CVE-2024-47130

Missing Authentication for Critical Function (CWE-306)

Published: Sep 26, 2024 / Updated: 54d ago

CVSS 8.7 / EPSS 0.04% / Severity: High

Summary

The goTenna Pro series allows unauthenticated attackers to remotely update the local public keys used for P2P and Group messages.

Impact

A goTenna Pro device trusts whatever public key it currently holds for a peer or group. If that key can be replaced by anyone who can reach the device, an attacker can substitute a key they control: messages the device then encrypts to that peer become readable by the attacker, and messages the attacker signs with the substituted key are accepted as coming from the legitimate peer. That is a man-in-the-middle position over P2P and Group messaging, with loss of confidentiality and integrity, and it can also be used to disrupt communication by breaking the key agreement between real peers. Both CVSS vectors rate the attack vector as Adjacent (AV:A), so the attacker must be on the device's local or mesh link rather than reaching it from the Internet, and no privileges or user interaction are needed. Note that the two vectors disagree on impact: the CVSS 4.0 vector scores confidentiality, integrity and availability all High (8.7), while the CVSS 3.1 vector scores only integrity High (6.5).

Exploitation

There is no evidence of a public proof-of-concept, and no evidence of exploitation in the wild at the time of writing.

Patch

Based on the provided information, there is no mention of an available patch for this vulnerability.

Mitigation

The page records no vendor-specific mitigation. General measures for a device that accepts public-key updates over the network:

1. Require authentication for key-management operations: accept a new key only when the request is signed by the key currently trusted for that peer, or when it arrives over a channel that was authenticated during pairing.
2. Log every key-update attempt, accepted or refused, and alert on unsolicited updates; after the fact, the log is the only way to notice that a key was substituted.
3. Limit who can reach the key-update interface. The CVSS attack vector is Adjacent, so the exposure is the device's local or mesh link, not the Internet.
4. Apply goTenna Pro series firmware updates as soon as the vendor ships a fix.
5. Disable remote key-update functionality if the deployment does not need it.
6. For sensitive communications, verify peer keys out of band (for example by comparing key fingerprints) rather than relying on keys learned over the air, and consider an additional layer of end-to-end encryption.
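The difference between the flaw described in the Summary and mitigation items 1 and 2 above can be shown in a few dozen lines. The following is an added illustration written for this page, not goTenna's code: the KeyUpdate message layout, the peer names, and the rule that a rotation must be signed by the key currently trusted for that peer are all assumptions made for the example. The vulnerable path (UpdateUnauthenticated) stores whatever key it is handed, which is the CWE-306 pattern; the hardened path (UpdateAuthenticated) verifies the signature against the existing key, rejects replays with a per-peer counter, and writes an audit entry for every refused update.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyUpdate is a hypothetical "peer announces a new public key" message.
// The layout is an assumption for this example, not the goTenna Pro wire format.
type KeyUpdate struct {
	PeerID  string
	Counter uint64            // strictly increasing per peer; stale values are replays
	NewKey  ed25519.PublicKey // key the sender wants the device to trust from now on
	Sig     []byte            // signature over (PeerID, Counter, NewKey) by the peer's CURRENT key
}

// signedBytes is the byte string the rotation signature covers.
func signedBytes(u KeyUpdate) []byte {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], u.Counter)
	buf := append([]byte(u.PeerID), ctr[:]...)
	return append(buf, u.NewKey...)
}

// KeyStore holds the public key a device trusts for each peer or group,
// plus an audit log of refused updates (mitigation item 2 above).
type KeyStore struct {
	keys     map[string]ed25519.PublicKey
	counters map[string]uint64
	Rejected []string
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keys: map[string]ed25519.PublicKey{}, counters: map[string]uint64{}}
}

// Enroll records the key learned during out-of-band pairing.
func (s *KeyStore) Enroll(peerID string, key ed25519.PublicKey) { s.keys[peerID] = key }

// TrustedKey returns the key currently trusted for a peer.
func (s *KeyStore) TrustedKey(peerID string) ed25519.PublicKey { return s.keys[peerID] }

// UpdateUnauthenticated is the CWE-306 pattern the advisory describes:
// whoever can reach the device may replace the stored key, no questions asked.
func (s *KeyStore) UpdateUnauthenticated(u KeyUpdate) { s.keys[u.PeerID] = u.NewKey }

// UpdateAuthenticated accepts a rotation only if it is signed by the key currently
// trusted for that peer and carries a fresh counter; anything else is refused and logged.
func (s *KeyStore) UpdateAuthenticated(u KeyUpdate) error {
	current, ok := s.keys[u.PeerID]
	switch {
	case !ok:
		return s.reject(u, "unknown peer")
	case u.Counter <= s.counters[u.PeerID]:
		return s.reject(u, "stale counter, possible replay")
	case len(u.NewKey) != ed25519.PublicKeySize:
		return s.reject(u, "malformed key")
	case !ed25519.Verify(current, signedBytes(u), u.Sig):
		return s.reject(u, "not signed by the trusted key")
	}
	s.keys[u.PeerID] = u.NewKey
	s.counters[u.PeerID] = u.Counter
	return nil
}

func (s *KeyStore) reject(u KeyUpdate, why string) error {
	entry := fmt.Sprintf("refused key update for %q (counter %d): %s", u.PeerID, u.Counter, why)
	s.Rejected = append(s.Rejected, entry)
	return errors.New(entry)
}

// SignUpdate builds a rotation signed with signer, the private half of the key
// the receiving device currently trusts for peerID.
func SignUpdate(peerID string, counter uint64, newKey ed25519.PublicKey, signer ed25519.PrivateKey) KeyUpdate {
	u := KeyUpdate{PeerID: peerID, Counter: counter, NewKey: newKey}
	u.Sig = ed25519.Sign(signer, signedBytes(u))
	return u
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing crypto/rand is not recoverable here
	}
	return pub, priv
}

// DemoResult summarises the scenario run by Demo.
type DemoResult struct {
	VulnerableTrustsAttacker bool // unauthenticated store ends up holding the attacker's key
	FixedTrustsLegit         bool // authenticated store ends up holding Alice's rotated key
	RejectedCount            int  // audit entries written by the authenticated store
}

// Demo plays the attack against both stores: an attacker in range pushes their
// own key as "alice", then Alice performs a genuine rotation, then it is replayed.
func Demo() (DemoResult, error) {
	alicePub, alicePriv := genKey()
	aliceNewPub, _ := genKey()
	attackerPub, attackerPriv := genKey()
	vuln, fixed := NewKeyStore(), NewKeyStore()
	vuln.Enroll("alice", alicePub)
	fixed.Enroll("alice", alicePub)
	forged := SignUpdate("alice", 1, attackerPub, attackerPriv) // attacker can only sign with their own key
	vuln.UpdateUnauthenticated(forged)
	if err := fixed.UpdateAuthenticated(forged); err == nil {
		return DemoResult{}, errors.New("forged update was accepted")
	}
	legit := SignUpdate("alice", 1, aliceNewPub, alicePriv) // continuity proven by the old key
	if err := fixed.UpdateAuthenticated(legit); err != nil {
		return DemoResult{}, err
	}
	if err := fixed.UpdateAuthenticated(legit); err == nil { // captured rotation replayed later
		return DemoResult{}, errors.New("replayed update was accepted")
	}
	return DemoResult{
		VulnerableTrustsAttacker: vuln.TrustedKey("alice").Equal(attackerPub),
		FixedTrustsLegit:         fixed.TrustedKey("alice").Equal(aliceNewPub),
		RejectedCount:            len(fixed.Rejected),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

Signing a rotation with the previous key only covers the rotation case; the first key for a peer still has to be enrolled over a channel that is authenticated some other way (pairing, an out-of-band fingerprint check), otherwise an attacker who is present at enrolment wins before any of these checks apply. The counter is kept per peer so that a genuine rotation captured by an attacker cannot be replayed to roll a device back to an older, possibly compromised, key.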

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-47130. See article

Sep 26, 2024 at 2:41 PM / All CISA Advisories
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 26, 2024 at 4:43 PM
CVE Assignment

NVD published the first details for CVE-2024-47130

Sep 26, 2024 at 6:15 PM
CVSS

A CVSS base score of 8.7 has been assigned.

Sep 26, 2024 at 6:20 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.6%)

Sep 27, 2024 at 9:37 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Oct 4, 2024 at 5:50 PM / nvd
CVSS

A CVSS base score of 6.5 has been assigned.

Oct 4, 2024 at 6:00 PM / nvd

Affected Systems

Gotenna/gotenna_pro

Attack Patterns

CAPEC-12: Choosing Message Identifier

CVSS V3.1

Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
