Attackers may abuse vulnerabilities found within the Bluetooth Core and Mesh Profile specs to impersonate official gadgets through the pairing course of and launch man-in-the-middle (MitM) assaults.
The Bluetooth Core and Mesh Profile specs outline necessities wanted by Bluetooth gadgets to speak with one another and for Bluetooth gadgets utilizing low vitality wi-fi expertise to allow interoperable mesh networking options.
Efficiently exploiting the vulnerabilities discovered and reported by researchers on the Agence nationale de la sécurité des systèmes d’info (ANSSI), may allow the attackers to launch MitM assaults whereas inside wi-fi vary of susceptible gadgets.
The Bluetooth Particular Curiosity Group (Bluetooth SIG), the group overseeing the event of Bluetooth requirements, additionally issued security advisories earlier as we speak, offering suggestions for every of the seven safety flaws impacting the 2 susceptible specs.
Detailed info on the found vulnerabilities, together with the affected Bluetooth specs and hyperlinks to Bluetooth SIG advisories and proposals, is offered within the desk embedded under.
“The Bluetooth SIG can be broadly speaking particulars on this vulnerability and its cures to our member corporations and is encouraging them to quickly combine any obligatory patches,” the group said.
“As all the time, Bluetooth customers ought to guarantee they’ve put in the newest beneficial updates from gadget and working system producers.”
VU#799380: Gadgets supporting Bluetooth Core and Mesh Specs are susceptible to impersonation assaults and AuthValue disclosure https://t.co/qKx4Of6L9V
— US-CERT (@USCERT_gov) May 24, 2021
Impacted distributors work on patching the issues
The Android Open Supply Mission (AOSP), Cisco, Intel, Pink Hat, Microchip Know-how, and Cradlepoint are among the many distributors recognized to date with merchandise impacted by these safety flaws, in line with the Carnegie Mellon CERT Coordination Center (CERT/CC).
AOSP is engaged on publishing safety updates to deal with the CVE-2020-26555 and CVE-2020-26558 vulnerabilities affecting Android gadgets.
“Android has assessed this situation as Excessive severity for Android OS and will likely be issuing a patch for this vulnerability in an upcoming Android safety bulletin,” AOSP told CERT/CC.
Cisco can be engaged on patching the CVE-2020-26555 and CVE-2020-26558 points impacting its merchandise.
“Cisco is monitoring these vulnerabilities by way of incident PSIRT-0503777710,” the corporate stated.
“Cisco has investigated the impression of the aforementioned Bluetooth Specification vulnerabilities and is at the moment ready for all the person product improvement groups to supply Software program fixes to deal with them.”
Though affected by a few of the flaws, Intel, Pink Hat, and Cradlepoint didn’t present statements to CERT/CC earlier than the vulnerabilities had been disclosed.