CVE-2024-47123

5.3 MEDIUM

📋 TL;DR

The goTenna Pro App uses AES-CTR encryption without integrity checking, allowing attackers who can access encrypted messages to modify their content without detection. This affects all users of vulnerable versions of the goTenna Pro App who send encrypted messages.

💻 Affected Systems

Products:
  • goTenna Pro App
Versions: prior to current release (specific fixed version not provided in the CVE)
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects encrypted messages using the vulnerable AES-CTR implementation without integrity checking.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify encrypted messages to deliver malicious payloads, redirect communications, or inject false information while appearing legitimate.

🟠

Likely Case

Message tampering leading to data integrity issues, potential misinformation, or manipulation of communication content.

🟢

If Mitigated

With proper integrity checking (like AES-GCM), messages remain confidential and tamper-evident.
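The following Go program is an added illustration for this advisory, not code from the goTenna Pro App or its vendor. It shows the property the TL;DR and the "If Mitigated" case describe: AES-CTR output is plaintext XOR keystream, so a single byte of ciphertext can be rewritten and the receiver decodes the altered text with no indication that anything changed, whereas AES-GCM (an authenticated mode) rejects the identical edit before releasing any plaintext. The key, IVs, message and header are constructed demo values; the hypothetical function names (`ctrCrypt`, `tamperCTR`, `gcmSeal`, `gcmOpen`, `DemonstrateMalleability`) are this example's own, and the app's real message format is not known from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and nonces for this illustration only. A real implementation
// derives the key securely and uses a fresh, never-reused nonce for every message.
var demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
var demoCTRIV = []byte("ctr-demo-iv-0001")                // 16-byte initial counter block
var demoGCMNonce = []byte("gcm-nonce-01")                  // 12-byte GCM nonce

// ctrCrypt applies AES-CTR with no integrity tag: the flawed pattern this CVE describes.
// CTR is a stream construction, so the same call both encrypts and decrypts.
func ctrCrypt(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// tamperCTR models an edit by a party holding only the ciphertext: XORing a ciphertext
// byte with (old ^ new) rewrites the corresponding plaintext byte, and without an
// authentication tag nothing in the message reveals the change.
func tamperCTR(ct []byte, pos int, oldByte, newByte byte) []byte {
	t := append([]byte(nil), ct...)
	t[pos] ^= oldByte ^ newByte
	return t
}

// gcmSeal is the mitigated pattern: AES-GCM emits ciphertext plus an authentication tag
// and also binds unencrypted header data (aad), such as a message id, to the tag.
func gcmSeal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen verifies the tag before returning any plaintext; a modified byte anywhere in
// the ciphertext, tag or aad makes it return an error instead of data.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// DemonstrateMalleability runs both schemes over the same constructed message and returns
// what a CTR-only receiver decodes after the edit and whether GCM rejected that same edit.
func DemonstrateMalleability() (ctrResult string, gcmRejected bool, err error) {
	msg := []byte("MEET AT POINT A") // constructed sample message
	aad := []byte("msg-id:42")       // constructed header bound by GCM

	// Flawed scheme: CTR only. Change the final byte from 'A' to 'B'.
	ct, err := ctrCrypt(demoKey, demoCTRIV, msg)
	if err != nil {
		return "", false, err
	}
	pt, err := ctrCrypt(demoKey, demoCTRIV, tamperCTR(ct, len(msg)-1, 'A', 'B'))
	if err != nil {
		return "", false, err
	}
	ctrResult = string(pt) // receiver sees "MEET AT POINT B" and cannot tell

	// Mitigated scheme: the identical byte edit fails tag verification.
	sealed, err := gcmSeal(demoKey, demoGCMNonce, msg, aad)
	if err != nil {
		return "", false, err
	}
	_, openErr := gcmOpen(demoKey, demoGCMNonce, tamperCTR(sealed, len(msg)-1, 'A', 'B'), aad)
	gcmRejected = openErr != nil
	return ctrResult, gcmRejected, nil
}

func main() {
	res, rejected, err := DemonstrateMalleability()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CTR-only receiver decodes: %q (tampering undetected)\n", res)
	fmt.Printf("AES-GCM rejected the same edit: %v\n", rejected)
}
```

The defender-side lesson is the second half: with GCM (or any encrypt-then-MAC construction) the receiver gets an error rather than altered plaintext, which is also what makes the "failed integrity checks" log indicator in the Detection section possible once a fix is deployed.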

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires access to encrypted messages in transit or storage. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Current release (specific version not provided)

Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04

Restart Required: Yes

Instructions:

1. Open app store (Google Play Store or Apple App Store)
2. Search for 'goTenna Pro'
3. Check for updates
4. Install latest version
5. Restart the app

🔧 Temporary Workarounds

Disable Encrypted Messages

Applies to: all

Use unencrypted messages only (not recommended for sensitive communications)

🧯 If You Can't Patch

  • Avoid sending sensitive information via encrypted messages in the app
  • Use alternative secure communication methods for critical data

🔍 How to Verify

Check if Vulnerable:

Check app version in settings. If version is older than current release, it's likely vulnerable.

Check Version:

Open goTenna Pro App → Settings → About/Version

Verify Fix Applied:

Update to latest version from official app store and confirm version number matches current release.

📡 Detection & Monitoring

Log Indicators:

  • Unusual message modification patterns
  • Failed integrity checks (if implemented post-fix)

Network Indicators:

  • Man-in-the-middle attacks targeting goTenna communications
  • Unusual traffic patterns around message transmission

SIEM Query:

Not applicable - primarily client-side mobile app vulnerability

🔗 References
