CVE-2019-9506
Vulnerability Summary
Description
The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.
CVSS Metrics
- v3.1 • HIGH • Score: 8.1 • CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- v3.0 • HIGH • Score: 7.6 • CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
- v2.0 • MEDIUM • Score: 4.8 • AV:A/AC:L/Au:N/C:P/I:P/A:N
EPSS Trends
Current EPSS score: 4.15% • Percentile: 89%
Techniques & Countermeasures
- CWE-327•Use of a Broken or Risky Cryptographic Algorithm
The product uses a broken or risky cryptographic algorithm or protocol.
- CWE-310•Cryptographic Issues
Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality of data if they are not addressed.
Affected Systems
- apple•iphone_os
12.4
- apple•mac_os_x
10.12.6 | 10.13.6 | 10.14.5
- apple•tvos
12.4
- apple•watchos
5.3
- bluetooth•br/edr
5.1
- canonical•ubuntu_linux
16.04 | 18.04 | 19.04
- debian•debian_linux
8.0
- google•android
na
- huawei•alp-al00b
< 9.1.0.333\(c00e333r2p1t8\)
- huawei•ares-al00b_firmware
< 9.1.0.160\(c00e160r2p5t8\)
- huawei•ares-al10d_firmware
< 9.1.0.160\(c00e160r2p5t8\)
- huawei•ares-tl00c_firmware
< 9.1.0.165\(c01e165r2p5t8\)
- huawei•asoka-al00ax_firmware
< 9.1.1.181\(c00e48r6p1\)
- huawei•atomu-l33_firmware
< 8.0.0.147\(c605custc605d1\)
- huawei•atomu-l41_firmware
< 8.0.0.153\(c461custc461d1\)
- huawei•atomu-l42_firmware
< 8.0.0.155\(c636custc636d1\)
- huawei•barca-al00_firmware
< 8.0.0.366\(c00\)
- huawei•berkeley-al20
< 9.1.0.333\(c00e333r2p1t8\)
- huawei•berkeley-l09
< 9.1.0.332\(c432e5r1p13t8\) | < 9.1.0.350\(c10e3r1p14t8\) | < 9.1.0.350\(c636e4r1p13t8\)
- huawei•berkeley-tl10_firmware
< 9.1.0.333\(c01e333r1p1t8\)
- huawei•bla-al00b
< 9.1.0.329\(c786e320r2p1t8\)
- huawei•bla-l29c
< 9.1.0.300\(c605e2r1p12t8\) | < 9.1.0.306\(c185e2r1p13t8\) | < 9.1.0.306\(c432e4r1p11t8\) | < 9.1.0.306\(c636e2r1p13t8\) | < 9.1.0.307\(c635e4r1p13t8\)
- huawei•bla-tl00b_firmware
< 9.1.0.329\(c01e320r1p1t8\)
- huawei•cairogo-l22_firmware
< cairogo-l22c461b153
- huawei•charlotte-l29c
< 9.1.0.311\(c605e2r1p11t8\) | < 9.1.0.325\(c185e4r1p11t8\) | < 9.1.0.325\(c636e2r1p12t8\) | < 9.1.0.328\(c432e5r1p9t8\) | < 9.1.0.328\(c782e10r1p9t8\)
- huawei•columbia-al10b
< 9.1.0.333\(c00e333r1p1t8\)
- huawei•columbia-al10i_firmware
< 9.1.0.335\(c675e8r1p9t8\)
- huawei•columbia-l29d
< 9.1.0.350\(c10e5r1p14t8\) | < 9.1.0.350\(c185e3r1p12t8\) | < 9.1.0.350\(c461e3r1p11t8\) | < 9.1.0.350\(c636e3r1p13t8\) | < 9.1.0.351\(c432e5r1p13t8\)
- huawei•columbia-tl00d_firmware
< 8.1.0.186\(c01gt\)
- huawei•cornell-al00a
< 9.1.0.333\(c00e333r1p1t8\)
- huawei•cornell-al00i_firmware
< 9.1.0.363\(c675e3r1p9t8\)
- huawei•cornell-al00ind_firmware
< 8.2.0.141\(c675custc675d1gt\)
- huawei•cornell-al10ind_firmware
< 9.1.0.363\(c675e2r1p9t8\)
- huawei•cornell-l29a
< 9.1.0.336\(c636e2r1p12t8\) | < 9.1.0.341\(c185e1r1p9t8\) | < 9.1.0.342\(c461e1r1p9t8\) | < 9.1.0.347\(c432e1r1p9t8\)
- huawei•cornell-tl10b_firmware
< 9.1.0.333\(c01e333r1p1t8\)
- huawei•dubai-al00a_firmware
< 8.2.0.190\(c00r2p2\)
- huawei•dura-al00a_firmware
< 1.0.0.182\(c00\)
- huawei•dura-tl00a_firmware
< 1.0.0.176\(c01\)
- huawei•emily-l29c
8.1.0.156\(c605\) | < 9.1.0.311\(c461e2r1p11t8\) | < 9.1.0.325\(c185e2r1p12t8\) | < 9.1.0.325\(c636e7r1p13t8\) | < 9.1.0.326\(c635e2r1p11t8\) | < 9.1.0.328\(c432e7r1p11t8\)
- huawei•ever-l29b
< 9.1.0.338\(c185e3r3p1\)
- huawei•figo-l23
< 9.1.0.160\(c605e6r1p5t8\)
- huawei•figo-l31
8.0.0.122d\(c652\) | < 9.1.0.122\(c09e7r1p5t8\) | < 9.1.0.137\(c33e8r1p5t8\) | < 9.1.0.137\(c530e8r1p5t8\) | < 9.1.0.158\(c432e8r1p5t8\) | < 9.1.0.165\(c10e8r1p5t8\)
- huawei•figo-tl10b_firmware
< 9.1.0.130\(c01e115r2p8t8\)
- huawei•florida-al20b_firmware
< 9.1.0.128\(c00e112r1p6t8\)
- huawei•florida-l21
< 9.1.0.150\(c185e6r1p5t8\) | < 9.1.0.150\(c432e6r1p5t8\)
- huawei•florida-l22
< 9.1.0.150\(c636e6r1p5t8\)
- huawei•florida-l23
< 9.1.0.154\(c605e7r1p2t8\)
- huawei•florida-tl10b_firmware
< 9.1.0.128\(c01e112r1p6t8\)
- huawei•harry-al00c_firmware
na
- huawei•harry-al10b_firmware
na
Showing first 50 affected entries in server-rendered view.
References (30)
- https://www.kb.cert.org/vuls/id/918987/
- http://www.cs.ox.ac.uk/publications/publication12404-abstract.html
- https://www.usenix.org/conference/usenixsecurity19/presentation/antonioli
- https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/
- http://seclists.org/fulldisclosure/2019/Aug/14
- http://seclists.org/fulldisclosure/2019/Aug/11
- http://seclists.org/fulldisclosure/2019/Aug/13
- http://seclists.org/fulldisclosure/2019/Aug/15
- http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190828-01-knob-en
- https://usn.ubuntu.com/4115-1/
- https://usn.ubuntu.com/4118-1/
- https://lists.debian.org/debian-lts-announce/2019/09/msg00014.html
- https://lists.debian.org/debian-lts-announce/2019/09/msg00015.html
- https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html
- https://usn.ubuntu.com/4147-1/
- https://access.redhat.com/errata/RHSA-2019:2975
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00037.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00036.html
- https://access.redhat.com/errata/RHSA-2019:3076
- https://access.redhat.com/errata/RHSA-2019:3055
- https://access.redhat.com/errata/RHSA-2019:3089
- https://access.redhat.com/errata/RHSA-2019:3187
- https://access.redhat.com/errata/RHSA-2019:3165
- https://access.redhat.com/errata/RHSA-2019:3217
- https://access.redhat.com/errata/RHSA-2019:3220
- https://access.redhat.com/errata/RHSA-2019:3231
- https://access.redhat.com/errata/RHSA-2019:3218
- https://access.redhat.com/errata/RHSA-2019:3309
- https://access.redhat.com/errata/RHSA-2019:3517
- https://access.redhat.com/errata/RHSA-2020:0204