The Bluetooth Mesh Profile Specification versions 1.0 and 1.0.1 Mesh Provisioning procedure could allow an attacker observing or taking part in the provisioning to brute force the AuthValue if has a fixed value or is selected predictably or with low entropy. If successful, an attacker may be able to identify the AuthValue and authenticate to both the Provisioner and provisioned devices, permitting a MITM attack on a future provisioning attempt with the same AuthValue.
It is recommended for devices to use AuthValues containing the maximum entropy permitted (128-bits) and randomly select a new AuthValue using a secure random number generator with each new provisioning attempt. A large entropy helps ensure that a brute-force of the AuthValue, even a static AuthValue, cannot normally be completed in a reasonable time.
Created bluez tracking bugs for this issue:
Affects: fedora-all [bug 1969618]