CVE-2019-15948 - OpenCVE

Texas Instruments CC256x and WL18xx dual-mode Bluetooth controller devices, when LE scan mode is used, allow remote attackers to trigger a buffer overflow via a malformed Bluetooth Low Energy advertising packet, to cause a denial of service or potentially execute arbitrary code. This affects CC256xC-BT-SP 1.2, CC256xB-BT-SP 1.8, and WL18xx-BT-SP 4.4.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:A/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Ti	Cc256xc-bt-sp Cc256xb-bt-sp Wl18xx-bt-sp Firmware Cc256xb-bt-sp Firmware Wl18xx-bt-sp Cc256xc-bt-sp Firmware

Configuration 1 [-]

AND

cpe:2.3:o:ti:cc256xc-bt-sp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ti:cc256xc-bt-sp:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:ti:cc256xb-bt-sp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ti:cc256xb-bt-sp:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:ti:wl18xx-bt-sp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ti:wl18xx-bt-sp:-:*:*:*:*:*:*:*

References

Link	Resource
https://e2e.ti.com/support/wireless-connectivity/bluetooth/f/538/t/856161	Third Party Advisory
https://github.com/darkmentorllc/jackbnimble/blob/master/host/pocs/ti_wl18xx_adv_rce.py
https://github.com/darkmentorllc/publications/tree/master/2020/TI_SILABS_BLE_RCEs
https://www.linkedin.com/in/veronica-kovah-2587185	Not Applicable
https://www.youtube.com/watch?v=bk5lOxieqbA

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-11-13T15:06:29

Updated: 2020-08-18T19:50:32

Reserved: 2019-09-05T00:00:00

Link: CVE-2019-15948

JSON object: View

NVD Information

Status : Modified

Published: 2019-11-13T16:15:11.050

Modified: 2020-08-18T20:15:11.137

Link: CVE-2019-15948

JSON object: View

Redhat Information

No data.

CWE

CWE-120

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Texas Instruments CC256x and WL18xx dual-mode Bluetooth controller devices, when LE scan mode is used, allow remote attackers to trigger a buffer overflow via a malformed Bluetooth Low Energy advertising packet, to cause a denial of service or potentially execute arbitrary code. This affects CC256xC-BT-SP 1.2, CC256xB-BT-SP 1.8, and WL18xx-BT-SP 4.4."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-18T19:50:32", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.linkedin.com/in/veronica-kovah-2587185"}, {"tags": ["x_refsource_MISC"], "url": "https://e2e.ti.com/support/wireless-connectivity/bluetooth/f/538/t/856161"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/darkmentorllc/publications/tree/master/2020/TI_SILABS_BLE_RCEs"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/darkmentorllc/jackbnimble/blob/master/host/pocs/ti_wl18xx_adv_rce.py"}, {"tags": ["x_refsource_MISC"], "url": "https://www.youtube.com/watch?v=bk5lOxieqbA"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-15948", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Texas Instruments CC256x and WL18xx dual-mode Bluetooth controller devices, when LE scan mode is used, allow remote attackers to trigger a buffer overflow via a malformed Bluetooth Low Energy advertising packet, to cause a denial of service or potentially execute arbitrary code. This affects CC256xC-BT-SP 1.2, CC256xB-BT-SP 1.8, and WL18xx-BT-SP 4.4."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.linkedin.com/in/veronica-kovah-2587185", "refsource": "MISC", "url": "https://www.linkedin.com/in/veronica-kovah-2587185"}, {"name": "https://e2e.ti.com/support/wireless-connectivity/bluetooth/f/538/t/856161", "refsource": "MISC", "url": "https://e2e.ti.com/support/wireless-connectivity/bluetooth/f/538/t/856161"}, {"name": "https://github.com/darkmentorllc/publications/tree/master/2020/TI_SILABS_BLE_RCEs", "refsource": "MISC", "url": "https://github.com/darkmentorllc/publications/tree/master/2020/TI_SILABS_BLE_RCEs"}, {"name": "https://github.com/darkmentorllc/jackbnimble/blob/master/host/pocs/ti_wl18xx_adv_rce.py", "refsource": "MISC", "url": "https://github.com/darkmentorllc/jackbnimble/blob/master/host/pocs/ti_wl18xx_adv_rce.py"}, {"name": "https://www.youtube.com/watch?v=bk5lOxieqbA", "refsource": "MISC", "url": "https://www.youtube.com/watch?v=bk5lOxieqbA"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-15948", "datePublished": "2019-11-13T15:06:29", "dateReserved": "2019-09-05T00:00:00", "dateUpdated": "2020-08-18T19:50:32", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ti:cc256xc-bt-sp_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1FB29E68-8C4C-4360-9FA6-D96C7E6C6FF5", "versionEndIncluding": "1.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ti:cc256xc-bt-sp:-:*:*:*:*:*:*:*", "matchCriteriaId": "73BD86B3-CEC4-470A-95DB-94B9606E120C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ti:cc256xb-bt-sp_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DCE50D0-6B03-4FB4-934E-E1B6ABBAB2C8", "versionEndIncluding": "1.8", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ti:cc256xb-bt-sp:-:*:*:*:*:*:*:*", "matchCriteriaId": "DD9B5898-B0F4-4363-BC67-6FE008FAFD9A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ti:wl18xx-bt-sp_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1BADC83A-03D1-43C0-AF5E-CEC5B0FD7BFD", "versionEndIncluding": "4.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ti:wl18xx-bt-sp:-:*:*:*:*:*:*:*", "matchCriteriaId": "792E98CF-6A8B-4B19-BA5A-AF74C91FBB39", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Texas Instruments CC256x and WL18xx dual-mode Bluetooth controller devices, when LE scan mode is used, allow remote attackers to trigger a buffer overflow via a malformed Bluetooth Low Energy advertising packet, to cause a denial of service or potentially execute arbitrary code. This affects CC256xC-BT-SP 1.2, CC256xB-BT-SP 1.8, and WL18xx-BT-SP 4.4."}, {"lang": "es", "value": "Los dispositivos controladores de Bluetooth modo dual Texas Instruments CC256x y WL18xx, cuando se utiliza el modo de escaneo LE, permiten a atacantes remotos desencadenar un desbordamiento del b\u00fafer por medio de un paquete de publicidad Bluetooth Low Energy malformado, para causar una denegaci\u00f3n de servicio o potencialmente ejecutar c\u00f3digo arbitrario. Esto afecta a CC256xC-BT-SP versi\u00f3n 1.2, CC256xB-BT-SP versi\u00f3n 1.8 y WL18xx-BT-SP versi\u00f3n 4.4."}], "id": "CVE-2019-15948", "lastModified": "2020-08-18T20:15:11.137", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-13T16:15:11.050", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://e2e.ti.com/support/wireless-connectivity/bluetooth/f/538/t/856161"}, {"source": "cve@mitre.org", "url": "https://github.com/darkmentorllc/jackbnimble/blob/master/host/pocs/ti_wl18xx_adv_rce.py"}, {"source": "cve@mitre.org", "url": "https://github.com/darkmentorllc/publications/tree/master/2020/TI_SILABS_BLE_RCEs"}, {"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "https://www.linkedin.com/in/veronica-kovah-2587185"}, {"source": "cve@mitre.org", "url": "https://www.youtube.com/watch?v=bk5lOxieqbA"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}]}