PatchSiren cyber security CVE debrief

CVE-2024-41722 goTenna CVE debrief

A medium-severity vulnerability in the goTenna Pro ATAK Plugin allows message injection with arbitrary GID and Callsign values using software-defined radio in existing goTenna mesh networks. The vulnerability is exploitable when devices operate in unencrypted environments or when cryptography has been compromised. The issue was disclosed by CISA on September 26, 2024, with an update published October 17, 2024 revising the Vulnerability Overview and Mitigations sections. Affected versions are 1.9.12 and earlier. goTenna addresses the vulnerability in version 2.0.7 or greater. The vendor additionally recommends operational security measures including QR-code-based encryption key sharing, discreet callsign selection, key rotation, reduced-power broadcasting of keys, and layered encryption for team communications.

Vendor: goTenna
Product: Pro ATAK Plugin
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-09-26
Original CVE updated: 2024-10-17
Advisory published: 2024-09-26
Advisory updated: 2024-10-17

Who should care

Organizations deploying goTenna Pro mesh networks for tactical or emergency communications, particularly those using the ATAK Plugin integration. Security teams responsible for operational technology (OT) and industrial control system (ICS) communications in field environments. Military, law enforcement, and emergency response units relying on goTenna Pro for off‑grid communications.

Technical summary

The goTenna Pro ATAK Plugin versions 1.9.12 and earlier contain a vulnerability permitting arbitrary message injection with spoofed GID and Callsign values via software-defined radio on existing goTenna mesh networks. Exploitation requires either absence of encryption or prior cryptographic compromise. The attack vector is adjacent network (AV:A) with low attack complexity. Confidentiality impact is high; integrity and availability impacts are none. Remediation is available through plugin update to version 2.0.7 or greater. Defense in depth requires enabling encryption with QR‑code‑based key exchange, operational security for callsign selection, key rotation, reduced‑power key broadcasting, and layered encryption architectures.

Defensive priority

medium

Recommended defensive actions

  • Update goTenna Pro ATAK Plugin to version 2.0.7 or greater
  • Enable encryption using QR‑code‑based key sharing for all operational deployments
  • Select discreet callsigns and key names that do not reveal location, team size, or team identity
  • Implement regular encryption key rotation following industry best practices
  • Secure all end‑user devices with encryption and maintain current software updates
  • When broadcasting encryption keys, do so from secured areas at reduced power (0.5 Watts)
  • Apply layered encryption keys to manage individual and team communications securely
  • Contact goTenna Pro support at [email protected] for assistance with secure operating practices

Evidence notes

Vulnerability description and remediation guidance sourced from CISA CSAF advisory ICSA-24-270-05. CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates adjacent network attack vector with high confidentiality impact. Affected product version <=1.9.12 confirmed in CSAF product tree. Remediation version 2.0.7 or greater specified in vendor mitigations. Update A (October 17, 2024) revised Vulnerability Overview and Mitigations per revision history.
