CVE Vulnerability

CVE-2020-11957

The Bluetooth Low Energy implementation in Cypress PSoC Creator BLE 4.2 component versions before 3.64 generates a random number (Pairing Random) with significantly less entropy than the specified 128 bits during BLE pairing. This is the case for both authenticated and unauthenticated pairing with both LE Secure Connections as well as LE Legacy Pairing. A predictable or brute-forceable random number allows an attacker (in radio range) to perform a MITM attack during BLE pairing.

5.4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 5.5 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.cypress.com/file/504466/download Product Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:cypress:psoc_4.2_ble:*:*:*:*:*:*:*:*
Information

Published : 2020-06-09 07:15

Updated : 2020-06-22 01:42

NVD link : CVE-2020-11957

Mitre link : CVE-2020-11957

Products Affected
No products.
CWE
CWE-331

Insufficient Entropy