CVE-2020-26557Improper Authentication in Mesh Profile

CWE-287Improper AuthenticationCWE-863Incorrect Authorization5 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.9%
top 23.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Bluetooth Mesh Profile
Timeline
PublishedMay 24
Latest updateMay 24

Description

Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time).

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages1 packages

NVDbluetooth/mesh_profile1.0.0, 1.0.1+1

🔴Vulnerability Details

3
GHSA
GHSA-gprg-wq36-vj82: Mesh Provisioning in the Bluetooth Mesh profile 12022-05-24
CVEList
CVE-2020-26557: Mesh Provisioning in the Bluetooth Mesh profile 12021-05-24
OSV
CVE-2020-26557: Mesh Provisioning in the Bluetooth Mesh profile 12021-05-24

📋Vendor Advisories

1
Red Hat
kernel: predictable Authvalue in Bluetooth Mesh Provisioning Leads to MITM2021-05-24
CVE-2020-26557 — Improper Authentication | cvebase