
Security Bulletin: BLE Security Vulnerabilities CVE-2019-16336 and CVE-2019-17061

SaraLeslie, Community Manager

Cypress has reviewed recent reports on BLE security vulnerabilities outlined in CVE-2019-16336 and CVE-2019-17061. Our customers can receive updates by creating a support case through our secure support portal or by contacting their Cypress representative.

If you believe you have identified a vulnerability in any Cypress product, please visit our security response page and email the Product Security Incident Response Team (PSIRT) at psirt@cypress.com.

ToWe_1673171, Level 2

Hi SaraL_86, I tried to open a support case at https://cypress.force.com/customer but it took me back to CDC3.

According to nist.gov, versions up to 3.62 are vulnerable to NVD CVE-2019-17061, and versions up to 3.61 are vulnerable to NVD CVE-2019-16336.

I suppose by 3.62 and 3.61, they mean the BLE component versions.

The latest PSoC Creator BLE Component available is 3.63, released on Oct 30, 2019. Could you confirm that 3.63 is immune to both vulnerabilities? We are a medical device manufacturer and need the status on file. Thanks!!

--Tony

SaraLeslie, Community Manager

Hello Tony,

I have escalated this. Thank you for your detailed response here. I will track this and make sure we get the right team following up.

Sara

Yugandhar, Moderator

Hello ToWe_1673171,

Yes, 3.62 and 3.61 are Cypress PSoC 4 BLE Component versions.

The Link Layer Length Overflow attack (CVE-2019-16336) is not completely fixed in BLE component v3.63. We are presently fixing the bugs/additional vulnerabilities in BLE Stack 3.64, which will be released as part of component v3.64 soon (testing is in progress). Once the component is released, we request you to upgrade to that new component.

Thanks,
P Yugandhar.

ToWe_1673171, Level 2

The release notes of 3.64 clearly indicate that both vulnerabilities are fixed -- exactly what I need. Good job!!

Thanks,

--Tony
