CVE-2020-26558

NameCVE-2020-26558
DescriptionBluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2689-1, DLA-2690-1, DLA-2692-1, DSA-4951-1
NVD severitymedium
Debian Bugs989614

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bluez (PTS)stretch5.43-2+deb9u2vulnerable
stretch (security)5.43-2+deb9u4fixed
buster5.50-1.2~deb10u1vulnerable
buster (security)5.50-1.2~deb10u2fixed
bullseye5.55-3.1fixed
bookworm, sid5.61-1fixed
linux (PTS)stretch4.9.228-1vulnerable
stretch (security)4.9.272-2fixed
buster4.19.194-1fixed
buster (security)4.19.194-3fixed
bookworm, sid, bullseye5.10.46-4fixed
linux-4.19 (PTS)stretch (security)4.19.194-3~deb9u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bluezsourcestretch5.43-2+deb9u4DLA-2692-1
bluezsourcebuster5.50-1.2~deb10u2DSA-4951-1
bluezsource(unstable)5.55-3.1989614
linuxsourcestretch4.9.272-1DLA-2689-1
linuxsourcebuster4.19.194-1
linuxsource(unstable)5.10.40-1
linux-4.19sourcestretch4.19.194-1~deb9u1DLA-2690-1

Notes

https://kb.cert.org/vuls/id/799380
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/passkey-entry/
https://bugzilla.redhat.com/show_bug.cgi?id=1918602
https://git.kernel.org/linus/6d19628f539fccf899298ff02ee4c73e4bf6df3f
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00517.html
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738

Search for package or bug name: Reporting problems