Input validation error in Intel Hardware solutions

#VU56330 Input validation error in Intel Hardware solutions

Published: 2021-09-06

Vulnerability identifier: #VU56330

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
WICED BT stack
Hardware solutions / Firmware
CYW920735Q60EVB
Hardware solutions / Firmware
Intel Wi-Fi 6 AX200
Hardware solutions / Firmware
CYW20735B1
Hardware solutions / Firmware

Vendor: Cypress Semiconductor Corporation
Intel

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the Bluetooth Classic implementations does not properly handle the reception of a malformed LMP timing accuracy response followed by multiple re-connections to the target link slave. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

WICED BT stack: 2.9.0

CYW920735Q60EVB: All versions

Intel Wi-Fi 6 AX200: All versions

External links
http://asset-group.github.io/disclosures/braktooth/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Intel Wi-Fi 6 AX200

Multiple vulnerabilities in Qualcomm Pocophone F1

Multiple vulnerabilities in Cypress CYW920735Q60EVB