Bug 1960012 (CVE-2020-26556)

Summary: CVE-2020-26556 kernel: malleable commitment Bluetooth Mesh Provisioning
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bhu, blc, bmasney, bnocera, chwhite, crwood, darcari, dvlasenk, dwmw2, dzickus, hdegoede, hkrzesin, hwkernel-mgr, jarodwilson, jeremy, jforbes, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rkeshri, rvrbovsk, spacewar, steved, walters, wcosta, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel’s authentication protocol in the Bluetooth® Mesh Profile Specification. A vulnerability occurs if the AuthValue is identified during the provisioning procedure, even if the AuthValue is selected randomly. This flaw allows an attacker to identify the AuthValue used before the provisioning procedure times out, possibly completing the provisioning operation and obtaining a NetKey. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1969622, 1969623, 1969624    
Bug Blocks: 1969593    

Description Guilherme de Almeida Suckevicz 2021-05-12 19:15:26 UTC 
The authentication protocol in the Bluetooth® Mesh Profile Specification versions 1.0 and 1.0.1 is vulnerable if the AuthValue can be identified during the provisioning procedure, even if the AuthValue is selected randomly. If an attacker can identify the AuthValue used before the provisioning procedure times out, it is possible to complete the provisioning operation and obtain a NetKey.
Comment 14 Rohit Keshri 2021-06-08 18:43:39 UTC 
Created bluez tracking bugs for this issue:

Affects: fedora-all [bug 1969622]
Comment 16 Rohit Keshri 2021-08-01 16:44:01 UTC 
*** Bug 1963416 has been marked as a duplicate of this bug. ***