CVE-2020-26556

Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment.
References
Link Resource
https://kb.cert.org/vuls/id/799380 Third Party Advisory US Government Resource
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/ Vendor Advisory
https://www.kb.cert.org/vuls/id/799380 Third Party Advisory US Government Resource
Configurations

Configuration 1

cpe:2.3:a:bluetooth:mesh_profile:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:bluetooth:mesh_profile:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:bluetooth:bluetooth_core_specification:*:*:*:*:*:*:*:*

Information

Published : 2021-05-24 06:15

Updated : 2022-04-29 02:10


NVD link : CVE-2020-26556

Mitre link : CVE-2020-26556

Products Affected
No products.
CWE
CWE-307

Improper Restriction of Excessive Authentication Attempts