OTPulse
FeedAboutContact

Traffic Alert and Collision Avoidance System (TCAS) II

Plan Patch8.2ICS-CERT ICSA-25-021-01Jan 21, 2024
Attack VectorAdjacent
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Two vulnerabilities (CVE-2024-11166 and CVE-2024-9310) in TCAS II version 7.1 and earlier could allow an attacker with physical proximity to manipulate safety systems and cause denial of service. CVE-2024-11166 can be mitigated by upgrading to ACAS X or updating transponders to RTCA DO-181F compliance. No mitigation exists for CVE-2024-9310. These vulnerabilities require very specific conditions to exploit and are not remotely exploitable; they have high attack complexity and are unlikely to be exploited outside laboratory settings.

What this means
What could happen
An attacker with physical proximity to an aircraft's avionics could manipulate TCAS II collision warnings or prevent the system from functioning, potentially compromising the ability to detect and avoid mid-air collisions.
Who's at risk
Aviation operators and air traffic authorities managing aircraft equipped with TCAS II version 7.1 or earlier. This includes commercial airlines, regional carriers, and any organization operating aircraft with legacy TCAS II avionics. Air traffic management facilities that depend on correct TCAS II functioning for separation assurance are also impacted.
How it could be exploited
An attacker would need to be physically near the aircraft (not remotely exploitable) and would need to meet very specific lab-condition requirements to intercept and manipulate avionics signals or system states that TCAS II depends on for collision detection. The advisory notes these are difficult to exploit outside controlled laboratory settings.
Prerequisites
  • Physical proximity to the aircraft's avionics systems or communication pathways
  • Ability to meet very specific lab-condition requirements as noted in the advisory
  • No authentication bypass required under those conditions
affects safety systemsno patch available for legacy TCAS IImanipulation of collision avoidance warningshigh attack complexity mitigates practical risk
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
Traffic Alert and Collision Avoidance System (TCAS) II TCAS II: <=7.1≤ 7.1No fix (EOL)
Remediation & Mitigation
0/3
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade affected aircraft to ACAS X (Airborne Collision Avoidance System X) to fully mitigate CVE-2024-11166
HOTFIXUpgrade associated transponders to comply with RTCA DO-181F standard to mitigate CVE-2024-11166
Mitigations - no patch available
0/1
Traffic Alert and Collision Avoidance System (TCAS) II TCAS II: <=7.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGFor CVE-2024-9310: No mitigation currently available from vendor; monitor CISA advisories for future updates
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/1370bbb7-faca-45de-b22e-b5b33593028e
Traffic Alert and Collision Avoidance System (TCAS) II | CVSS 8.2 - OTPulse