Bluetooth SIG has announced some security notices on the following URL.
Please let me know if CYW20819 has the issue related to CVE-2020-26555 and CVE-2020-26558 or not.
If yes, I'd like to get the patches or workaround.
Thanks
Labels: ModusToolbox Bluetooth SDK
Hi,
Regarding CVE-2020-26555, the suggestion from the SIG is:
"The Bluetooth SIG is recommending that potentially vulnerable devices not initiate or accept connections from remote devices claiming the same BD_ADDR as the local device. The Bluetooth SIG continues to recommend that devices use Secure Simple Pairing or BR/EDR Secure Connections to avoid known vulnerabilities with legacy BR/EDR pairing."
So here, customers can implement logic in their applications to reject the legacy pairing PIN request when the remote BD address is found to be the same as the local one.
Thanks,
-Dheeraj
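The check suggested in the reply above, as an added example that is not part of the original post and is not BTSDK code: a stand-alone gate that refuses connections and pairing requests from a peer claiming the local BD_ADDR, with an optional policy to refuse legacy PIN pairing altogether. All type and function names are hypothetical, and the addresses are constructed samples; in a real application the pairing gate would be called from wherever the stack delivers the PIN request.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BD_ADDR_LEN 6

/* Hypothetical names for illustration; these are not BTSDK APIs. */
typedef enum { PAIR_LEGACY_PIN, PAIR_SSP } pair_method_t;
typedef enum { GATE_ALLOW, GATE_REJECT_SAME_ADDR, GATE_REJECT_LEGACY } gate_result_t;

typedef struct {
    uint8_t local_addr[BD_ADDR_LEN]; /* read once from the controller at startup */
    bool allow_legacy_pin;           /* false when only SSP / Secure Connections is needed */
} gate_policy_t;

/* Applies to both outgoing and incoming BR/EDR connections: a peer that
 * claims our own BD_ADDR is never a legitimate remote device. */
gate_result_t gate_connection(const gate_policy_t *p, const uint8_t *remote)
{
    if (p == NULL || remote == NULL)
        return GATE_REJECT_SAME_ADDR; /* fail closed on missing data */
    if (memcmp(p->local_addr, remote, BD_ADDR_LEN) == 0)
        return GATE_REJECT_SAME_ADDR;
    return GATE_ALLOW;
}

/* Called where the stack asks the application to answer a pairing request. */
gate_result_t gate_pairing(const gate_policy_t *p, const uint8_t *remote,
                           pair_method_t method)
{
    gate_result_t r = gate_connection(p, remote);
    if (r != GATE_ALLOW)
        return r; /* answer the PIN request negatively, never supply a PIN */
    if (method == PAIR_LEGACY_PIN && !p->allow_legacy_pin)
        return GATE_REJECT_LEGACY;
    return GATE_ALLOW;
}

int main(void)
{
    /* Constructed sample addresses, not taken from any real device. */
    const gate_policy_t pol = { {0x00,0x11,0x22,0x33,0x44,0x55}, true };
    const uint8_t same[BD_ADDR_LEN] = {0x00,0x11,0x22,0x33,0x44,0x55};
    const uint8_t peer[BD_ADDR_LEN] = {0x00,0x11,0x22,0x33,0x44,0x56};
    printf("same=%d peer=%d\n", gate_pairing(&pol, same, PAIR_LEGACY_PIN),
           gate_pairing(&pol, peer, PAIR_LEGACY_PIN));
    return 0;
}
```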
Hi,
We will check internally and get back to you.
Thanks,
-Dheeraj
Can I have an update?
I need the information about whether CYW20819 has these vulnerabilities or not, and if yes how to fix it.
Do you have an estimated time-frame of when you expect to get this information?
Regards
Please let me know about CVE-2020-26558 too.
Thanks
Could you tell us about the current status?
Hi,
Regarding CVE-2020-26558.
The fix should be done in both the host and the controller; it is partially completed and released in the latest SDK. The complete fix for the vulnerability will be available in the upcoming BTSDK, to be released by the end of July.
Thanks,
-Dheeraj