Security Advisory - Improper Authentication Vulnerability in Bluetooth Affect Several Huawei Products

2020-08-0500:00:00

Huawei Technologies

www.huawei.com

157

5.4 Medium

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

4.8 Medium

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:A/AC:L/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

45.6%

JSON

There is an improper authentication vulnerability in Bluetooth affect several Huawei products. Legacy pairing and secure-connections pairing authentication in Bluetooth® BR/EDR Core Specification v5.2 and earlier may allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. (Vulnerability ID: HWPSIRT-2020-04109)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-10135.

Huawei has released software updates to fix this vulnerability. This advisory is available at the following link:

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200805-01-bluetooth-en

CPENameOperatorVersion
ares-al00blt9.1.0.165
ares-al10dlt9.1.0.165
columbia-al10blt9.1.0.333
columbia-al10ilt9.1.0.335
columbia-l29dlt9.1.0.352
columbia-l29dlt9.1.0.355
cornell-al00indlt9.1.0.336
cornell-tl10blt9.1.0.336
dura-al00alt1.0.0.190
dura-tl00alt1.0.0.184

Name	Operator	Version
ares-al00b	lt	9.1.0.165
ares-al10d	lt	9.1.0.165
columbia-al10b	lt	9.1.0.333
columbia-al10i	lt	9.1.0.335
columbia-l29d	lt	9.1.0.352
columbia-l29d	lt	9.1.0.355
cornell-al00ind	lt	9.1.0.336
cornell-tl10b	lt	9.1.0.336
dura-al00a	lt	1.0.0.190
dura-tl00a	lt	1.0.0.184