TLP:RED, under embargo until 13 August 2019
This email contains predisclosure information about a vulnerability in the Bluetooth BR/EDR Bluetooth Core specification versions 1.0 through 5.1 that is identified as CVE-2019-9506. The Bluetooth BR/EDR encryption key negotiation protocol is vulnerable to packet injection that could allow an unauthenticated user to decrease the size of the entropy of the encryption key, potentially causing information disclosure and/or escalation of privileges via adjacent access. There is not currently any knowledge of this being exploited.
The Bluetooth Special Interest Group (SIG) is in the process of adjusting the specification to mitigate this issue. They are continuing to work with controller and host vendors to implement patches once the specification is changed, so be aware that patches and additional notifications may be coming from upstream vendors. We strongly recommend that these patches are implemented when they are available. We will communicate more information in regards to this vulnerability as we receive it.
Vulnerability Analysis Team
CERT Coordination Center
www.cert.org / email@example.com
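The key-size negotiation that the advisory above describes, modelled in Python as an added example (this is not code from CERT, the Bluetooth SIG or Zephyr). It assumes the spec's 1..16 octet range and a 7-octet floor, which is the minimum the SIG recommended after disclosure rather than a number stated in this thread; the point it shows is that the floor must be checked against the key size actually in use on the link, not only against the size a host proposed.

```python
from typing import Optional

MAX_KEY_OCTETS = 16        # BR/EDR encryption key size range is 1..16 octets
SIG_MIN_KEY_OCTETS = 7     # assumed post-disclosure floor, not stated in the thread


def negotiate(initiator_max: int, responder_max: int, responder_min: int,
              seen_by_responder: Optional[int] = None) -> Optional[int]:
    """Return the key size both controllers end up using, or None if refused.

    The initiator proposes its maximum; the responder settles on the smaller of
    that proposal and its own maximum, provided the result is not below the
    minimum it is willing to accept.  `seen_by_responder` stands in for a
    proposal altered in transit (the packet injection the advisory describes);
    None means the genuine proposal arrives unchanged.
    """
    proposal = initiator_max if seen_by_responder is None else seen_by_responder
    proposal = max(1, min(proposal, MAX_KEY_OCTETS))     # clamp to the spec range
    agreed = min(proposal, responder_max)
    if agreed < responder_min:
        return None                                      # responder refuses the link
    return agreed


def key_entropy_bits(octets: int) -> int:
    """Brute-force work factor of the negotiated key: 8 bits per octet."""
    return 8 * octets


def host_accepts_link(actual_key_octets: int, floor: int = SIG_MIN_KEY_OCTETS) -> bool:
    """Post-negotiation check a host performs on the key size its controller
    reports as in use.  Checking the size actually in use, rather than the
    proposal the host itself sent, is what catches a tampered exchange."""
    return actual_key_octets >= floor


if __name__ == "__main__":
    # Constructed scenario: both controllers support 16-octet keys and the
    # responder has the pre-fix default of accepting any size down to 1 octet.
    honest = negotiate(16, 16, responder_min=1)
    tampered = negotiate(16, 16, responder_min=1, seen_by_responder=1)
    print(f"untampered: {honest} octets = {key_entropy_bits(honest)} bits of key")
    print(f"tampered:   {tampered} octets = {key_entropy_bits(tampered)} bits of key")
    print(f"host keeps tampered link? {host_accepts_link(tampered)}")
    # With the floor enforced as the responder's minimum, the link never comes up.
    print(f"floor enforced at negotiation: {negotiate(16, 16, SIG_MIN_KEY_OCTETS, 1)}")
```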
Further investigation into the Zephyr documentation suggests BR/EDR support, so that will be affected by this.
Created Zephyr ticket to track problem: https://github.com/zephyrproject-rtos/zephyr/issues/18658
In discussions with the BT working group, the initial feedback was to remove the BR/EDR support from Zephyr. Bose stepped up and said they wanted to keep BR/EDR support in Zephyr and that they would volunteer to support it. Likely someone from Bose will take on the work.
Fixed in v1.14 with
Can we close this issue since there are fixes released?