CVE-2020-26558

NameCVE-2020-26558
DescriptionBluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2689-1, DLA-2690-1, DLA-2692-1, DSA-4951-1, ELA-445-1, ELA-458-1
Debian Bugs989614

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bluez (PTS)jessie, jessie (lts)5.43-2+deb9u2~deb8u6fixed
stretch (security)5.43-2+deb9u5fixed
stretch (lts), stretch5.43-2+deb9u8fixed
buster, buster (lts)5.50-1.2~deb10u6fixed
buster (security)5.50-1.2~deb10u5fixed
bullseye5.55-3.1+deb11u1fixed
bullseye (security)5.55-3.1+deb11u2fixed
bookworm5.66-1+deb12u2fixed
bookworm (security)5.66-1+deb12u1fixed
sid, trixie5.77-1fixed
linux (PTS)jessie, jessie (lts)3.16.84-1vulnerable
stretch (security)4.9.320-2fixed
stretch (lts), stretch4.9.320-3fixed
buster (security), buster, buster (lts)4.19.316-1fixed
bullseye5.10.223-1fixed
bullseye (security)5.10.226-1fixed
bookworm6.1.106-3fixed
bookworm (security)6.1.112-1fixed
trixie6.10.11-1fixed
sid6.11.2-1fixed
linux-4.19 (PTS)stretch (security)4.19.232-1~deb9u1fixed
stretch (lts), stretch4.19.316-1~deb9u1fixed
linux-4.9 (PTS)jessie, jessie (lts)4.9.303-1~deb8u3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bluezsourcejessie5.43-2+deb9u2~deb8u3ELA-445-1
bluezsourcestretch5.43-2+deb9u4DLA-2692-1
bluezsourcebuster5.50-1.2~deb10u2DSA-4951-1
bluezsource(unstable)5.55-3.1989614
linuxsourcejessie(unfixed)end-of-life
linuxsourcestretch4.9.272-1DLA-2689-1
linuxsourcebuster4.19.194-1
linuxsource(unstable)5.10.40-1
linux-4.19sourcestretch4.19.194-1~deb9u1DLA-2690-1
linux-4.9sourcejessie4.9.272-1~deb8u2ELA-458-1

Notes

https://kb.cert.org/vuls/id/799380
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/passkey-entry/
https://bugzilla.redhat.com/show_bug.cgi?id=1918602
https://git.kernel.org/linus/6d19628f539fccf899298ff02ee4c73e4bf6df3f
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00517.html
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738

Search for package or bug name: Reporting problems