LENOVO:PS500267-ENCRYPTION-KEY-NEGOTIATION-OF-BLUETOOTH-VULNERABILITY-NOSID
Aug 13, 2019 - 3:18 p.m.

Encryption Key Negotiation of Bluetooth Vulnerability - Lenovo Support US

2019-08-13 15:18:05
support.lenovo.com
CVSS3: 8.1 High
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS2: 4.8 Medium
Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:A/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.001 Low
Percentile: 42.5%

Lenovo Security Advisory: LEN-27173

Potential Impact: Information disclosure, privilege escalation

**Severity:** High

Scope of Impact: Industry-wide

CVE Identifier: CVE-2019-9506, CVE-2020-10135

Summary Description:

Update 2020-06-23:

As reported by the Bluetooth SIG, researchers at the École Polytechnique Fédérale de Lausanne (EPFL) have identified a security vulnerability related to pairing in Bluetooth BR/EDR connections. This vulnerability is referred to by the researchers as Bluetooth Impersonation Attacks (BIAS). The researchers identified that it is possible for an attacking device spoofing the address of a previously bonded remote device to successfully complete the authentication procedure with some paired/bonded devices while not possessing the link key. This may permit an attacker to negotiate a reduced encryption key strength with a device that is still vulnerable to the Key Negotiation of Bluetooth (KNOB) attack disclosed in 2019. If the encryption key length reduction is successful, an attacker may be able to brute force the encryption key and spoof the remote paired device. If the encryption key length reduction is unsuccessful, the attacker will not be able to establish an encrypted link but may still appear authenticated to the host.

As reported in CERT Coordination Center Vulnerability Note VU#918987, the Bluetooth BR/EDR standard encryption key negotiation protocol is vulnerable to packet injection that could allow an unauthenticated user to decrease the size of the entropy of the encryption key, potentially causing information disclosure and/or escalation of privileges via adjacent access. Any system or device using Bluetooth BR/EDR is potentially affected as this is a protocol level vulnerability. This vulnerability is referred to by the researchers as Key Negotiation Of Bluetooth (KNOB).

Mitigation Strategy for Customers (what you should do to protect yourself):

To protect systems running Windows, Microsoft has released a software update that enforces a default 7-octet minimum key length to ensure that the key negotiation does not trivialize the encryption. This functionality is disabled by default when the update is installed. To mitigate these vulnerabilities, KNOB and BIAS, customers must apply the Microsoft update AND enable the update’s functionality by setting a specific flag in the registry. See Microsoft’s advisory for the full mitigation guidance.
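The effect of an enforced minimum key length on the negotiation can be modelled as follows. This is an added example, not code from Lenovo, Microsoft or the Bluetooth SIG: it is a simplified model in which the `Device` class, the message labels and the `in_transit` hook are assumptions made for illustration, and the 1 to 16 octet range is the one BR/EDR permits.

```python
# Added illustration (not vendor code): simplified model of BR/EDR encryption
# key size negotiation. Device, the message labels and in_transit are constructed.
from dataclasses import dataclass

SPEC_MIN, SPEC_MAX = 1, 16  # key size range in octets permitted by BR/EDR


@dataclass
class Device:
    name: str
    l_min: int = SPEC_MIN   # smallest key size local policy accepts
    l_max: int = SPEC_MAX   # largest key size the device supports


def negotiate(initiator, responder, in_transit=lambda size: size):
    """Return (agreed_octets or None, transcript).

    in_transit models that the proposal is not integrity protected: the value
    that arrives may differ from the value sent. Simplification: both
    endpoints are assumed to end up evaluating the value that arrived.
    """
    sender, receiver = initiator, responder
    size, log = initiator.l_max, []
    for _ in range(SPEC_MAX):  # bounded number of rounds
        size = in_transit(size)
        log.append(f"{sender.name} -> {receiver.name}: key_size_req({size})")
        for dev in (receiver, sender):
            if size < dev.l_min:
                log.append(f"{dev.name}: not_accepted ({size} < minimum {dev.l_min})")
                return None, log
        if size <= receiver.l_max:
            log.append(f"{receiver.name} -> {sender.name}: accepted({size})")
            return size, log
        # Receiver cannot support this size: it counter-proposes its own maximum.
        size = receiver.l_max
        sender, receiver = receiver, sender
    return None, log


if __name__ == "__main__":
    headset = Device("headset")             # accepts anything in the spec range
    unpatched = Device("laptop", l_min=1)   # no minimum enforced
    enforcing = Device("laptop", l_min=7)   # 7-octet minimum from the advisory
    shrink = lambda size: 1                 # constructed: proposal lowered in transit
    for laptop in (unpatched, enforcing):
        agreed, log = negotiate(laptop, headset, in_transit=shrink)
        print(f"l_min={laptop.l_min}: agreed={agreed}")
        print("  " + "\n  ".join(log))
```

With no minimum enforced the lowered proposal is accepted; with the 7-octet minimum the same exchange ends in a refusal, so no encrypted link is set up with a trivial key.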

References:

CERT/CC Vulnerability Note VU#918987: <https://www.kb.cert.org/vuls/id/918987>

Microsoft Advisory: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-9506>

Bluetooth SIG statement on KNOB: <https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/>

Android Security KNOB Bulletin: <https://source.android.com/security/bulletin/2019-08-01>

Bluetooth SIG statement on BIAS: <https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/bias-vulnerability/>

Revision History:

| Revision | Date | Description |
|---|---|---|
| 3 | 2020-06-23 | Updated Summary, Mitigation and References for BIAS issue, added CVE |
| 2 | 2019-10-11 | Updated References to include Android’s security bulletin |
| 1 | 2019-08-13 | Initial release |

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
