CVE-2020-12856 — Packages Apps Bluetooth vulnerability

5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

10.8%

top 6.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Hardware Libhardware Platform Packages Apps Bluetooth Platform System BT +1 more

Timeline

PublishedMay 18

Latest updateMay 24

Description

OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶Androidplatform/packages_apps_bluetooth11-next:0 — 11-next:2020-11-01+5

▶NVDhealth/covidsafe1.0.17

▶Androidplatform/system_bt11-next:0 — 11-next:2020-11-01+5

▶Androidplatform/hardware_libhardware8.0:0 — 8.0:2020-11-01+1

🔴Vulnerability Details

GHSA

GHSA-9q2w-3c47-gq6j: OpenTrace, as used in COVIDSafe through v1↗2022-05-24

▶

OSV

CVE-2020-12856: In smp_decide_association_model of smp_act↗2020-11-01

▶

CVEList

CVE-2020-12856: OpenTrace, as used in COVIDSafe through v1↗2020-05-18

▶

📋Vendor Advisories

Android

CVE-2020-12856: Android Security Bulletin 2020-11-01 CVE: CVE-2020-12856 Severity: HIGH Type: EoP Affected AOSP versions: 8↗2020-11-01

▶