A vulnerability affecting Bluetooth BR/EDR pairing was found in the Bluetooth Core specification versions 1.0 through 5.2. The flaw could allow an attacking device to spoof the address of a previously paired remote device to successfully complete the authentication procedure with some paired/bonded devices while not possessing the link key. This can permit an attacker to initiate the Bluetooth Key Negotiation attack (KNOB) on encryption key strength without intervening in an ongoing pairing procedure through an injection attack.
Acknowledgments: CERT
As per the report, for this attack to be successful several conditions must be met:
- the attacker needs to be within wireless range of a vulnerable Bluetooth device
- the attacker needs to know the address of the vulnerable device
- Secure Connections is not supported by the vulnerable device, or
- Secure Connections is supported, but the attacker is able to downgrade the connection (by clearing bits in its feature mask)

Even so, an attempt to establish encryption will still fail, and the attacker must rely on the KNOB attack (CVE-2019-9506) to break the encryption.
Mitigation: Enforce the Secure Connections Only mode for implementations that do not require support for pairing with legacy devices. Disabling Bluetooth may be a suitable alternative for some environments; please refer to the Red Hat knowledgebase solution [1] for how to disable Bluetooth in Red Hat Enterprise Linux.

[1] https://access.redhat.com/solutions/2682931
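The following is an added example, not part of this bug report or of BlueZ, showing how an administrator can audit a controller's Secure Connections state from the text that `btmgmt info` prints and then switch the controller to Secure Connections Only mode. It assumes BlueZ's `btmgmt` tool is installed and run as root, and that its output carries "supported settings:" and "current settings:" lines in the layout shown; the `SAMPLE_INFO` text is a constructed sample, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or BlueZ): audit a controller's
# Secure Connections (SC) state and enforce SC-only mode, which refuses the
# legacy (non-SC) pairing that the BIAS downgrade relies on.
# Assumptions: BlueZ's btmgmt is installed and run as root; the text below
# follows the "supported settings:" / "current settings:" layout of `btmgmt info`.

# Constructed sample of `btmgmt info` output for a controller that supports
# Secure Connections but currently has it disabled, so legacy pairing is allowed.
SAMPLE_INFO='hci0:	Primary controller
	addr 00:11:22:33:44:55 version 8 manufacturer 2 class 0x0c010c
	supported settings: powered connectable fast-connectable discoverable bondable link-security ssp br/edr hs le advertising secure-conn debug-keys privacy
	current settings: powered bondable ssp br/edr le
	name controller
	short name'

# setting_listed LINE_PREFIX SETTING TEXT
# Succeeds if SETTING appears as a whole word on the "LINE_PREFIX:" line of TEXT.
setting_listed() {
    printf '%s\n' "$3" | grep -E "^[[:space:]]*$1:" | grep -qw -- "$2"
}

# sc_state TEXT -> prints one of: unsupported, off, on
# "off" is the state to flag: SC is available but legacy pairing is still accepted.
sc_state() {
    if ! setting_listed 'supported settings' secure-conn "$1"; then
        echo unsupported
    elif setting_listed 'current settings' secure-conn "$1"; then
        echo on
    else
        echo off
    fi
}

# enforce_sc_only INDEX -> put controller INDEX (e.g. 0 for hci0) into
# Secure Connections Only mode. Peers that lack SC can no longer pair afterwards,
# which is the trade-off the mitigation above describes.
enforce_sc_only() {
    btmgmt --index "$1" sc only
}

# Stand-alone run: report the constructed sample, then show the command an
# administrator would apply to the live controller.
case "$(sc_state "$SAMPLE_INFO")" in
    off)         echo "hci0: SC supported but not active; run: btmgmt --index 0 sc only" ;;
    on)          echo "hci0: SC active; confirm 'only' mode with: btmgmt --index 0 sc only" ;;
    unsupported) echo "hci0: no SC support; consider disabling Bluetooth on this host" ;;
esac
```

Note that `btmgmt info` does not distinguish SC "on" from SC "only", so a controller reported as `on` should still be set with `sc only` explicitly; applying `enforce_sc_only` to a controller that must pair with legacy devices will break those pairings, which is why the mitigation limits it to implementations that do not need them.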
External References:
https://kb.cert.org/vuls/id/647177/
https://francozappa.github.io/about-bias/
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1841538]
This was fixed for Fedora with the 5.8 stable kernel rebases. Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=3ca44c16b0dcc764b641ee4ac226909f5c421aa3