Bug 1879820 (CVE-2020-9770) - CVE-2020-9770 bluez: BLESA bluetooth attack
Summary: CVE-2020-9770 bluez: BLESA bluetooth attack
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-9770
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1879823 1879824 1882204 1910509
Blocks: 1879782
Reported: 2020-09-17 06:08 UTC by Doran Moppert
Modified: 2023-09-03 11:00 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-10-28 05:02:46 UTC
Embargoed:



Description Doran Moppert 2020-09-17 06:08:21 UTC
An authentication bypass in the Bluetooth Low Energy (BLE) protocol could enable physically proximate attackers to impersonate trusted Bluetooth devices.

External references:

https://www.usenix.org/system/files/woot20-paper-wu-updated.pdf

Comment 5 Doran Moppert 2020-09-24 03:41:23 UTC
Statement:

The research paper describes that Bluetooth Low Energy connections managed through `bluetoothctl` control or via D-Bus API are not vulnerable to this attack as they strictly follow the proactive authentication specification.  Connections that are managed by `gatttool` are among those that may be vulnerable.

Comment 6 Doran Moppert 2020-09-24 03:41:25 UTC
Mitigation:

Bluetooth Low Energy can be disabled altogether if it is not required, using the configuration below.  This will prevent BLE devices from connecting with the host, disabling this attack.

```
ControllerMode=bredr
```
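
One way to check that this mitigation is actually in effect on a host, as an added example that is not part of the bug report or of BlueZ. It assumes the setting belongs in the `[General]` section of BlueZ's `main.conf` (commonly `/etc/bluetooth/main.conf`, a path the report does not state) and that an unset key means the default `dual` mode; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a BlueZ main.conf for the ControllerMode=bredr mitigation.
# Assumption: the file is usually /etc/bluetooth/main.conf (not named in the bug).

# Print the effective ControllerMode from the [General] section of file $1.
# Commented-out lines and keys in other sections are ignored. If the key is
# absent, print "dual" (assumed default: both BR/EDR and LE enabled).
controller_mode() {
    awk '
        /^[ \t]*#/ { next }                       # commented-out setting
        /^[ \t]*\[/ {                             # section header, e.g. [General]
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            next
        }
        sec == "General" {
            i = index($0, "=")
            if (i == 0) next
            key = substr($0, 1, i - 1)
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Assumption: when the key is repeated, the last value applies.
            if (key == "ControllerMode") mode = val
        }
        END { print (mode == "" ? "dual" : mode) }
    ' "$1"
}

# Succeed only when BLE is disabled as described in the mitigation.
ble_disabled() {
    [ "$(controller_mode "$1")" = "bredr" ]
}

# Constructed sample: the key is commented out in [General] and only set in
# an unrelated section, so the mitigation is NOT in effect.
sample=$(mktemp)
printf '%s\n' '[General]' '#ControllerMode = bredr' \
              '[Policy]' 'ControllerMode=bredr' > "$sample"
if ble_disabled "$sample"; then
    echo "BLE disabled"
else
    echo "BLE still enabled (mode: $(controller_mode "$sample"))"
fi
rm -f "$sample"
```
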

Comment 7 Doran Moppert 2020-09-24 03:44:17 UTC
Created bluez tracking bugs for this issue:

Affects: fedora-all [bug 1882204]

