Bug 1215242 (CVE-2020-26559) - VUL-0: CVE-2020-26559: kernel-source-rt,kernel-source-azure,kernel-source,bluez: Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the
Status: RESOLVED WONTFIX
Alias: CVE-2020-26559
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/377980/
Reported: 2023-09-12 08:43 UTC by Marcus Meissner
Modified: 2023-12-12 08:25 UTC
Found By: Security Response Team
Description Marcus Meissner 2023-09-12 08:43:09 UTC
CVE-2020-26559

Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may
permit a nearby device (participating in the provisioning protocol) to identify
the AuthValue used given the Provisioner’s public key, and the confirmation
number and nonce provided by the provisioning device. This could permit a device
without the AuthValue to complete provisioning without brute-forcing the
AuthValue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26559
Comment 1 Marcus Meissner 2023-09-12 08:49:25 UTC
Joey, could you state whether our software is affected at all, and which?
Comment 4 Joey Lee 2023-12-12 07:57:34 UTC
Sorry for my delay. 

I have read the IEEE paper "BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols" and confirmed that this CVE-2020-26559 equals CVE-2020-26556 (bsc#1215239). Both of them are the M-A3 attack in the paper.
Comment 5 Joey Lee 2023-12-12 08:20:41 UTC
After reading the IEEE paper "BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols" and "Mesh Profile Bluetooth ® Specification Revision: v1.0", I set this issue to WONTFIX because the M-A3 attack is against the Link Manager layer in the chip, and the weakness is in the crypto in the Provisioning protocol.

The kernel is NOT aware of the M-A3 attack in the LM layer, so I didn't see any solution or workaround that can be implemented in bluez.

For remission, the mesh service is already disabled by default because of boo#1151518, and the bluez package has a warning document:

/usr/share/doc/packages/bluez/README-mesh.SUSE

The bluetooth-mesh dbus system config has been disabled due to security
concerns. See https://bugzilla.opensuse.org/show_bug.cgi?id=1151518 for
details.

If you want to use this feature anyway, copy
bluetooth-mesh.conf to /etc/dbus-1/systemd.d/ and
org.bluez.mesh.service to /etc/dbus-1/system-services/,
then reboot.

If anyone has a better idea, just reopen and put the suggestion on the bug.

Thanks!
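
An audit check for the default-disabled state described in Comment 5, added here as an example and not part of the bug report or the bluez package. It reports whether the two files named in README-mesh.SUSE are present under /etc; the optional root-prefix argument and the extra look in /etc/dbus-1/system.d (the standard D-Bus system policy directory) are assumptions of this example.

```shell
#!/bin/sh
# Report whether the BlueZ mesh D-Bus files named in README-mesh.SUSE
# have been copied into /etc, i.e. whether mesh was re-enabled by an admin.
# The optional root prefix (for mounted images) is an assumption of this example.

mesh_dbus_state() {
    root="${1:-}"
    policy=0
    service=0

    # Directory as quoted in the README, plus /etc/dbus-1/system.d, the
    # standard D-Bus system bus policy directory.
    for dir in /etc/dbus-1/systemd.d /etc/dbus-1/system.d; do
        if [ -e "${root}${dir}/bluetooth-mesh.conf" ]; then
            policy=1
        fi
    done

    # D-Bus activation file that lets the bus start the mesh daemon on demand.
    if [ -e "${root}/etc/dbus-1/system-services/org.bluez.mesh.service" ]; then
        service=1
    fi

    if [ "$policy" -eq 1 ] && [ "$service" -eq 1 ]; then
        echo "enabled"      # both files present: mesh was switched back on
    elif [ "$policy" -eq 1 ] || [ "$service" -eq 1 ]; then
        echo "partial"      # only one file present: incomplete change, review
    else
        echo "disabled"     # matches the package default
    fi
}

# Audit the running system, or a mounted image if a root prefix is given.
echo "bluez mesh D-Bus activation: $(mesh_dbus_state "${1:-}")"
```

A result of "enabled" or "partial" on a host that is not meant to run Bluetooth Mesh means the default was changed locally and the files should be reviewed.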