Category: Security Feeds

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Low attack complexity
Vendor: Advantech
Equipment: ADAM-5630
Vulnerabilities: Use of Persistent Cookies Containing Sensitive Information

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to hijack a legitimate user’s session, perform cross-site request forgery, or cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Advantech’s ADAM are affected:

Advantech ADAM-5630: versions prior to v2.5.2

3.2 Vulnerability Overview
3.2.1 USE OF PERSISTENT COOKIES CONTAINING SENSITIVE INFORMATION CWE-539
Cookies of authenticated users remain as active valid cookies when a session is closed. Forging requests with a legitimate cookie, even if the session was terminated, allows an unauthorized attacker to act with the same level of privileges of the legitimate user.
CVE-2024-39275 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-39275. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
Cross-site request forgery (CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.
CVE-2024-28948 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-28948. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 WEAK ENCODING FOR PASSWORD CWE-261
User credentials are shared in plain text, between the device and the user source device, during the login process.
CVE-2024-34542 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-34542. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The device has built-in commands that can be executed without authenticating the user. These commands allow for restarting the operating system, rebooting the hardware, and stopping the execution. The commands can be sent to a simple HTTP request and are executed by the device automatically, without discrimination of origin or level of privileges of the user sending the commands.
CVE-2024-39364 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).
A CVSS v4 score has also been calculated for CVE-2024-39364. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER
Aarón Flecha Menéndez and Luis Villalba Pérez of S21sec reported these vulnerabilities to CISA.
4. MITIGATIONS
Advantech recommends users upgrade their ADAM-5630 devices to version 2.5.2.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

September 26, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Low attack complexity
Vendor: Advantech
Equipment: ADAM-5630
Vulnerabilities: Use of Persistent Cookies Containing Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to hijack a legitimate user’s session, perform cross-site request forgery, or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Advantech’s ADAM are affected:

Advantech ADAM-5630: versions prior to v2.5.2

3.2 Vulnerability Overview

3.2.1 USE OF PERSISTENT COOKIES CONTAINING SENSITIVE INFORMATION CWE-539

Cookies of authenticated users remain as active valid cookies when a session is closed. Forging requests with a legitimate cookie, even if the session was terminated, allows an unauthorized attacker to act with the same level of privileges of the legitimate user.

CVE-2024-39275 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39275. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

Cross-site request forgery (CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

CVE-2024-28948 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-28948. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 WEAK ENCODING FOR PASSWORD CWE-261

User credentials are shared in plain text, between the device and the user source device, during the login process.

CVE-2024-34542 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-34542. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The device has built-in commands that can be executed without authenticating the user. These commands allow for restarting the operating system, rebooting the hardware, and stopping the execution. The commands can be sent to a simple HTTP request and are executed by the device automatically, without discrimination of origin or level of privileges of the user sending the commands.

CVE-2024-39364 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39364. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Aarón Flecha Menéndez and Luis Villalba Pérez of S21sec reported these vulnerabilities to CISA.

4. MITIGATIONS

Advantech recommends users upgrade their ADAM-5630 devices to version 2.5.2.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

September 26, 2024: Initial Publication
 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Low attack complexity
Vendor: goTenna
Equipment: Pro ATAK Plugin
Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Insertion of Sensitive Information Into Sent Data

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of goTenna Pro ATAK Plugin, a mesh networking device, are affected:

goTenna Pro ATAK Plugin: Versions 1.9.12 and prior

3.2 Vulnerability Overview
3.2.1 Weak Password Requirements CWE-521
The goTenna Pro ATAK Plugin uses a weak password for the QR broadcast message. If the QR broadcast message is captured over RF it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast.
CVE-2024-45374 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-45374. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 Insecure Storage of Sensitive Information CWE-922
In the goTenna Pro ATAK Plugin application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted broadcast communications based on broadcast keys stored on the device.
CVE-2024-43694 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-43694. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.3 Missing Support for Integrity Check CWE-353
The goTenna Pro ATAK Plugin use AES CTR mode for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to any attacker that can access the message.
CVE-2024-43108 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)).
A CVSS v4 score has also been calculated for CVE-2024-43108. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.4 Cleartext Transmission of Sensitive Information CWE-319
The goTenna Pro ATAK Plugin does not encrypt the callsigns of its users. These callsigns reveal information about the users and can also be leveraged for other vulnerabilities.
CVE-2024-45838 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-45838. A base score of 2.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.5 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE-338
The goTenna Pro ATAK Plugin does not use SecureRandom when generating its cryptographic keys. The random function in use is not suitable for cryptographic use.
CVE-2024-45723 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-45723. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.6 Weak Authentication CWE-1390
In the goTenna Pro ATAK Plugin there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing gotenna mesh networks. This vulnerability can be exploited if the device is being used in a unencrypted environment or if the cryptography has already been compromised.
CVE-2024-41722 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-41722. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.7 Insertion of Sensitive Information Into Sent Data CWE-201
The goTenna Pro ATAK Plugin broadcast key name is always sent unencrypted and could reveal the location of operation.
CVE-2024-41931 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-41931. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.8 Observable Response Discrepancy CWE-204
The goTenna Pro ATAK Plugin has a payload length vulnerability that makes it possible to tell the length of the payload regardless of the encryption used.
CVE-2024-41715 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-41715. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.9 Insertion of Sensitive Information Into Sent Data CWE-201
goTenna Pro ATAK Plugin by default enables frequent unencrypted Position, Location and Information (PLI) transmission. This transmission is done without user’s knowledge, revealing the exact location transmitted in unencrypted form.
CVE-2024-43814 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-43814. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Government Services and Facilities
COUNTRIES/AREAS DEPLOYED: United States
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.
4. MITIGATIONS
goTenna recommends that users mitigate these vulnerabilities by performing the following updates:

ATAK Plugin: v2.0.7 or greater

goTenna recommends that users follow these mitigations:
General Mitigations for All Users/Clients

Use Discreet Callsigns and Key Names: Choose callsigns and key names that do not disclose sensitive information, such as your location, team size, or team name. Avoid using any identifiers that could inadvertently reveal your location or the composition of your team.
Secure End-User Devices: Implement strong security measures on all end-user devices, including the use of encryption and ensuring regular software updates.
Follow Key Rotation Best Practices: Regularly rotate encryption keys according to industry best practices to maintain ongoing security.

Pro-Specific Mitigations

Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.
Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure.
Leverage Layered Encryption: Implement layered encryption keys to securely manage communications, whether interacting with individuals or teams.

If you have any questions please contact prosupport@gotenna.com
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

September 26, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Low attack complexity
Vendor: goTenna
Equipment: Pro ATAK Plugin
Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Insertion of Sensitive Information Into Sent Data

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of goTenna Pro ATAK Plugin, a mesh networking device, are affected:

goTenna Pro ATAK Plugin: Versions 1.9.12 and prior

3.2 Vulnerability Overview

3.2.1 Weak Password Requirements CWE-521

The goTenna Pro ATAK Plugin uses a weak password for the QR broadcast message. If the QR broadcast message is captured over RF it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast.

CVE-2024-45374 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45374. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Insecure Storage of Sensitive Information CWE-922

In the goTenna Pro ATAK Plugin application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted broadcast communications based on broadcast keys stored on the device.

CVE-2024-43694 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-43694. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Missing Support for Integrity Check CWE-353

The goTenna Pro ATAK Plugin use AES CTR mode for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to any attacker that can access the message.

CVE-2024-43108 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)).

A CVSS v4 score has also been calculated for CVE-2024-43108. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.4 Cleartext Transmission of Sensitive Information CWE-319

The goTenna Pro ATAK Plugin does not encrypt the callsigns of its users. These callsigns reveal information about the users and can also be leveraged for other vulnerabilities.

CVE-2024-45838 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45838. A base score of 2.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE-338

The goTenna Pro ATAK Plugin does not use SecureRandom when generating its cryptographic keys. The random function in use is not suitable for cryptographic use.

CVE-2024-45723 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45723. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.6 Weak Authentication CWE-1390

In the goTenna Pro ATAK Plugin there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing gotenna mesh networks. This vulnerability can be exploited if the device is being used in a unencrypted environment or if the cryptography has already been compromised.

CVE-2024-41722 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41722. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.7 Insertion of Sensitive Information Into Sent Data CWE-201

The goTenna Pro ATAK Plugin broadcast key name is always sent unencrypted and could reveal the location of operation.

CVE-2024-41931 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41931. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.8 Observable Response Discrepancy CWE-204

The goTenna Pro ATAK Plugin has a payload length vulnerability that makes it possible to tell the length of the payload regardless of the encryption used.

CVE-2024-41715 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41715. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.9 Insertion of Sensitive Information Into Sent Data CWE-201

goTenna Pro ATAK Plugin by default enables frequent unencrypted Position, Location and Information (PLI) transmission. This transmission is done without user’s knowledge, revealing the exact location transmitted in unencrypted form.

CVE-2024-43814 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-43814. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Government Services and Facilities
COUNTRIES/AREAS DEPLOYED: United States
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.

4. MITIGATIONS

goTenna recommends that users mitigate these vulnerabilities by performing the following updates:

ATAK Plugin: v2.0.7 or greater

goTenna recommends that users follow these mitigations:

General Mitigations for All Users/Clients

Use Discreet Callsigns and Key Names: Choose callsigns and key names that do not disclose sensitive information, such as your location, team size, or team name. Avoid using any identifiers that could inadvertently reveal your location or the composition of your team.
Secure End-User Devices: Implement strong security measures on all end-user devices, including the use of encryption and ensuring regular software updates.
Follow Key Rotation Best Practices: Regularly rotate encryption keys according to industry best practices to maintain ongoing security.

Pro-Specific Mitigations

Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.
Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure.
Leverage Layered Encryption: Implement layered encryption keys to securely manage communications, whether interacting with individuals or teams.

If you have any questions please contact prosupport@gotenna.com

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

September 26, 2024: Initial Publication
 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Atelmo
Equipment: Atemio AM 520 HD Full HD Satellite Receiver
Vulnerability: OS Command Injection

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthorized attacker to execute system commands with elevated privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Atelmo Atemio AM 520 HD, a satellite receiver, are affected:

Atemio AM 520 HD: TitanNit 2.01 and prior

3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
The device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the ‘getcommand’ query within the application, allowing the attacker to gain root access.
CVE-2024-9166 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-9166. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Germany
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
CISA discovered a public Proof of Concept (PoC) as authored by Gjoko Krstic and reported it to Atelmo.
4. MITIGATIONS
Atelmo has stated that this product has been discontinued. There are no service or support addresses that can be contacted.
For more information, contact Atelmo.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

September 26, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Atelmo
Equipment: Atemio AM 520 HD Full HD Satellite Receiver
Vulnerability: OS Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthorized attacker to execute system commands with elevated privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Atelmo Atemio AM 520 HD, a satellite receiver, are affected:

Atemio AM 520 HD: TitanNit 2.01 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

The device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the ‘getcommand’ query within the application, allowing the attacker to gain root access.

CVE-2024-9166 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-9166. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Germany
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by Gjoko Krstic and reported it to Atelmo.

4. MITIGATIONS

Atelmo has stated that this product has been discontinued. There are no service or support addresses that can be contacted.

For more information, contact Atelmo.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 26, 2024: Initial Publication
 Read More

 ​CISA released five Industrial Control Systems (ICS) advisories on September 26, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

IICSA-24-270-01 Advantech ADAM-5550
ICSA-24-270-02 Advantech ADAM-5630
ICSA-24-270-03 Atelmo Atemio AM 520 HD Full HD Satellite Receiver
ICSA-24-270-04 goTenna Pro X and Pro X2
ICSA-24-270-05 goTenna Pro ATAK Plugin

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released five Industrial Control Systems (ICS) advisories on September 26, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

IICSA-24-270-01 Advantech ADAM-5550
ICSA-24-270-02 Advantech ADAM-5630
ICSA-24-270-03 Atelmo Atemio AM 520 HD Full HD Satellite Receiver
ICSA-24-270-04 goTenna Pro X and Pro X2
ICSA-24-270-05 goTenna Pro ATAK Plugin

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Low attack complexity
Vendor: Advantech
Equipment: ADAM-5550
Vulnerabilities: Weak Encoding for Password, Cross-site Scripting

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a remote attacker to intercept the easily decodable credentials of a legitimate user to gain full access to the device and could plant malicious code on the web page of the device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Advantech’s ADAM, are affected:

Advantech ADAM 5550: All versions

3.2 Vulnerability Overview
3.2.1 WEAK ENCODING FOR PASSWORD CWE-261
User credentials are shared with a low level of encryption, consisting of base 64 encoding.
CVE-2024-37187 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-37187. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
Advantech ADAM 5550’s web application includes a “logs” page where all the HTTP requests received are displayed to the user. The device doesn’t correctly neutralize malicious code when parsing HTTP requests to generate page output.
CVE-2024-38308 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-38308. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER
Aarón Flecha Menéndez and Luis Villalba Pérez of S21sec reported these vulnerabilities to CISA.
4. MITIGATIONS
ADAM-5550 is currently being phased out, and Advantech strongly recommends all ADAM-5550 users upgrade to ADAM-5630 firmware version 2.5.2 or higher.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

September 26, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Low attack complexity
Vendor: Advantech
Equipment: ADAM-5550
Vulnerabilities: Weak Encoding for Password, Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote attacker to intercept the easily decodable credentials of a legitimate user to gain full access to the device and could plant malicious code on the web page of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Advantech’s ADAM, are affected:

Advantech ADAM 5550: All versions

3.2 Vulnerability Overview

3.2.1 WEAK ENCODING FOR PASSWORD CWE-261

User credentials are shared with a low level of encryption, consisting of base 64 encoding.

CVE-2024-37187 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-37187. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Advantech ADAM 5550’s web application includes a “logs” page where all the HTTP requests received are displayed to the user. The device doesn’t correctly neutralize malicious code when parsing HTTP requests to generate page output.

CVE-2024-38308 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-38308. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Aarón Flecha Menéndez and Luis Villalba Pérez of S21sec reported these vulnerabilities to CISA.

4. MITIGATIONS

ADAM-5550 is currently being phased out, and Advantech strongly recommends all ADAM-5550 users upgrade to ADAM-5630 firmware version 2.5.2 or higher.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

September 26, 2024: Initial Publication
 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Low attack complexity
Vendor: goTenna
Equipment: Pro series
Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Improper Restriction of Communication Channel to Intended Endpoints, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Missing Authentication for Critical Function

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of goTenna Pro series, mesh networking device, are affected:

goTenna Pro App: versions 1.6.1 and prior

3.2 Vulnerability Overview
3.2.1 Weak Password Requirements CWE-521
The goTenna Pro series uses a weak password for the QR broadcast message. If the QR broadcast message is captured over RF it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast.
CVE-2024-47121 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-47121. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 Insecure Storage of Sensitive Information CWE-922
In the goTenna Pro application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted communications that include P2P, Group, and broadcast messages that use these keys.
CVE-2024-47122 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-47122. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.3 Missing Support for Integrity Check CWE-353
The goTenna Pro series use AES CTR mode for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to any attacker that can access the message.
CVE-2024-47123 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)).
A CVSS v4 score has also been calculated for CVE-2024-47123. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.4 Cleartext Transmission of Sensitive Information CWE-319
The goTenna pro series does not encrypt the callsigns of its users. These callsigns reveal information about the users and can also be leveraged for other vulnerabilities.
CVE-2024-47124 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-47124. A base score of 2.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.5 Improper Restriction of Communication Channel to Intended Endpoints CWE-923
The goTenna Pro series does not authenticate public keys which allows an unauthenticated attacker to intercept and manipulate messages.
CVE-2024-47125 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-47125. A base score of 7.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.6 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE-338
The goTenna Pro series does not use SecureRandom when generating its cryptographic keys. The random function in use is not suitable for cryptographic use.
CVE-2024-47126 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-47126. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.7 Weak Authentication CWE-1390
In the goTenna Pro there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing gotenna mesh networks. This vulnerability can be exploited if the device is being used in a unencrypted environment or if the cryptography has already been compromised.
CVE-2024-47127 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-47127. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.8 Insertion of Sensitive Information Into Sent Data CWE-201
The goTenna Pro broadcast key name is always sent unencrypted and could reveal the location of operation.
CVE-2024-47128 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-47128. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.9 Observable Response Discrepancy CWE-204
The goTenna Pro has a payload length vulnerability that makes it possible to tell the length of the payload regardless of the encryption used.
CVE-2024-47129 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-47129. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.10 Missing Authentication for Critical Function CWE-306
The goTenna Pro series allows unauthenticated attackers to remotely update the local public keys used for P2P and Group messages.
CVE-2024-47130 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-47130. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Government Services, and Facilities
COUNTRIES/AREAS DEPLOYED: United States
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.
4. MITIGATIONS
goTenna recommends that users mitigate these vulnerabilities by performing the following updates:

Android Pro: v2.0.3 or greater
iOS Pro users please contact goTenna so they can push this update directly to users.

goTenna recommends that users follow these mitigations:
General Mitigations for All Users/Clients

Use Discreet Callsigns and Key Names: Choose callsigns and key names that do not disclose sensitive information, such as your location, team size, or team name. Avoid using any identifiers that could inadvertently reveal your location or the composition of your team.
Secure End-User Devices: Implement strong security measures on all end-user devices, including the use of encryption and ensuring regular software updates.
Follow Key Rotation Best Practices: Regularly rotate encryption keys according to industry best practices to maintain ongoing security.

Pro-Specific Mitigations

Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.
Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure.
Leverage Layered Encryption: Implement layered encryption keys to securely manage communications, whether interacting with individuals or teams.

If you have any questions please contact prosupport@gotenna.com.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

September 26, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Low attack complexity
Vendor: goTenna
Equipment: Pro series
Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Improper Restriction of Communication Channel to Intended Endpoints, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of goTenna Pro series, mesh networking device, are affected:

goTenna Pro App: versions 1.6.1 and prior

3.2 Vulnerability Overview

3.2.1 Weak Password Requirements CWE-521

The goTenna Pro series uses a weak password for the QR broadcast message. If the QR broadcast message is captured over RF it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast.

CVE-2024-47121 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47121. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Insecure Storage of Sensitive Information CWE-922

In the goTenna Pro application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted communications that include P2P, Group, and broadcast messages that use these keys.

CVE-2024-47122 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47122. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Missing Support for Integrity Check CWE-353

The goTenna Pro series use AES CTR mode for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to any attacker that can access the message.

CVE-2024-47123 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)).

A CVSS v4 score has also been calculated for CVE-2024-47123. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.4 Cleartext Transmission of Sensitive Information CWE-319

The goTenna pro series does not encrypt the callsigns of its users. These callsigns reveal information about the users and can also be leveraged for other vulnerabilities.

CVE-2024-47124 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47124. A base score of 2.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Improper Restriction of Communication Channel to Intended Endpoints CWE-923

The goTenna Pro series does not authenticate public keys which allows an unauthenticated attacker to intercept and manipulate messages.

CVE-2024-47125 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47125. A base score of 7.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.6 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE-338

The goTenna Pro series does not use SecureRandom when generating its cryptographic keys. The random function in use is not suitable for cryptographic use.

CVE-2024-47126 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47126. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.7 Weak Authentication CWE-1390

In the goTenna Pro there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing gotenna mesh networks. This vulnerability can be exploited if the device is being used in a unencrypted environment or if the cryptography has already been compromised.

CVE-2024-47127 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47127. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.8 Insertion of Sensitive Information Into Sent Data CWE-201

The goTenna Pro broadcast key name is always sent unencrypted and could reveal the location of operation.

CVE-2024-47128 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47128. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.9 Observable Response Discrepancy CWE-204

The goTenna Pro has a payload length vulnerability that makes it possible to tell the length of the payload regardless of the encryption used.

CVE-2024-47129 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47129. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.10 Missing Authentication for Critical Function CWE-306

The goTenna Pro series allows unauthenticated attackers to remotely update the local public keys used for P2P and Group messages.

CVE-2024-47130 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47130. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Government Services, and Facilities
COUNTRIES/AREAS DEPLOYED: United States
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.

4. MITIGATIONS

goTenna recommends that users mitigate these vulnerabilities by performing the following updates:

Android Pro: v2.0.3 or greater
iOS Pro users please contact goTenna so they can push this update directly to users.

goTenna recommends that users follow these mitigations:

General Mitigations for All Users/Clients

Use Discreet Callsigns and Key Names: Choose callsigns and key names that do not disclose sensitive information, such as your location, team size, or team name. Avoid using any identifiers that could inadvertently reveal your location or the composition of your team.
Secure End-User Devices: Implement strong security measures on all end-user devices, including the use of encryption and ensuring regular software updates.
Follow Key Rotation Best Practices: Regularly rotate encryption keys according to industry best practices to maintain ongoing security.

Pro-Specific Mitigations

Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.
Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure.
Leverage Layered Encryption: Implement layered encryption keys to securely manage communications, whether interacting with individuals or teams.

If you have any questions please contact prosupport@gotenna.com.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

September 26, 2024: Initial Publication
 Read More

 ​Today, the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. and international partners released the joint guide Detecting and Mitigating Active Directory Compromises. This guide informs organizations of recommended strategies to mitigate common techniques used by malicious actors to compromise Active Directory.
Active Directory is the most widely used authentication and authorization solution in enterprise information technology (IT) networks globally. Malicious actors routinely target Active Directory as part of efforts to compromise enterprise IT networks by escalating privileges and targeting the highest confidential user objects.  
Responding to and recovering from malicious activity involving Active Directory can be consuming, costly, and disruptive. CISA encourages organizations review the guidance and implement the recommended mitigations to improve Active Directory security.
To learn more about taking a top-down approach to developing secure products, visit CISA’s Secure by Design webpage.  

Today, the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. and international partners released the joint guide Detecting and Mitigating Active Directory Compromises. This guide informs organizations of recommended strategies to mitigate common techniques used by malicious actors to compromise Active Directory.

Active Directory is the most widely used authentication and authorization solution in enterprise information technology (IT) networks globally. Malicious actors routinely target Active Directory as part of efforts to compromise enterprise IT networks by escalating privileges and targeting the highest confidential user objects.  

Responding to and recovering from malicious activity involving Active Directory can be consuming, costly, and disruptive. CISA encourages organizations review the guidance and implement the recommended mitigations to improve Active Directory security.

To learn more about taking a top-down approach to developing secure products, visit CISA’s Secure by Design webpage. 

 Read More

 ​As Hurricane Helene approaches, CISA urges users to remain on alert for potential malicious cyber activity. Fraudulent emails and social media messages—often containing malicious links or attachments—are common after major natural disasters. Exercise caution in handling emails with hurricane-related subject lines, attachments, or hyperlinks. In addition, be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events. 
CISA encourages users to review the following resources to avoid falling victim to malicious cyber activity: 

Federal Trade Commission’s Staying Alert to Disaster-related Scams and Before Giving to a Charity, 

Consumer Financial Protection Bureau’s Frauds and scams, and 

CISA’s Phishing Guidance, Stopping the Attack Cycle at Phase One to help organizations reduce likelihood and impact of successful phishing attacks.  

 Read More

​The FBI is warning timeshare owners to be wary of a prevalent telemarketing scam involving a violent Mexican drug cartel that tries to trick elderly people into believing someone wants to buy their property. This is the story of a couple who recently lost more than $50,000 to an ongoing timeshare scam that spans at least two dozen phony escrow, title and realty firms. 

The FBI is warning timeshare owners to be wary of a prevalent telemarketing scam involving a violent Mexican drug cartel that tries to trick people into believing someone wants to buy their property. This is the story of a couple who recently lost more than $50,000 to an ongoing timeshare scam that spans at least two dozen phony escrow, title and realty firms.

One evening in late 2022, someone phoned Mr. & Mrs. Dimitruk, a retired couple from Ontario, Canada and asked whether they’d ever considered selling their timeshare in Florida. The person on the phone referenced their timeshare address and said they had an interested buyer in Mexico. Would they possibly be interested in selling it?

The Dimitruks had purchased the timeshare years ago, but it wasn’t fully paid off — they still owed roughly $5,000 before they could legally sell it. That wouldn’t be an issue for this buyer, the man on the phone assured them.

With a few days, their contact at a escrow company in New York called ecurrencyescrow[.]llc faxed them forms to fill out and send back to start the process of selling their timeshare to the potential buyer, who had offered an amount that was above what the property was likely worth.

After certain forms were signed and faxed, the Dimitruks were asked to send a small wire transfer of more than $3,000 to handle “administrative” and “processing” fees, supposedly so that the sale would not be held up by any bureaucratic red tape down in Mexico.

These document exchanges went on for almost a year, during which time the real estate brokers made additional financial demands, such as tax payments on the sale, and various administrative fees. Mrs. Dimitruk even sent them a $5,000 wire to pay off her remaining balance on the timeshare they thought they were selling.

In a phone interview with KrebsOnSecurity, Mr. Dimitruk said they lost over $50,000.

“They kept calling me after that saying, ‘Hey your money is waiting for you here’,” said William Dimitruk, a 73-year-old retired long-haul truck driver. “They said ‘We’re going to get in trouble if the money isn’t returned to you,’ and gave me a toll-free number to call them at.”

In the last call he had with the scammers, the man on the other end of the line confessed that some bad people had worked for them previously, but that those employees had been fired.

“Near the end of the call he said, ‘You’ve been dealing with some bad people and we fired all those bad guys,’” Dimitruk recalled. “So they were like, yeah it’s all good. You can go ahead and pay us more and we’ll send you your money.”

According to the FBI, there are indeed some very bad people behind these scams. The FBI warns the timeshare fraud schemes have been linked to the Jalisco New Generation drug cartel in Mexico.

In July 2024, the FBI and the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) warned the Jalisco cartel is running boiler room-like call centers that target people who own timeshares:

“Mexico-based [transnational criminal organizations] such as the Jalisco New Generation Cartel are increasingly targeting U.S. owners of timeshares in Mexico through complex and often yearslong telemarketing, impersonation, and advance fee schemes. They use the illicit proceeds to diversify their revenue streams and finance other criminal activities, including the manufacturing and trafficking of illicit fentanyl and other synthetic drugs into the United States.”

A July 2024 CBS News story about these scams notes that U.S. and Mexican officials last year confirmed that as many as eight young workers were confirmed dead after they apparently tried to quit jobs at a call center operated by the Jalisco cartel.

The phony escrow company the Dimitruks dealt with — ecurrencyescrow[.]llc — is no longer online. But the documents sent by their contact there referenced a few other still-active domains, including realestateassetsllc[.]com

The original registration records of both of these domains reference another domain — datasur[.]host — that is associated with dozens of other real estate and escrow-themed domains going back at least four years. Some of these domains are no longer active, while others have been previously suspended at different hosting providers.

061nyr[.]net
061-newyorkrealty[.]net
1nydevelopersgroupllc[.]com
1oceanrealtyllc[.]com
advancedclosingservicesllc[.]com
americancorporatetitle[.]com
asesorialegalsiglo[.]com
atencion-tributaria.[]com
carolinasctinc[.]net
closingandsettlementservices[.]com
closingandsettlementsllc[.]com
closingsettlementllc[.]com
crefaescrowslimited[.]net
ecurrencyescrow[.]llc
empirerllc[.]com
fiduciarocitibanamex[.]com
fondosmx[.]org
freightescrowcollc[.]com
goldmansachs-investment[.]com
hgvccorp[.]com
infodivisionfinanciera[.]com
internationaladvisorllc[.]com
jadehillrealtyllc[.]com
lewisandassociaterealty[.]com
nyreputable[.]org
privateinvestment.com[.]co
realestateassetsllc[.]com
realestateisinc[.]com
settlementandmanagement[.]com
stllcservices[.]com
stllcservices[.]net
thebluehorizonrealtyinc[.]com
walshrealtyny[.]net
windsorre[.]com

By loading ecurrencyescrowllc[.]com into the Wayback Machine at archive.org, we can see text at the top of the page that reads, “Visit our resource library for videos and tools designed to make managing your escrow disbursements a breeze.”

Searching on that bit of text at publicwww.com shows the same text appears on the website of an escrow company called Escshieldsecurity Network (escshieldsecurity[.]com). This entity claims to have been around since 2009, but the domain itself is less than two years old, and there is no contact information associated with the site. The Pennsylvania Secretary of State also has no record of a business by this name at its stated address.

Incredibly, Escshieldsecurity pitches itself as a solution to timeshare closing scams.

“By 2015, cyber thieves had realized the amount of funds involved and had targeted the real estate, title and settlement industry,” the company’s website states. “As funding became more complex and risky, agents and underwriters had little time or resources to keep up. The industry needed a simple solution that allowed it to keep pace with new funding security needs.”

The domains associated with this scam will often reference legitimate companies and licensed professionals in the real estate and closing businesses, but those real professionals often have no idea they’re being impersonated until someone starts asking around. The truth is, the original reader tip that caused KrebsOnSecurity to investigate this scheme came from one such professional whose name and reputation was being used to scam others.

It is unclear whether the Dimitruks were robbed by people working for the Jalisco cartel, but it is clear that whoever is responsible for managing many of the above-mentioned domains — including the DNS provider datasur[.]host — recently compromised their computer with information-stealing malware.

That’s according to data collected by the breach tracking service Constella Intelligence [Constella is currently an advertiser on KrebsOnSecurity]. Constella found that someone using the email address exposed in the DNS records for datasur[.]host — jyanes1920@gmail.com — also was relieved of credentials for managing most of the domains referenced above at a Mexican hosting provider.

It’s not unusual for victims of such scams to keep mum about their misfortune. Sometimes, it’s shame and embarrassment that prevents victims from filing a report with the local authorities. But in this case, victims who learn they’ve been robbed by a violent drug cartel have even more reason to remain silent.

William Dimitruk acknowledged that he and his wife haven’t yet filed a police report. But after acknowledging it could help prevent harm to other would-be victims, Mr. Dimitruk said he would consider it.

There is another reason victims of scams like this should notify authorities: Occasionally, the feds will bust up one of these scam operations and seize funds that were stolen from victims. But those investigations can take years, and it can be even more years before the government starts trying to figure out who got scammed and how to remunerate victims. All too often, the real impediment to returning some of those losses is that the feds have no idea who the victims are.

If you are the victim of a timeshare scam like this, please consider filing a report with the FBI’s Internet Crime Complaint Center (IC3), at ic3.gov. Other places where victims may wish to file a complaint:

Federal Trade Commission – https://www.ftccomplaintassistant.gov
International Consumer Protection and Enforcement Network – https://www.econsumer.gov/en
Profeco – Mexican Attorney General – https://consulmex.sre.gob.mx/montreal/index.php/en/foreigners/services-foreigners/318-consumer-protection

 

​Read More

 ​Citrix released security updates to address multiple vulnerabilities in XenServer and Citrix Hypervisor. A cyber threat actor could exploit some of these vulnerabilities to cause a denial of service condition. 
CISA encourages users and administrators to review the following and apply necessary updates: 

XenServer and Citrix Hypervisor Security Update for CVE-2024-45817 

Citrix released security updates to address multiple vulnerabilities in XenServer and Citrix Hypervisor. A cyber threat actor could exploit some of these vulnerabilities to cause a denial of service condition. 

CISA encourages users and administrators to review the following and apply necessary updates: 

XenServer and Citrix Hypervisor Security Update for CVE-2024-45817
 Read More