CVE-2018-5383Missing Cryptographic Step in Open Source Project Android

CWE-325Missing Cryptographic StepCWE-347Improper Verification of Cryptographic Signature31 documents13 sources
Severity
6.8MEDIUMNVD
OSV3.3
EPSS
0.2%
top 62.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
8
Android Open Source Project AndroidApple IOSApple Macos+5 more
Timeline
PublishedAug 7
Latest updateMay 13

Description

Bluetooth firmware or operating system software drivers in macOS versions before 10.13, High Sierra and iOS versions before 11.4, and Android versions before the 2018-06-05 patch may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 1.6 | Impact: 5.2

Affected Packages8 packages

CVEListV5apple/macos10.13 High Sierra10.13.6
NVDapple/mac_os_x< 10.13
CVEListV5android_open_source_project/androidunspecified2018-06-05 patch level
NVDgoogle/android7 versions+6

🔴Vulnerability Details

8
GHSA
GHSA-3jm5-8qwr-jvwm: Bluetooth firmware or operating system software drivers in macOS versions before 102022-05-13
OSV
linux-aws vulnerabilities2019-09-02
OSV
linux-lts-xenial, linux-aws vulnerabilities2019-08-13
OSV
linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities2019-08-13
OSV
linux, linux-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities2019-08-13

📋Vendor Advisories

16
Ubuntu
Linux firmware vulnerability2020-05-06
Ubuntu
Linux kernel (AWS) vulnerabilities2019-09-02
Ubuntu
Linux kernel (Xenial HWE) vulnerabilities2019-08-13
Ubuntu
Linux kernel vulnerabilities2019-08-13
Ubuntu
Linux kernel vulnerabilities2019-08-13

🕵️Threat Intelligence

2
Sentinelone
Bluetooth Attacks | Don’t Let Your Endpoints Down2019-06-10
Sentinelone
Bluetooth Attacks | Don’t Let Your Endpoints Down2019-06-10

📄Research Papers

1
arXiv
InternalBlue - Bluetooth Binary Patching and Experimentation Framework2019-05-02

💬Community

3
Bugzilla
CVE-2018-5383 kernel: Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange [fedora-all]2018-08-14
Bugzilla
CVE-2018-5383 linux-firmware: kernel: Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange [fedora-all]2018-08-14
Bugzilla
CVE-2018-5383 kernel: Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange2018-08-09
CVE-2018-5383 — Missing Cryptographic Step | cvebase