Bluetooth BR/EDR encryption key negotiation vulnerability

Description

Greetings,

TLP:RED, under embargo until 13 August 2019

This email contains predisclosure information about a vulnerability in the Bluetooth BR/EDR Bluetooth Core specification versions 1.0 through 5.1 that is identified as CVE-2019-9506. The Bluetooth BR/EDR encryption key negotiation protocol is vulnerable to packet injection that could allow an unauthenticated user to decrease the size of the entropy of the encryption key, potentially causing information disclosure and/or escalation of privileges via adjacent access. There is not currently any knowledge of this being exploited.

The Bluetooth Special Interest Group (SIG) is in the process of adjusting the specification to mitigate this issue. They are continuing to work with controller and host vendors to implement patches once the specification is changed, so be aware that patches and additional notifications may be coming from upstream vendors. We strongly recommend that these patches are implemented when they are available. We will communicate more information in regards to this vulnerability as we receive it.

Regards,

Vulnerability Analysis Team
======================================================================
CERT Coordination Center
www.cert.org / cert@cert.org
======================================================================

Environment

None

Activity

David Brown
July 1, 2019, 4:26 PM

Further investigation into the Zephyr documentation suggests BR/EDR support, so that will be affected by this.

david leach
August 26, 2019, 5:27 PM

Created Zephyr ticket to track problem: https://github.com/zephyrproject-rtos/zephyr/issues/18658

In discussions with the BT working group, the initial feedback was to remove the BR/EDR support from Zephyr. Bose stepped up and said they wanted to keep BR/EDR support in Zephyr and that they would volunteer to support it. Likely someone from Bose will take on the work.

david leach
August 27, 2019, 1:21 PM

Fixed with

David Brown
September 3, 2019, 10:41 PM

Fixed in v1.14 with

david leach
March 4, 2020, 7:48 PM

Can we close this issue since there are fixes released?

Assignee

David Brown

Reporter

David Brown

Labels

Authorized viewers

None

CVE

None

Embargo Lift

None

Components

Affects versions

Priority

Medium