CVE-2020-24722 : An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-10-05, as used in CO

An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-10-05, as used in COVID-19 applications on Android and iOS. The encrypted metadata block with a TX value lacks a checksum, allowing bitflipping to amplify a contamination attack. This can cause metadata deanonymization and risk-score inflation. NOTE: the vendor's position is "We do not believe that TX power authentication would be a useful defense against relay attacks.

Published 2020-10-07 15:15:13

Updated 2024-04-11 01:07:57

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2020-24722

Probability of exploitation activity in the next 30 days: 2.42%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 89 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-24722

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.6	LOW	AV:N/AC:H/Au:N/C:N/I:P/A:N	4.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2020-24722

CWE-294 Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-24722

https://github.com/google/exposure-notifications-internals/blob/main/en-risks-and-mitigations-faq.md#additional-considerations

exposure-notifications-internals/en-risks-and-mitigations-faq.md at main · google/exposure-notifications-internals · GitHub
Third Party Advisory
http://seclists.org/fulldisclosure/2020/Oct/12

Full Disclosure: CVE-2020-24722: GAEN Protocol Metadata Deanonymization and Risk-score Inflation Issues
Exploit;Mailing List;Third Party Advisory
https://blog.google/inside-google/company-announcements/update-exposure-notifications

An update on Exposure Notifications
Third Party Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/159496/GAEN-Protocol-Metadata-Deanonymization-Risk-Score-Inflation.html

GAEN Protocol Metadata Deanonymization / Risk-Score Inflation ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry

Products affected by CVE-2020-24722

Exposure Notifications Project » Exposure Notifications » For Iphone Os
Versions up to, including, (<=) 2020-10-05
cpe:2.3:a:exposure_notifications_project:exposure_notifications:*:*:*:*:*:iphone_os:*:*
Matching versions
Exposure Notifications Project » Exposure Notifications » For Android
Versions up to, including, (<=) 2020-10-05
cpe:2.3:a:exposure_notifications_project:exposure_notifications:*:*:*:*:*:android:*:*
Matching versions

Vulnerability Details : CVE-2020-24722

Exploit prediction scoring system (EPSS) score for CVE-2020-24722

CVSS scores for CVE-2020-24722

CWE ids for CVE-2020-24722

References for CVE-2020-24722

Products affected by CVE-2020-24722