CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2020-24722

An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-10-05, as used in COVID-19 applications on Android and iOS. The encrypted metadata block with a TX value lacks a checksum, allowing bitflipping to amplify a contamination attack. This can cause metadata deanonymization and risk-score inflation. NOTE: the vendor's position is "We do not believe that TX power authentication would be a useful defense against relay attacks.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.007

EPSS Ranking 71.1%

CVSS Severity

CVSS v3 Score 5.9

CVSS v2 Score 2.6

References

http://packetstormsecurity.com/files/159496/GAEN-Protocol-Metadata-Deanonymization-Risk-Score-Inflation.html
http://seclists.org/fulldisclosure/2020/Oct/12
https://blog.google/inside-google/company-announcements/update-exposure-notifications
https://github.com/google/exposure-notifications-internals/blob/main/en-risks-and-mitigations-faq.md#additional-considerations
http://packetstormsecurity.com/files/159496/GAEN-Protocol-Metadata-Deanonymization-Risk-Score-Inflation.html
http://seclists.org/fulldisclosure/2020/Oct/12
https://blog.google/inside-google/company-announcements/update-exposure-notifications
https://github.com/google/exposure-notifications-internals/blob/main/en-risks-and-mitigations-faq.md#additional-considerations

Products affected by CVE-2020-24722

Exposure Notifications Project » Exposure Notifications » Version: 2020-10-05

cpe:2.3:a:exposure_notifications_project:exposure_notifications:2020-10-05

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2020-24722

Products

Pricing

Contact Us