{ "threat_severity" : "Moderate", "public_date" : "2021-05-24T16:00:00Z", "bugzilla" : { "description" : "kernel: predictable Authvalue in Bluetooth Mesh Provisioning Leads to MITM", "id" : "1960009", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1960009" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "draft" }, "details" : [ "Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time).", "A flaw was found in the Linux kernel’s Bluetooth Mesh Profile implementation. The Mesh Provisioning procedure has a vulnerability that allows an attacker observing or taking part in the provisioning to brute force the AuthValue if it has a fixed value or is selected predictably or with low entropy. If successful, an attacker can identify the AuthValue and authenticate to both the Provisioner and provisioned devices, allowing a Man-in-the-Middle (MITM) attack on a future provisioning attempt with the same AuthValue. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability." ], "statement" : "Red Hat Product Security is aware of this issue and is currently assessing the impact on Red Hat supported products. Corresponding entry in the Red Hat CVE database (https://access.redhat.com/security/security-updates/#/cve) will be updated with latest information as the assessment progresses.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "bluez", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "bluez", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-alt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "bluez", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "bluez", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-26557\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-26557" ], "name" : "CVE-2020-26557", "mitigation" : { "value" : "It is recommended for devices to use AuthValues containing the maximum entropy permitted (128-bits) and randomly select a new AuthValue using a secure random number generator with each new provisioning attempt. A large entropy helps ensure that a brute-force of the AuthValue, even a static AuthValue, cannot normally be completed in a reasonable time.", "lang" : "en:us" }, "csaw" : false }