CVE-2024-47125

8.1 HIGH

📋 TL;DR

The goTenna Pro App fails to authenticate public keys, allowing unauthenticated attackers to intercept and manipulate messages. This affects all users of vulnerable versions of the goTenna Pro App, potentially compromising communication integrity and confidentiality.

💻 Affected Systems

Products:
  • goTenna Pro App
Versions: All versions prior to current release with enhanced encryption protocols
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects mobile applications used with goTenna Pro mesh networking devices

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could intercept, modify, or inject false messages into communications, potentially leading to operational disruption, misinformation, or data leakage in critical scenarios.

🟠 Likely Case

Message manipulation leading to communication integrity issues, potential data interception, and loss of trust in the communication system.

🟢 If Mitigated

With proper controls and updates, risk is minimized to acceptable levels with authenticated encryption protocols.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires proximity to the target network but does not require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Current release with enhanced encryption protocols

Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04

Restart Required: Yes

Instructions:

1. Open your device's app store (Google Play Store or Apple App Store)
2. Search for 'goTenna Pro'
3. If an update is available, tap 'Update'
4. After update completes, restart the app

🔧 Temporary Workarounds

Disable App Usage (applies to: all)

Temporarily stop using the goTenna Pro App until it is updated.

Network Segmentation (applies to: all)

Isolate goTenna Pro networks from critical infrastructure.

🧯 If You Can't Patch

  • Discontinue use of goTenna Pro App for sensitive communications
  • Implement additional encryption layer for critical messages

🔍 How to Verify

Check if Vulnerable:

Check the app version in the device settings; if it is not the current release with enhanced encryption protocols, the app is vulnerable.

Check Version:

Check the app version in the device's app settings or in the app store listing.

Verify Fix Applied:

Verify that the app version matches the current release and confirm that the encryption protocols are functioning.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected message format errors
  • Authentication failures in communication logs
  • Unusual message patterns

Network Indicators:

  • Unencrypted or improperly authenticated message traffic
  • Suspicious network activity near goTenna devices

SIEM Query:

Search goTenna Pro app logs for authentication failures or message integrity alerts.
