Bug 1960009 (CVE-2020-26557)

Summary: CVE-2020-26557 kernel: predictable Authvalue in Bluetooth Mesh Provisioning Leads to MITM
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bhu, blc, bmasney, bnocera, chwhite, crwood, darcari, dvlasenk, dwmw2, dzickus, hdegoede, hkrzesin, hwkernel-mgr, jarodwilson, jeremy, jforbes, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rkeshri, rvrbovsk, spacewar, steved, walters, wcosta, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel’s Bluetooth Mesh Profile implementation. The Mesh Provisioning procedure has a vulnerability that allows an attacker observing or taking part in the provisioning to brute force the AuthValue if it has a fixed value or is selected predictably or with low entropy. If successful, an attacker can identify the AuthValue and authenticate to both the Provisioner and provisioned devices, allowing a Man-in-the-Middle (MITM) attack on a future provisioning attempt with the same AuthValue. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1969609, 1969610, 1969618    
Bug Blocks: 1969593    

Description Guilherme de Almeida Suckevicz 2021-05-12 19:11:46 UTC 
The Bluetooth Mesh Profile Specification versions 1.0 and 1.0.1 Mesh Provisioning procedure could allow an attacker observing or taking part in the provisioning to brute force the AuthValue if has a fixed value or is selected predictably or with low entropy. If successful, an attacker may be able to identify the AuthValue and authenticate to both the Provisioner and provisioned devices, permitting a MITM attack on a future provisioning attempt with the same AuthValue.
Comment 3 Rohit Keshri 2021-05-16 18:03:37 UTC 
Mitigation:

It is recommended for devices to use AuthValues containing the maximum entropy permitted (128-bits) and randomly select a new AuthValue using a secure random number generator with each new provisioning attempt.  A large entropy helps ensure that a brute-force of the AuthValue, even a static AuthValue, cannot normally be completed in a reasonable time.
Comment 18 Rohit Keshri 2021-06-08 18:40:46 UTC 
Created bluez tracking bugs for this issue:

Affects: fedora-all [bug 1969618]