Lenovo Security Advisory: LEN-22233
Potential Impact: Information disclosure, elevation of privilege, denial of service
Scope of Impact: Industry-wide
CVE Identifier: CVE-2018-5383
The Bluetooth Special Interest Group (SIG) has reported a vulnerability in the standard-specified Bluetooth Secure Simple Pairing and Bluetooth LE Secure Connections pairing processes. This could potentially allow an attacker with wireless visibility to both pairing devices, while pairing is underway, to gain a man-in-the-middle position.
This vulnerability exists only during the pairing stage, when two Bluetooth devices first find each other and establish a persistent relationship (usually by setting up a shared passcode). If the exploit was not carried out successfully during pairing, that paired relationship is not vulnerable. This is true both before and after applying the recommended mitigations.
Mitigation Strategy for Customers (what you should do to protect yourself):
Lenovo’s Bluetooth adapter suppliers recommend updating to the driver and firmware versions (or newer) described for your model in the Product Impact section.
The Bluetooth SIG notes that if either device involved in a pairing operation follows the corrected standard, that pairing operation is fully protected against this vulnerability.
Prior to applying the recommended mitigations, the best way to protect yourself is to perform pairing operations in as secure an environment as possible and to follow typical best practices, in particular not pairing in public places where other Bluetooth devices are numerous.