LENOVO:PS500175-NOSID
Sep 10, 2018 - 9:55 p.m.

Bluetooth Pairing Key Validation - US

2018-09-10 21:55:00
support.lenovo.com

CVSS3: 6.8 Medium
Attack Vector: ADJACENT_NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS2: 4.3 Medium
Access Vector: ADJACENT_NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:A/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.003 Low
Percentile: 64.2%

Lenovo Security Advisory: LEN-22233

**Potential Impact:** Information disclosure, elevation of privilege, denial of service

Severity: High

Scope of Impact: Industry-wide

**CVE Identifier:** CVE-2018-5383

Summary Description:

The Bluetooth Special Interest Group (SIG) has reported a vulnerability in the standard-specified Bluetooth Secure Simple Pairing and Bluetooth LE Secure Connections pairing processes. This could potentially allow an attacker with wireless visibility to both pairing devices, while pairing is underway, to gain a man-in-the-middle position.

This vulnerability exists only during the pairing stage, when two Bluetooth devices first find each other and establish a persistent relationship (usually by setting up a shared passcode). If the exploit was not carried out successfully during pairing, that paired relationship is not vulnerable. This is true both before and after applying the recommended mitigations.

Mitigation Strategy for Customers (what you should do to protect yourself):

Lenovo’s Bluetooth adapter suppliers recommend updating to the driver and firmware versions (or newer) described for your model in the Product Impact section.

The Bluetooth SIG notes that if either device involved in a pairing operation follows the corrected standard, that pairing operation is fully protected against this vulnerability.
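As an added illustration (not code from Lenovo, the Bluetooth SIG, or any adapter supplier): the public description of CVE-2018-5383 attributes the flaw to missing validation of the peer's elliptic-curve public key during pairing, and the check below shows that validation for the P-256 curve. The 64-byte little-endian X || Y key layout and all function names are assumptions of this example, and the sample keys are constructed from the curve's base point.

```python
# NIST P-256 (secp256r1) domain parameters: y^2 = x^3 + A*x + B (mod P)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Base point G, used here only to construct sample keys.
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def encode_key(x: int, y: int) -> bytes:
    """Serialize a point as X || Y, 32 bytes each, little-endian (assumed layout)."""
    return x.to_bytes(32, "little") + y.to_bytes(32, "little")


def is_valid_peer_key(raw: bytes) -> bool:
    """Return True only if the received public key is a point on P-256.

    A device that rejects keys failing this check before computing the
    shared secret never derives a key from an off-curve point.
    """
    if len(raw) != 64:
        return False  # malformed or truncated key
    x = int.from_bytes(raw[:32], "little")
    y = int.from_bytes(raw[32:], "little")
    if x >= P or y >= P:
        return False  # coordinates must be reduced field elements
    # Curve equation; P-256 has cofactor 1, so on-curve implies correct order.
    return (y * y - (x * x * x + A * x + B)) % P == 0


def accept_pairing(raw_peer_key: bytes) -> str:
    """Pairing decision a receiver makes when the peer's key arrives."""
    return "continue" if is_valid_peer_key(raw_peer_key) else "abort-pairing"


if __name__ == "__main__":
    good = encode_key(GX, GY)          # constructed: genuine curve point
    altered = encode_key(GX, GY + 1)   # constructed: Y changed in transit
    for label, key in (("good", good), ("altered", altered)):
        print(label, accept_pairing(key))
```

Because the check runs on the receiving side, one device performing it is enough to abort a pairing in which the exchanged key was modified, which matches the SIG's note that a single corrected device protects the operation.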

Prior to applying the recommended mitigations, the best way to protect yourself is to do pairing operations in as secure an environment as possible and follow typical best practices, especially not pairing in public places where other Bluetooth devices are numerous.

Product Impact:
