CVE-2024-45374

Name of the Vulnerable Software and Affected Versions goTenna Pro ATAK plugin (affected versions not specified)

Description The issue concerns the use of weak passwords for sharing encryption keys via the key broadcast method in the goTenna Pro ATAK plugin. If the broadcasted encryption key is captured and the password is cracked via a brute force attack, it is possible to decrypt the key and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This issue only applies when the key is broadcasted over RF. Additionally, the encryption keys are stored along with a static IV on the device, allowing for complete decryption of keys stored on the device and enabling an attacker to decrypt all encrypted broadcast communications based on broadcast keys stored on the device.

Recommendations As a temporary workaround, consider using local QR encryption key sharing for additional security. Restrict the use of the key broadcast method over RF to minimize the risk of exploitation. Avoid using the static IV for encryption key storage until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.