Bluetooth Pairing Key Validation - US

2018-09-10T21:55:00
ID LENOVO:PS500175-NOSID
Type lenovo
Reporter Lenovo
Modified 2018-09-10T21:58:06

Description

Lenovo Security Advisory: LEN-22233

Potential Impact: Information disclosure, elevation of privilege, denial of service

Severity: High

Scope of Impact: Industry-wide

CVE Identifier: CVE-2018-5383

Summary Description:

The Bluetooth Special Interest Group (SIG) has reported a vulnerability in the standard-specified Bluetooth Secure Simple Pairing and Bluetooth LE Secure Connections pairing processes. This could potentially allow an attacker with wireless visibility to both pairing devices, while pairing is underway, to gain a man-in-the-middle position.

This vulnerability exists only during the pairing stage, when two Bluetooth devices first find each other and establish a persistent relationship (usually setting-up a shared passcode). If the exploit was not carried out successfully during pairing, that paired relationship is not vulnerable. This is true both before and after applying the recommended mitigations.

Mitigation Strategy for Customers (what you should do to protect yourself):

Lenovo’s Bluetooth adapter suppliers recommend updating to the driver and firmware versions (or newer) described for your model in the Product Impact section.

The Bluetooth SIG notes that if either device involved in a pairing operation follows the corrected standard, that pairing operation is fully protected against this vulnerability.

Prior to applying the recommended mitigations, the best way to protect yourself is to do pairing operations in as secure an environment as possible and follow typical best practices, especially not pairing in public places where other Bluetooth devices are numerous.

Product Impact: