Vulnerability Description
An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-10-05, as used in COVID-19 applications on Android and iOS. The encrypted metadata block with a TX value lacks a checksum, allowing bitflipping to amplify a contamination attack. This can cause metadata deanonymization and risk-score inflation. NOTE: the vendor's position is "We do not believe that TX power authentication would be a useful defense against relay attacks."
CVSS Score
5.9 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Exposure Notifications Project | Exposure Notifications | <= 2020-10-05 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/159496/GAEN-Protocol-Metadata-Deanonymizati (Exploit, Third Party Advisory, VDB Entry)
- http://seclists.org/fulldisclosure/2020/Oct/12 (Exploit, Mailing List, Third Party Advisory)
- https://blog.google/inside-google/company-announcements/update-exposure-notifica (Third Party Advisory)
- https://github.com/google/exposure-notifications-internals/blob/main/en-risks-an (Third Party Advisory)
FAQ
What is CVE-2020-24722?
CVE-2020-24722 is a vulnerability with a CVSS score of 5.9 (MEDIUM). An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-10-05, as used in COVID-19 applications on Android and iOS. The encrypted metadata block with a TX v...
How severe is CVE-2020-24722?
CVE-2020-24722 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2020-24722?
Check the references section above for vendor advisories and patch information. Affected products include the Exposure Notifications Project's Exposure Notifications (versions through 2020-10-05).