CVE-2020-26556

Published: May 24, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment.

Affected (3)

Products: Bluetooth: Bluetooth Core Specification, Mesh Profile

2 products

Bluetooth Core Specification

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Bluetooth Bluetooth Core Specification	From 1.0b to 5.2
Bluetooth Mesh Profile	Version 1.0.0
Bluetooth Mesh Profile	Version 1.0.1

Related CWEs

Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

References (6)

https://kb.cert.org/vuls/id/799380

Source: cve@mitre.org

Third Party AdvisoryUS Government Resource

https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/

Source: cve@mitre.org

Vendor Advisory

https://www.kb.cert.org/vuls/id/799380

Source: cve@mitre.org

Third Party AdvisoryUS Government Resource

https://kb.cert.org/vuls/id/799380

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.kb.cert.org/vuls/id/799380

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.