-User Devices: Implement strong security measures including encryption and regular software updates.
- Key Rotation: Regularly rotate encryption keys following industry best practices to maintain security integrity.
Pro-Specific Mitigations:
- Share Encryption Keys via QR Code: Utilize QR codes for secure encryption key exchanges.
- Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure.
- Leverage Layered Encryption: Implement layered encryption keys to securely manage communications.
For further assistance, contact goTenna support at: [email protected].
By following these mitigation strategies, goTenna Pro users can significantly reduce the risk posed by CVE-2024-47130 and enhance their overall security posture.