The Bluetooth Mesh Profile Specification versions 1.0 and 1.0.1 Mesh Provisioning procedure could allow an attacker without knowledge of the AuthValue, spoofing a device being provisioned, to use crafted responses to appear to possess the AuthValue and be issued a valid NetKey and potentially an AppKey. For this attack to be successful, an attacking device needs to be within wireless range of a Mesh Provisioner and either spoof the identity of a device being provisioned over the air or be directly provisioned onto a subnet controlled by the provisioner. After successfully authenticating without the AuthValue, the attacker can perform any operation permitted to a node provisioned on the subnet until it is either denied access or a new subnet is formed without the attacking node present.
Created bluez tracking bugs for this issue:
Affects: fedora-all [bug 1969617]