Bug 1727857 (CVE-2019-9506)

Summary: CVE-2019-9506 hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB)
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acaringi, airlied, asavkov, bhu, blc, bnocera, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, gtiwari, hdegoede, hkrzesin, huzaifas, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, joe.lawrence, john.j5live, jonathan, josef, jpoimboe, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, mmezynsk, nmurray, plougher, pmatouse, rhandlin, rt-maint, rvrbovsk, security-response-team, steved, williams, wmealing
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text: A flaw was discovered in the Bluetooth protocol. An attacker within physical proximity to the Bluetooth connection could downgrade the encryption protocol to be trivially brute forced.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-10-08 12:51:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1743055, 1743075, 1743076, 1743077, 1743078, 1743079, 1743080, 1743081, 1743082, 1743083, 1743084, 1743085, 1743086, 1743087, 1743088, 1743461, 1743462, 1746814, 1753282, 1753283
Bug Blocks: 1727858, 1742221

Description Marian Rehak 2019-07-08 11:28:36 UTC
The Bluetooth BR/EDR encryption key negotiation protocol is vulnerable to packet injection that could allow an unauthenticated user to decrease the size of the entropy of the encryption key, potentially causing information disclosure and/or escalation of privileges via adjacent access. There is not currently any knowledge of this being exploited.

Note:

Not all bluetooth devices are vulnerable to this flaw. Only devices that can connect to another using BR/EDR encryption negotiation protocol.


CERT notification:
https://kb.cert.org/vuls/id/918987/

Upstream patches:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d5bb334a8e171b262e48f378bd2096c0ea458265
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=693cd8ce3f882524a5d06f7800dd8492411877b3
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eca94432934fe5f141d084f2e36ee2c0e614cc04

Branded site:
https://knobattack.com/
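
A host-side check for the reduced-entropy condition described above, as an added example that is not part of the original bug report or of the upstream patches: it parses an HCI Command Complete event for HCI_Read_Encryption_Key_Size and flags links whose negotiated key is below a policy floor. The opcode 0x1408 and event layout are taken from the Bluetooth Core specification, the 7-byte floor from the Bluetooth SIG's post-disclosure recommendation; the function name and the sample events are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions (not from the bug report): HCI_Read_Encryption_Key_Size opcode
 * and return layout per the Bluetooth Core spec; MIN_ENC_KEY_SIZE is a policy
 * floor following the SIG recommendation of 7 octets for BR/EDR. */
#define EVT_CMD_COMPLETE     0x0E
#define OP_READ_ENC_KEY_SIZE 0x1408
#define MIN_ENC_KEY_SIZE     7
#define MAX_ENC_KEY_SIZE     16

enum key_verdict { KEY_OK = 0, KEY_TOO_SHORT = 1, KEY_PARSE_ERROR = -1 };

/* Constructed sample events (no H4 packet-type byte): 1-byte and 16-byte keys. */
static const uint8_t SAMPLE_WEAK[]   = {0x0E, 0x07, 0x01, 0x08, 0x14, 0x00, 0x0B, 0x00, 0x01};
static const uint8_t SAMPLE_STRONG[] = {0x0E, 0x07, 0x01, 0x08, 0x14, 0x00, 0x0C, 0x00, 0x10};

/* Layout: code, param_len, num_cmd_pkts, opcode (LE16), status,
 * connection handle (LE16, low 12 bits), key_size in bytes. */
enum key_verdict check_enc_key_size(const uint8_t *evt, size_t len,
                                    uint16_t *handle, uint8_t *key_size)
{
    if (!evt || !handle || !key_size || len < 9 || evt[0] != EVT_CMD_COMPLETE)
        return KEY_PARSE_ERROR;
    if (evt[1] < 7 || (size_t)evt[1] + 2 > len)   /* truncated parameters */
        return KEY_PARSE_ERROR;
    if ((uint16_t)(evt[3] | (evt[4] << 8)) != OP_READ_ENC_KEY_SIZE)
        return KEY_PARSE_ERROR;
    if (evt[5] != 0x00)                           /* controller reported an error */
        return KEY_PARSE_ERROR;
    *handle = (uint16_t)((evt[6] | (evt[7] << 8)) & 0x0FFF);
    *key_size = evt[8];
    if (*key_size < 1 || *key_size > MAX_ENC_KEY_SIZE)
        return KEY_PARSE_ERROR;                   /* outside the spec's 1..16 range */
    return *key_size < MIN_ENC_KEY_SIZE ? KEY_TOO_SHORT : KEY_OK;
}

int main(void)
{
    uint16_t h; uint8_t k;
    const uint8_t *samples[] = {SAMPLE_WEAK, SAMPLE_STRONG};
    for (int i = 0; i < 2; i++) {
        enum key_verdict v = check_enc_key_size(samples[i], 9, &h, &k);
        printf("handle 0x%04x key_size %u bytes: %s\n", (unsigned)h, (unsigned)k,
               v == KEY_OK ? "ok" : v == KEY_TOO_SHORT ? "BELOW FLOOR" : "parse error");
    }
    return 0;
}
```

A link flagged as below the floor should be treated as unencrypted by the host policy, since the effective key space is small enough to search exhaustively.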

Comment 2 Huzaifa S. Sidhpurwala 2019-07-10 04:24:10 UTC
This is a flaw in the bluetooth protocol. As per the report: "The Bluetooth Special Interest Group (SIG) is in the process of adjusting the specification to mitigate this issue. They are continuing to work with controller and host vendors to implement patches once the specification is changed, so be aware that patches and additional notifications may be coming from upstream vendors. We strongly recommend that these patches are implemented when they are available. We will communicate more information in regards to this vulnerability as we receive it."

Basically seems like a hardware issue to me. 

The notice for CERT is a heads-up. We probably need to wait till we see "patches".

Comment 4 Wade Mealing 2019-08-19 01:14:49 UTC
Mitigation:

At this time there is no known mitigation if bluetooth hardware is to continue to be used. Replacing the hardware with its wired version and disabling bluetooth may be a suitable alternative for some environments.

Comment 5 Wade Mealing 2019-08-19 01:46:37 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1743055]

Comment 9 Wade Mealing 2019-08-19 02:55:14 UTC
This flaw is rated as important due to the possible follow-on effects. It is likely that if the attacker could intercept bluetooth keyboard input, this data would contain password input, which would be immediately leveraged for further attacks.

Comment 11 Justin M. Forbes 2019-08-19 12:41:13 UTC
This was fixed for Fedora with the 5.0.15 stable kernel updates.

Comment 22 errata-xmlrpc 2019-10-08 09:59:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:2975 https://access.redhat.com/errata/RHSA-2019:2975

Comment 23 Product Security DevOps Team 2019-10-08 12:51:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9506

Comment 24 errata-xmlrpc 2019-10-15 17:46:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3055 https://access.redhat.com/errata/RHSA-2019:3055

Comment 25 errata-xmlrpc 2019-10-15 17:48:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3076 https://access.redhat.com/errata/RHSA-2019:3076

Comment 26 errata-xmlrpc 2019-10-16 07:57:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3089 https://access.redhat.com/errata/RHSA-2019:3089

Comment 29 errata-xmlrpc 2019-10-22 10:07:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:3165 https://access.redhat.com/errata/RHSA-2019:3165

Comment 30 errata-xmlrpc 2019-10-23 09:03:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2019:3187 https://access.redhat.com/errata/RHSA-2019:3187

Comment 31 errata-xmlrpc 2019-10-29 12:39:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:3218 https://access.redhat.com/errata/RHSA-2019:3218

Comment 32 errata-xmlrpc 2019-10-29 12:55:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3217 https://access.redhat.com/errata/RHSA-2019:3217

Comment 33 errata-xmlrpc 2019-10-29 13:12:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:3220 https://access.redhat.com/errata/RHSA-2019:3220

Comment 34 errata-xmlrpc 2019-10-29 14:03:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:3231 https://access.redhat.com/errata/RHSA-2019:3231

Comment 38 errata-xmlrpc 2019-11-05 20:35:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309

Comment 39 errata-xmlrpc 2019-11-05 21:06:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517

Comment 42 errata-xmlrpc 2020-01-22 21:26:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0204 https://access.redhat.com/errata/RHSA-2020:0204

Comment 45 errata-xmlrpc 2020-04-14 14:22:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:1460 https://access.redhat.com/errata/RHSA-2020:1460