CVE-2020-13593 - OpenCVE

The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation in Texas Instruments SimpleLink SIMPLELINK-CC2640R2-SDK through 2.2.3 allows the Diffie-Hellman check during the Secure Connection pairing to be skipped if the Link Layer encryption setup is performed earlier. An attacker in radio range can achieve arbitrary read/write access to protected GATT service data, cause a denial of service, or possibly control a device's function by establishing an encrypted session with an unauthenticated Long Term Key (LTK).

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:A/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Ti	Simplelink-cc2640r2 Software Development Kit

Configuration 1 [-]

cpe:2.3:a:ti:simplelink-cc2640r2_software_development_kit:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.ti.com/tool/BLE-STACK	Vendor Advisory
https://asset-group.github.io/cves.html	Third Party Advisory
https://asset-group.github.io/disclosures/sweyntooth/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-08-31T14:54:16

Updated: 2020-08-31T14:54:16

Reserved: 2020-05-26T00:00:00

Link: CVE-2020-13593

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-08-31T15:15:10.493

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-13593

JSON object: View

Redhat Information

No data.

CWE

CWE-347

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation in Texas Instruments SimpleLink SIMPLELINK-CC2640R2-SDK through 2.2.3 allows the Diffie-Hellman check during the Secure Connection pairing to be skipped if the Link Layer encryption setup is performed earlier. An attacker in radio range can achieve arbitrary read/write access to protected GATT service data, cause a denial of service, or possibly control a device's function by establishing an encrypted session with an unauthenticated Long Term Key (LTK)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-31T14:54:16", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.ti.com/tool/BLE-STACK"}, {"tags": ["x_refsource_MISC"], "url": "https://asset-group.github.io/disclosures/sweyntooth/"}, {"tags": ["x_refsource_MISC"], "url": "https://asset-group.github.io/cves.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-13593", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation in Texas Instruments SimpleLink SIMPLELINK-CC2640R2-SDK through 2.2.3 allows the Diffie-Hellman check during the Secure Connection pairing to be skipped if the Link Layer encryption setup is performed earlier. An attacker in radio range can achieve arbitrary read/write access to protected GATT service data, cause a denial of service, or possibly control a device's function by establishing an encrypted session with an unauthenticated Long Term Key (LTK)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.ti.com/tool/BLE-STACK", "refsource": "MISC", "url": "http://www.ti.com/tool/BLE-STACK"}, {"name": "https://asset-group.github.io/disclosures/sweyntooth/", "refsource": "MISC", "url": "https://asset-group.github.io/disclosures/sweyntooth/"}, {"name": "https://asset-group.github.io/cves.html", "refsource": "MISC", "url": "https://asset-group.github.io/cves.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-13593", "datePublished": "2020-08-31T14:54:16", "dateReserved": "2020-05-26T00:00:00", "dateUpdated": "2020-08-31T14:54:16", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ti:simplelink-cc2640r2_software_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "926AFD8E-FB10-4FDC-AF8B-52C4A067E342", "versionEndIncluding": "2.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation in Texas Instruments SimpleLink SIMPLELINK-CC2640R2-SDK through 2.2.3 allows the Diffie-Hellman check during the Secure Connection pairing to be skipped if the Link Layer encryption setup is performed earlier. An attacker in radio range can achieve arbitrary read/write access to protected GATT service data, cause a denial of service, or possibly control a device's function by establishing an encrypted session with an unauthenticated Long Term Key (LTK)."}, {"lang": "es", "value": "La implementaci\u00f3n del Bluetooth Low Energy Secure Manager Protocol (SMP) en Texas Instruments SimpleLink SIMPLELINK-CC2640R2-SDK versiones hasta 2.2.3, permite omitir una comprobaci\u00f3n de Diffie-Hellman durante el emparejamiento de la Conexi\u00f3n Segura si la configuraci\u00f3n de cifrado de la capa de enlace es llevada a cabo antes. Un atacante dentro del radio de alcance puede lograr acceso arbitrario de lectura y escritura a datos de servicio protegidos por GATT, causar una denegaci\u00f3n de servicio o posiblemente controlar la funci\u00f3n de un dispositivo al establecer una sesi\u00f3n cifrada con una Long Term Key (LTK) no autenticada"}], "id": "CVE-2020-13593", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-31T15:15:10.493", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.ti.com/tool/BLE-STACK"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://asset-group.github.io/cves.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://asset-group.github.io/disclosures/sweyntooth/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}