Vulnerabilites related to ETSI - TETRA Standard
CVE-2022-24403 (GCVE-0-2022-24403)
Vulnerability from cvelistv5
Published
2023-12-05 13:54
Modified
2024-08-03 04:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Summary
The TETRA TA61 identity encryption function internally uses a 64-bit value derived exclusively from the SCK (Class 2 networks) or CCK (Class 3 networks). The structure of TA61 allows for efficient recovery of this 64-bit value, allowing an adversary to encrypt or decrypt arbitrary identities given only three known encrypted/unencrypted identity pairs.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ETSI | TETRA Standard |
Version: TA61 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:13:55.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "TETRA Standard",
"vendor": "ETSI",
"versions": [
{
"status": "affected",
"version": "TA61"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "The TETRA TA61 identity encryption function internally uses a 64-bit value derived exclusively from the SCK (Class 2 networks) or CCK (Class 3 networks). The structure of TA61 allows for efficient recovery of this 64-bit value, allowing an adversary to encrypt or decrypt arbitrary identities given only three known encrypted/unencrypted identity pairs."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:A/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "De-anonymization attack in TETRA"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-24403",
"datePublished": "2023-12-05T13:54:32.045Z",
"dateReserved": "2022-02-04T04:43:09.527Z",
"dateUpdated": "2024-08-03T04:13:55.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24404 (GCVE-0-2022-24404)
Vulnerability from cvelistv5
Published
2023-10-19 09:31
Modified
2024-08-03 04:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-353 - Missing Support for Integrity Check
Summary
Lack of cryptographic integrity check on TETRA air-interface encrypted traffic. Since a stream cipher is employed, this allows an active adversary to manipulate cleartext data in a bit-by-bit fashion.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ETSI | TETRA Standard |
Version: all |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24404",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T14:21:17.085076Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T14:21:24.663Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:13:55.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "TETRA Standard",
"vendor": "ETSI",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "Lack of cryptographic integrity check on TETRA air-interface encrypted traffic. Since a stream cipher is employed, this allows an active adversary to manipulate cleartext data in a bit-by-bit fashion."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L/E:U/RL:U/RC:R/CR:H/IR:H/AR:H/MAV:A/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:H/MA:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-353",
"description": "Missing Support for Integrity Check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "Ciphertext Malleability in TETRA"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-24404",
"datePublished": "2023-10-19T09:31:43.802Z",
"dateReserved": "2022-02-04T04:43:09.528Z",
"dateUpdated": "2024-08-03T04:13:55.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24402 (GCVE-0-2022-24402)
Vulnerability from cvelistv5
Published
2023-10-19 09:32
Modified
2024-09-12 20:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-334 - Small Space of Random Values
Summary
The TETRA TEA1 keystream generator implements a key register initialization function that compresses the 80-bit key to only 32 bits for usage during the keystream generation phase, which is insufficient to safeguard against exhaustive search attacks.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ETSI | TETRA Standard |
Version: TEA1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:13:55.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24402",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T20:31:22.585350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T20:31:31.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TETRA Standard",
"vendor": "ETSI",
"versions": [
{
"status": "affected",
"version": "TEA1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "The TETRA TEA1 keystream generator implements a key register initialization function that compresses the 80-bit key to only 32 bits for usage during the keystream generation phase, which is insufficient to safeguard against exhaustive search attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:A/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-334",
"description": "Small Space of Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "Intentionally weakened effective strength in TETRA TEA1"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-24402",
"datePublished": "2023-10-19T09:32:23.476Z",
"dateReserved": "2022-02-04T04:43:09.527Z",
"dateUpdated": "2024-09-12T20:31:31.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24400 (GCVE-0-2022-24400)
Vulnerability from cvelistv5
Published
2023-10-19 09:33
Modified
2024-09-12 20:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-807 - Reliance on Untrusted Inputs in a Security Decision
Summary
A flaw in the TETRA authentication procecure allows a MITM adversary that can predict the MS challenge RAND2 to set session key DCK to zero.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ETSI | TETRA Standard |
Version: all |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:13:55.207Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24400",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T20:29:57.134658Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T20:30:58.123Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "TETRA Standard",
"vendor": "ETSI",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw in the TETRA authentication procecure allows a MITM adversary that can predict the MS challenge RAND2 to set session key DCK to zero."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R/CR:H/IR:H/AR:H/MAV:A/MAC:H/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "DCK pinning attack in TETRA"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-24400",
"datePublished": "2023-10-19T09:33:28.366Z",
"dateReserved": "2022-02-04T04:43:09.526Z",
"dateUpdated": "2024-09-12T20:30:58.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24401 (GCVE-0-2022-24401)
Vulnerability from cvelistv5
Published
2023-10-19 09:32
Modified
2024-08-03 04:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-323 - Reusing a Nonce, Key Pair in Encryption
Summary
Adversary-induced keystream re-use on TETRA air-interface encrypted traffic using any TEA keystream generator. IV generation is based upon several TDMA frame counters, which are frequently broadcast by the infrastructure in an unauthenticated manner. An active adversary can manipulate the view of these counters in a mobile station, provoking keystream re-use. By sending crafted messages to the MS and analyzing MS responses, keystream for arbitrary frames can be recovered.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ETSI | TETRA Standard |
Version: all |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:13:55.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "TETRA Standard",
"vendor": "ETSI",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "Adversary-induced keystream re-use on TETRA air-interface encrypted traffic using any TEA keystream generator. IV generation is based upon several TDMA frame counters, which are frequently broadcast by the infrastructure in an unauthenticated manner. An active adversary can manipulate the view of these counters in a mobile station, provoking keystream re-use. By sending crafted messages to the MS and analyzing MS responses, keystream for arbitrary frames can be recovered."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:A/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "Reusing a Nonce, Key Pair in Encryption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "Keystream recovery for arbitrary frames in TETRA"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-24401",
"datePublished": "2023-10-19T09:32:53.702Z",
"dateReserved": "2022-02-04T04:43:09.526Z",
"dateUpdated": "2024-08-03T04:13:55.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}