An impersonation attack vulnerability was found in the Linux kernel’s Bluetooth Mesh Profile implementation. The Mesh Provisioning procedure has a flaw that allows an attacker without knowledge of the AuthValue to spoof a provisioned device and use crafted responses that appear to possess the AuthValue. This issue permits an attacker to be issued a valid NetKey and potentially an AppKey. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
For this attack to be successful, an attacking device needs to be within the wireless range of a Mesh Provisioner and either spoof the identity of a device being provisioned over the air or be directly provisioned onto a subnet controlled by the provisioner. After successfully authenticating without the AuthValue, the attacker can perform any operation permitted to a node provisioned on the subnet until it is either denied access or a new subnet is formed without the attacking node present.