Multiple Bluetooth Core Specification Vulnerabilities - Lenovo Support NL

2021-06-0801:15:10

support.lenovo.com

8.8 High

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

5.8 Medium

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:L/Au:N/C:P/I:P/A:P

JSON

**Lenovo Security Advisory:**LEN-51734

**Potential Impact:**Information disclosure, privilege escalation

**Severity:**Medium

**Scope of Impact:**Industry-wide

**CVE Identifier:**CVE-2020-26555, CVE- 2020-26556, CVE-2020-26557, CVE-2020-26558, CVE-2020-26559, CVE-2020-26560

Summary Description:

As reported in CERT Coordination Center (CERT/CC) Vulnerability Note VU#799380, devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing.

Mitigation Strategy for Customers (what you should do to protect yourself):

The Bluetooth SIG recommends users have installed the latest recommended updates from device and operating system manufacturers.

For device updates, update to the version (or later) indicated in the Product Impact section below.

For operating system updates, Lenovo recommends that you contact the vendor of your operating system.

Additional mitigation guidance for each vulnerability has been provided by the Bluetooth SIG, which can be found in VU#799380 and in the Bluetooth SIG Security Notices.