CVSS3: 6.8 Medium
Attack Vector: ADJACENT_NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS2: 4.3 Medium
Access Vector: ADJACENT_NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:A/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.003 Low
Percentile: 64.2%
Lenovo Security Advisory: LEN-22233
**Potential Impact:** Information disclosure, elevation of privilege, denial of service
Severity: High
Scope of Impact: Industry-wide
**CVE Identifier:** CVE-2018-5383
Summary Description:
The Bluetooth Special Interest Group (SIG) has reported a vulnerability in the standard-specified Bluetooth Secure Simple Pairing and Bluetooth LE Secure Connections pairing processes. This could potentially allow an attacker with wireless visibility to both pairing devices, while pairing is underway, to gain a man-in-the-middle position.
This vulnerability exists only during the pairing stage, when two Bluetooth devices first find each other and establish a persistent relationship (usually setting up a shared passcode). If the exploit was not carried out successfully during pairing, that paired relationship is not vulnerable. This is true both before and after applying the recommended mitigations.
Mitigation Strategy for Customers (what you should do to protect yourself):
Lenovo’s Bluetooth adapter suppliers recommend updating to the driver and firmware versions (or newer) described for your model in the Product Impact section.
The Bluetooth SIG notes that if either device involved in a pairing operation follows the corrected standard, that pairing operation is fully protected against this vulnerability.
Prior to applying the recommended mitigations, the best way to protect yourself is to do pairing operations in as secure an environment as possible and follow typical best practices, especially not pairing in public places where other Bluetooth devices are numerous.
Product Impact: