Bug 1215242 (CVE-2020-26559)

Summary: VUL-0: CVE-2020-26559: kernel-source-rt,kernel-source-azure,kernel-source,bluez: Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: mhocko, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/377980/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1215239
https://bugzilla.suse.com/show_bug.cgi?id=1215554
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2023-09-12 08:43:09 UTC
CVE-2020-26559

Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may
permit a nearby device (participating in the provisioning protocol) to identify
the AuthValue used given the Provisioner’s public key, and the confirmation
number and nonce provided by the provisioning device. This could permit a device
without the AuthValue to complete provisioning without brute-forcing the
AuthValue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26559
Comment 1 Marcus Meissner 2023-09-12 08:49:25 UTC
Joey, could you state whether our software is affected at all, and which?
Comment 4 Joey Lee 2023-12-12 07:57:34 UTC
Sorry for my delay. 

I have read the IEEE paper "BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols" and confirmed that this CVE-2020-26559 is equivalent to CVE-2020-26556 (bsc#1215239). Both of them are the M-A3 attack in the paper.
Comment 5 Joey Lee 2023-12-12 08:20:41 UTC
After reading the IEEE paper "BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols" and the "Mesh Profile Bluetooth ® Specification Revision: v1.0", I set this issue to WONTFIX because the M-A3 attack is against the Link Manager layer in the chip, and the weakness is in the crypto of the Provisioning protocol.

The kernel is NOT aware of the M-A3 attack in the LM layer, so I didn't see any solution or workaround that can be implemented in bluez.

For mitigation, the mesh service is already disabled by default because of boo#1151518, and the bluez package has a warning document:

/usr/share/doc/packages/bluez/README-mesh.SUSE

The bluetooth-mesh dbus system config has been disabled due to security
concerns. See https://bugzilla.opensuse.org/show_bug.cgi?id=1151518 for
details.

If you want to use this feature anyway, copy
bluetooth-mesh.conf to /etc/dbus-1/systemd.d/ and
org.bluez.mesh.service to /etc/dbus-1/system-services/,
then reboot.

If anyone has a better idea, just reopen and put the suggestion on the bug.

Thanks!