The Mesh Provisioning procedure described in the Bluetooth Mesh Profile Specification versions 1.0 and 1.0.1 could allow an attacker that was provisioned without access to the AuthValue to identify the AuthValue directly without brute-forcing its value. Even when a randomly generated AuthValue with a full 128-bits of entropy is used, an attacker acquiring the Provisioner’s public key, provisioning confirmation value, and provisioning random value and providing its public key for use in the provisioning procedure will be able to directly compute the AuthValue used.
Created bluez tracking bugs for this issue: Affects: fedora-all [bug 1969615]