Bug 1832216 (CVE-2020-10134)

Summary: CVE-2020-10134 bluetooth: Method Confusion Pairing Vulnerability in LE Secure Connections and BR/EDR Secure Simple Pairing
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bnocera, darcari, dwmw2, dzickus, gtiwari, hwkernel-mgr, security-response-team, spacewar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in the Bluetooth protocol affecting the Bluetooth LE Secure Connections pairing and the BR/EDR Secure Simple Pairing. An attacker with physical access to the Bluetooth connection could perform a man-in-the-middle attack between two devices using the Numeric Comparison and Passkey pairing association models. This attack may result in the man-in-the-middle becoming authenticated with the attacked devices and being able to initiate any Bluetooth operation exposed by the enabled Bluetooth profiles.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 10:59:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1835303, 1835304, 1841544, 1910510    
Bug Blocks: 1821831    

Description Mauro Matteo Cascella 2020-05-06 10:51:08 UTC 
A vulnerability affecting Bluetooth LE Secure Connections was found in the Bluetooth Core specification versions 4.0 through 5.2 and BR/EDR Secure Simple Pairing in the Bluetooth Core specification versions 2.1 through 5.2. The flaw could allow an attacking device to successfully intercede as a man-in-the-middle (MITM) between two pairing devices. To do this, the attacker must negotiate a numeric compare procedure with one device and a passkey pairing procedure with the other, and the user must erroneously enter the numeric compare value as the passkey and accept pairing on the numeric compare device.
Comment 1 Mauro Matteo Cascella 2020-05-07 16:32:00 UTC 
As per the report: "For this attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing either an LE or a BR/EDR encrypted connection without existing shared credentials (LTK or link key). At least one device must permit entry of a passkey, and the other must support a display capable of representing six decimal digits."

In the BR/EDR Secure Simple Pairing scenario, only devices operating as a keyboard for the purposes of pairing may be used to enter the passkey, thus partially lowering the exposure of the flaw.
Comment 3 Mauro Matteo Cascella 2020-05-07 16:41:51 UTC 
Acknowledgments:

Name: CERT
Comment 5 Mauro Matteo Cascella 2020-05-13 15:02:29 UTC 
Mitigation:

Use the Out of Band (OOB) pairing mechanism if possible. Disabling Bluetooth may be a suitable alternative for some environments, please refer to the Red Hat knowledgebase solution [1] for how to disable Bluetooth in Red Hat Enterprise Linux.

[1] https://access.redhat.com/solutions/2682931
Comment 8 Mauro Matteo Cascella 2020-05-26 13:54:11 UTC 
External References:

https://kb.cert.org/vuls/id/534195/
https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/method-vulnerability/
Comment 9 Mauro Matteo Cascella 2020-05-29 12:30:08 UTC 
Created bluez tracking bugs for this issue:

Affects: fedora-all [bug 1841544]