Bug 1727857 (CVE-2019-9506) - CVE-2019-9506 hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB)
Summary: CVE-2019-9506 hardware: bluetooth: BR/EDR encryption key negotiation attacks ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9506
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1743075 1743080 1743085 1743087 1743055 1743076 1743077 1743078 1743079 1743081 1743082 1743083 1743084 1743086 1743088 1743461 1743462 1746814 1753282 1753283
Blocks: 1742221 1727858
Reported: 2019-07-08 11:28 UTC by Marian Rehak
Modified: 2019-11-05 21:06 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in the Bluetooth protocol. An attacker within physical proximity to the Bluetooth connection could downgrade the encryption protocol to be trivially brute forced.
Clone Of:
Environment:
Last Closed: 2019-10-08 12:51:07 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3176 None None None 2019-10-22 14:07:17 UTC
Red Hat Product Errata RHBA-2019:3184 None None None 2019-10-23 19:19:41 UTC
Red Hat Product Errata RHBA-2019:3185 None None None 2019-10-23 19:19:52 UTC
Red Hat Product Errata RHBA-2019:3288 None None None 2019-10-31 16:53:08 UTC
Red Hat Product Errata RHSA-2019:2975 None None None 2019-10-08 09:59:52 UTC
Red Hat Product Errata RHSA-2019:3055 None None None 2019-10-15 17:46:06 UTC
Red Hat Product Errata RHSA-2019:3076 None None None 2019-10-15 17:48:39 UTC
Red Hat Product Errata RHSA-2019:3089 None None None 2019-10-16 07:57:08 UTC
Red Hat Product Errata RHSA-2019:3165 None None None 2019-10-22 10:07:17 UTC
Red Hat Product Errata RHSA-2019:3187 None None None 2019-10-23 09:03:40 UTC
Red Hat Product Errata RHSA-2019:3217 None None None 2019-10-29 12:55:46 UTC
Red Hat Product Errata RHSA-2019:3218 None None None 2019-10-29 12:39:38 UTC
Red Hat Product Errata RHSA-2019:3220 None None None 2019-10-29 13:12:10 UTC
Red Hat Product Errata RHSA-2019:3231 None None None 2019-10-29 14:03:17 UTC
Red Hat Product Errata RHSA-2019:3309 None None None 2019-11-05 20:35:42 UTC
Red Hat Product Errata RHSA-2019:3517 None None None 2019-11-05 21:06:24 UTC

Description Marian Rehak 2019-07-08 11:28:36 UTC
The Bluetooth BR/EDR encryption key negotiation protocol is vulnerable to packet injection that could allow an unauthenticated user to decrease the size of the entropy of the encryption key, potentially causing information disclosure and/or escalation of privileges via adjacent access. There is not currently any knowledge of this being exploited.

Note:

Not all Bluetooth devices are vulnerable to this flaw, only devices that can connect to another using the BR/EDR encryption negotiation protocol.


CERT notification:
https://kb.cert.org/vuls/id/918987/

Upstream patches:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d5bb334a8e171b262e48f378bd2096c0ea458265
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=693cd8ce3f882524a5d06f7800dd8492411877b3
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eca94432934fe5f141d084f2e36ee2c0e614cc04

Branded site:
https://knobattack.com/
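
The effect of the key-size reduction described above, as an added example that is not part of the bug report or of the upstream kernel patches: a model of the outcome of the BR/EDR key-size negotiation and of a host-side minimum-size check. The 1-to-16-byte range and the 7-byte floor are assumptions taken from the Bluetooth specification and the SIG's recommendation after KNOB; all type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions: BR/EDR key sizes range over 1..16 bytes; 7 bytes is the
 * floor the Bluetooth SIG recommended after KNOB. */
#define ENC_KEY_SIZE_MAX   16
#define ENC_KEY_SIZE_FLOOR 7

/* Key sizes (in bytes) one side is willing to use, as seen on the link. */
struct key_limits { uint8_t min, max; };

/* Negotiation outcome: the largest size both sides support, or 0 when
 * that size is below either side's minimum (negotiation fails). */
uint8_t negotiate_key_size(struct key_limits a, struct key_limits b)
{
    uint8_t size = a.max < b.max ? a.max : b.max;
    uint8_t lo   = a.min > b.min ? a.min : b.min;
    if (size > ENC_KEY_SIZE_MAX) size = ENC_KEY_SIZE_MAX;
    return size >= lo ? size : 0;
}

/* Host-side policy (hypothetical helper): refuse short keys even if
 * the negotiation itself accepted them. */
int key_size_acceptable(uint8_t size)
{
    return size >= ENC_KEY_SIZE_FLOOR && size <= ENC_KEY_SIZE_MAX;
}

int main(void)
{
    /* Constructed cases: {local limits, limits received from the peer}. */
    struct { struct key_limits local, peer; } cases[] = {
        { {1, 16}, {1, 16} },  /* untampered, both support 16 bytes */
        { {1, 16}, {1, 1}  },  /* peer limit arrives as 1 byte      */
        { {7, 16}, {1, 1}  },  /* local minimum raised to the floor */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint8_t n = negotiate_key_size(cases[i].local, cases[i].peer);
        printf("negotiated=%2u bytes (%3u bits of entropy) -> %s\n",
               (unsigned)n, 8u * n,
               n == 0 ? "negotiation failed"
                      : key_size_acceptable(n) ? "accept" : "reject");
    }
    return 0;
}
```

The second case is the one that matters for this CVE: the negotiation succeeds with a 1-byte key because both sides permit it, so only a separate floor on the host or controller stops the link from being used.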

Comment 2 Huzaifa S. Sidhpurwala 2019-07-10 04:24:10 UTC
This is a flaw in the bluetooth protocol. As per the report: "The Bluetooth Special Interest Group (SIG) is in the process of adjusting the specification to mitigate this issue. They are continuing to work with controller and host vendors to implement patches once the specification is changed, so be aware that patches and additional notifications may be coming from upstream vendors. We strongly recommend that these patches are implemented when they are available. We will communicate more information in regards to this vulnerability as we receive it."

Basically seems like a hardware issue to me. 

The notice for CERT is a heads-up. We probably need to wait till we see "patches".

Comment 4 Wade Mealing 2019-08-19 01:14:49 UTC
Mitigation:

At this time there is no known mitigation if Bluetooth hardware is to continue to be used. Replacing the hardware with its wired version and disabling Bluetooth may be a suitable alternative for some environments.

Comment 5 Wade Mealing 2019-08-19 01:46:37 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1743055]

Comment 9 Wade Mealing 2019-08-19 02:55:14 UTC
This flaw is rated as important due to the possible follow-on effects. It is likely that, if the attacker could intercept Bluetooth keyboard input, this data would contain password input, which would be immediately leveraged for further attacks.

Comment 11 Justin M. Forbes 2019-08-19 12:41:13 UTC
This was fixed for Fedora with the 5.0.15 stable kernel updates.

Comment 22 errata-xmlrpc 2019-10-08 09:59:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:2975 https://access.redhat.com/errata/RHSA-2019:2975

Comment 23 Product Security DevOps Team 2019-10-08 12:51:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9506

Comment 24 errata-xmlrpc 2019-10-15 17:46:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3055 https://access.redhat.com/errata/RHSA-2019:3055

Comment 25 errata-xmlrpc 2019-10-15 17:48:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3076 https://access.redhat.com/errata/RHSA-2019:3076

Comment 26 errata-xmlrpc 2019-10-16 07:57:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3089 https://access.redhat.com/errata/RHSA-2019:3089

Comment 29 errata-xmlrpc 2019-10-22 10:07:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:3165 https://access.redhat.com/errata/RHSA-2019:3165

Comment 30 errata-xmlrpc 2019-10-23 09:03:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2019:3187 https://access.redhat.com/errata/RHSA-2019:3187

Comment 31 errata-xmlrpc 2019-10-29 12:39:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:3218 https://access.redhat.com/errata/RHSA-2019:3218

Comment 32 errata-xmlrpc 2019-10-29 12:55:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3217 https://access.redhat.com/errata/RHSA-2019:3217

Comment 33 errata-xmlrpc 2019-10-29 13:12:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:3220 https://access.redhat.com/errata/RHSA-2019:3220

Comment 34 errata-xmlrpc 2019-10-29 14:03:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:3231 https://access.redhat.com/errata/RHSA-2019:3231

Comment 38 errata-xmlrpc 2019-11-05 20:35:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309

Comment 39 errata-xmlrpc 2019-11-05 21:06:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517
