CVE-2020-16630 - OpenCVE

TI’s BLE stack caches and reuses the LTK’s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Comparison or OOB. Assume that a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generate an authenticated-and-MITM-protection LTK. If a fake mobile with the victim mobile’s MAC address uses Just Works and pairs with the victim device, the generated LTK still has the property of authenticated-and-MITM-protection. Therefore, the fake mobile can access attributes with the authenticated read/write permission.

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:A/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ti	Easylink 15.4-stack Dynamic Multi-protocal Manager Openthread Z-stack Real-time Operating System Ble5-stack

Configuration 1 [-]

OR	cpe:2.3:a:ti:15.4-stack:-:::::::*
	cpe:2.3:a:ti:ble5-stack:-:::::::*
	cpe:2.3:a:ti:dynamic_multi-protocal_manager:-:::::::*
	cpe:2.3:a:ti:easylink:-:::::::*
	cpe:2.3:a:ti:openthread:-:::::::*
	cpe:2.3:a:ti:z-stack:-:::::::*
	cpe:2.3:o:ti:real-time_operating_system:-:::::::*

References

Link	Resource
http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html	Vendor Advisory
https://www.usenix.org/system/files/sec20-zhang-yue.pdf	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-09-20T19:20:50

Updated: 2021-09-20T19:20:50

Reserved: 2020-08-04T00:00:00

Link: CVE-2020-16630

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-09-20T20:15:11.337

Modified: 2021-10-07T13:13:16.507

Link: CVE-2020-16630

JSON object: View

Redhat Information

No data.

CWE

CWE-863

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "TI\u2019s BLE stack caches and reuses the LTK\u2019s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Comparison or OOB. Assume that a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generate an authenticated-and-MITM-protection LTK. If a fake mobile with the victim mobile\u2019s MAC address uses Just Works and pairs with the victim device, the generated LTK still has the property of authenticated-and-MITM-protection. Therefore, the fake mobile can access attributes with the authenticated read/write permission."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-20T19:20:50", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.usenix.org/system/files/sec20-zhang-yue.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-16630", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "TI\u2019s BLE stack caches and reuses the LTK\u2019s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Comparison or OOB. Assume that a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generate an authenticated-and-MITM-protection LTK. If a fake mobile with the victim mobile\u2019s MAC address uses Just Works and pairs with the victim device, the generated LTK still has the property of authenticated-and-MITM-protection. Therefore, the fake mobile can access attributes with the authenticated read/write permission."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html", "refsource": "MISC", "url": "http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html"}, {"name": "https://www.usenix.org/system/files/sec20-zhang-yue.pdf", "refsource": "MISC", "url": "https://www.usenix.org/system/files/sec20-zhang-yue.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-16630", "datePublished": "2021-09-20T19:20:50", "dateReserved": "2020-08-04T00:00:00", "dateUpdated": "2021-09-20T19:20:50", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ti:15.4-stack:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2973A2C-67E6-4064-A2A9-E4122E201DDF", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:ble5-stack:-:*:*:*:*:*:*:*", "matchCriteriaId": "0E161F37-86D3-4558-91B4-086528A351AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:dynamic_multi-protocal_manager:-:*:*:*:*:*:*:*", "matchCriteriaId": "F9951BB2-E930-4C92-B673-501591679002", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:easylink:-:*:*:*:*:*:*:*", "matchCriteriaId": "74934E63-1140-4F9B-BC05-3739E62B9DE4", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:openthread:-:*:*:*:*:*:*:*", "matchCriteriaId": "B3586ABB-3E4A-4BAD-B9F4-5EB6775AFEF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:z-stack:-:*:*:*:*:*:*:*", "matchCriteriaId": "BA516494-4D9A-4275-A7BA-A82699625477", "vulnerable": true}, {"criteria": "cpe:2.3:o:ti:real-time_operating_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "E289611E-871B-433E-BF10-CDABF650AAC9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "TI\u2019s BLE stack caches and reuses the LTK\u2019s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Comparison or OOB. Assume that a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generate an authenticated-and-MITM-protection LTK. If a fake mobile with the victim mobile\u2019s MAC address uses Just Works and pairs with the victim device, the generated LTK still has the property of authenticated-and-MITM-protection. Therefore, the fake mobile can access attributes with the authenticated read/write permission."}, {"lang": "es", "value": "La pila BLE de TI almacena en cach\u00e9 y reusa la propiedad del LTK para un m\u00f3vil vinculado. Una LTK puede ser una clave no autenticada y sin protecci\u00f3n MITM creada por Just Works o una clave autenticada y con protecci\u00f3n MITM creada por Passkey Entry, Numeric Comparison u OOB. Supongamos que un m\u00f3vil v\u00edctima usa el emparejamiento seguro para emparejarse con un dispositivo BLE v\u00edctima basado en chips TI y genera una LTK autenticada y de protecci\u00f3n MITM. Si un m\u00f3vil falso con la direcci\u00f3n MAC del m\u00f3vil v\u00edctima usa Just Works y se empareja con el dispositivo v\u00edctima, el LTK generado sigue teniendo la propiedad de autenticaci\u00f3n y protecci\u00f3n MITM. Por lo tanto, el m\u00f3vil falso puede acceder a los atributos con el permiso de lectura/escritura autenticado"}], "id": "CVE-2020-16630", "lastModified": "2021-10-07T13:13:16.507", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 5.5, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-20T20:15:11.337", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.usenix.org/system/files/sec20-zhang-yue.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}