Bug 1832216 (CVE-2020-10134) - CVE-2020-10134 bluetooth: Method Confusion Pairing Vulnerability in LE Secure Connections and BR/EDR Secure Simple Pairing
Summary: CVE-2020-10134 bluetooth: Method Confusion Pairing Vulnerability in LE Secure...
Alias: CVE-2020-10134
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1835303 1835304 1841544 1910510
Blocks: 1821831
TreeView+ depends on / blocked
Reported: 2020-05-06 10:51 UTC by Mauro Matteo Cascella
Modified: 2023-09-03 11:00 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in the Bluetooth protocol affecting the Bluetooth LE Secure Connections pairing and the BR/EDR Secure Simple Pairing. An attacker with physical access to the Bluetooth connection could perform a man-in-the-middle attack between two devices using the Numeric Comparison and Passkey pairing association models. This attack may result in the man-in-the-middle becoming authenticated with the attacked devices and being able to initiate any Bluetooth operation exposed by the enabled Bluetooth profiles.
Clone Of:
Last Closed: 2021-10-28 10:59:47 UTC

Attachments (Terms of Use)

Description Mauro Matteo Cascella 2020-05-06 10:51:08 UTC
A vulnerability affecting Bluetooth LE Secure Connections was found in the Bluetooth Core specification versions 4.0 through 5.2 and BR/EDR Secure Simple Pairing in the Bluetooth Core specification versions 2.1 through 5.2. The flaw could allow an attacking device to successfully intercede as a man-in-the-middle (MITM) between two pairing devices. To do this, the attacker must negotiate a numeric compare procedure with one device and a passkey pairing procedure with the other, and the user must erroneously enter the numeric compare value as the passkey and accept pairing on the numeric compare device.

Comment 1 Mauro Matteo Cascella 2020-05-07 16:32:00 UTC
As per the report: "For this attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing either an LE or a BR/EDR encrypted connection without existing shared credentials (LTK or link key). At least one device must permit entry of a passkey, and the other must support a display capable of representing six decimal digits."

In the BR/EDR Secure Simple Pairing scenario, only devices operating as a keyboard for the purposes of pairing may be used to enter the passkey, thus partially lowering the exposure of the flaw.

Comment 3 Mauro Matteo Cascella 2020-05-07 16:41:51 UTC

Name: CERT

Comment 5 Mauro Matteo Cascella 2020-05-13 15:02:29 UTC

Use the Out of Band (OOB) pairing mechanism if possible. Disabling Bluetooth may be a suitable alternative for some environments, please refer to the Red Hat knowledgebase solution [1] for how to disable Bluetooth in Red Hat Enterprise Linux.

[1] https://access.redhat.com/solutions/2682931

Comment 9 Mauro Matteo Cascella 2020-05-29 12:30:08 UTC
Created bluez tracking bugs for this issue:

Affects: fedora-all [bug 1841544]

Note You need to log in before you can comment on or make changes to this bug.