PatchSiren cyber security CVE debrief
CVE-2024-43108 goTenna CVE debrief
goTenna Pro ATAK Plugin versions 1.9.12 and earlier use AES-CTR encryption for short messages without integrity checking mechanisms, leaving ciphertext malleable to attackers with message access. The vulnerability allows integrity compromise (CVSS 5.3 MEDIUM) but does not enable confidentiality breaches or availability impacts. CISA published this advisory on September 26, 2024, with an update on October 17, 2024 revising the vulnerability overview and mitigations. goTenna released ATAK Plugin version 2.0.7 with enhanced encryption protocols to address this weakness.
- Vendor
- goTenna
- Product
- Pro ATAK Plugin
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-09-26
- Original CVE updated
- 2024-10-17
- Advisory published
- 2024-09-26
- Advisory updated
- 2024-10-17
Who should care
Organizations using goTenna Pro ATAK Plugin for tactical communications in military, emergency response, law enforcement, or critical infrastructure protection contexts where message integrity is essential for operational safety and decision-making.
Technical summary
The goTenna Pro ATAK Plugin implements AES-CTR mode encryption without message authentication codes (MAC) or authenticated encryption with associated data (AEAD). CTR mode produces a keystream XORed with plaintext; without integrity verification, an attacker with ciphertext access can flip bits in the ciphertext to produce predictable changes in decrypted plaintext. The attack requires adjacent network access (AV:A) and high attack complexity (AC:H) per CVSS 3.1 scoring. The vulnerability affects confidentiality and availability not at all (C:N, A:N) but enables high integrity impact (I:H). Version 2.0.7 introduces enhanced encryption protocols presumed to add authentication. Operational mitigations include key management hygiene, reduced transmission power, and layered encryption architectures.
Defensive priority
MEDIUM
Recommended defensive actions
- Update goTenna Pro ATAK Plugin to version 2.0.7 or greater to obtain enhanced encryption protocols with integrity protection
- Use discreet callsigns and key names that do not disclose location, team size, or team composition
- Implement strong device security measures including encryption and regular software updates on all end-user devices
- Rotate encryption keys regularly according to industry best practices
- Exchange encryption keys via QR code rather than over-the-air transmission when possible
- When broadcasting keys, operate from secured areas at reduced power (0.5 Watts) to limit exposure
- Implement layered encryption keys for secure individual and team communications
- Contact [email protected] for technical support questions
Evidence notes
Advisory ICSA-24-270-05 (Update A) from CISA documents the AES-CTR implementation without message authentication codes or authenticated encryption, confirming malleability under attacker access. CVSS 3.1 vector AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N reflects adjacent network attack vector, high attack complexity, and high integrity impact. Remediation guidance specifies ATAK Plugin v2.0.7 or greater as the fixed version.
Official resources
-
CVE-2024-43108 CVE record
CVE.org
-
CVE-2024-43108 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-09-26