SB2021052614 - Multiple vulnerabilities in Bluetooth Core and Mesh Specifications

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021052614

SB2021052614 - Multiple vulnerabilities in Bluetooth Core and Mesh Specifications

Published: May 26, 2021 Updated: January 26, 2022

Security Bulletin ID SB2021052614
Severity
Low
Patch available
NO
Number of vulnerabilities 7
Exploitation vector Adjecent network
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Improper access control (CVE-ID: CVE-2020-26555)

The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions within the Bluetooth legacy BR/EDR PIN code pairing. An attacker with physical access can spoof the BD_ADDR of the peer device and complete pairing without knowledge of the PIN.


2) Improper access control (CVE-ID: CVE-2020-26560)

The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to an impersonation in the Mesh Provisioning procedure flaw. A remote attacker on the local network can spoof a device being provisioned, authenticate without the AuthValue and perform any operation permitted to a node provisioned on the subnet.


3) Security features bypass (CVE-ID: CVE-2020-26559)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the leak of AuthValue in the Mesh Provisioning procedure. A remote attacker on the local network can perform a brute-force attack to identify the AuthValue used given the Provisioner’s public key, and the confirmation number and nonce provided by the provisioning device.


4) Security features bypass (CVE-ID: CVE-2020-26557)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the use of predictable AuthValue in the Mesh Provisioning procedure. A remote attacker on the local network can perform a brute-force attack to obtain the AuthValue and authenticate to both the Provisioner and provisioned devices.


5) Improper Authentication (CVE-ID: CVE-2020-26556)

The vulnerability allows a local attacker to bypass authentication process.

The vulnerability exists due to a flaw in the authentication protocol. An attacker with physical access can identify the AuthValue used before the provisioning procedure times out, complete the provisioning operation and obtain a NetKey.


6) Security features bypass (CVE-ID: N/A)

The vulnerability allows a local attacker to compromise the target system.

The vulnerability exists due to the issue within the Authentication of the Bluetooth LE legacy pairing protocol. An attacker with physical access can reflect the confirmation and random numbers of a peer device in LE legacy pairing to successfully complete legacy authentication phase 2 without knowledge of the temporary key (TK).


7) Security features bypass (CVE-ID: CVE-2020-26558)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to an impersonation in the Passkey Entry protocol flaw. A remote attacker on the local network can perform a man-in-the-middle (MITM) attack and impersonate the initiating device without any previous knowledge.

Note: This vulnerability affects the following specifications:

  • BR/EDR Secure Simple Pairing in Bluetooth Core Specifications 2.1 through 5.2
  • BR/EDR Secure Connections Pairing in Bluetooth Core Specifications 4.1 through 5.2 
  • LE Secure Connections Pairing in Bluetooth Core Specifications 4.2 through 5.2


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References