lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20231001080551.GB8209@linux-l9pv.suse>
Date:   Sun, 1 Oct 2023 16:05:51 +0800
From:   joeyli <jlee@...e.com>
To:     Marcel Holtmann <marcel@...tmann.org>,
        Johan Hedberg <johan.hedberg@...il.com>,
        Luiz Augusto von Dentz <luiz.dentz@...il.com>
Cc:     linux-kernel@...r.kernel.org, linux-bluetooth@...r.kernel.org
Subject: Re: [PATCH 0/2] Bluetooth: ignore NULL link key and reject connection

Hi experts,

On Sun, Oct 01, 2023 at 03:45:24PM +0800, Lee, Chun-Yi wrote:
> with the device which has same BD_ADDR
>  
> This patch set is used to relieve CVE-2020-26555. The description of the
> CVE:
> 
> Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
> 1.0B through 5.2 may permit an unauthenticated nearby device to spoof
> the BD_ADDR of the peer device to complete pairing without knowledge
> of the PIN. [1]
> 
> The detail of this attack is in IEEE paper:
> BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
> [2]
> 
> It's a reflection attack. The paper mentioned that attacker can induce
> the attacked target to generate null link key (zero key) without PIN
> code. In BR/EDR, the key generation is actually handled in the controller
> which is below HCI.
> 
> Thus, we can ignore null link key in the handler of "Link Key Notification
> event" to relieve the attack. And, a condition of this attack is that
> attacker should change the BR_ADDR of his hacking device (Host B) to equal
> to the BR_ADDR with the target device being attacked (Host A). So we reject
> the connection with device which has same BD_ADDR both on HCI_Create_Connection
> and HCI_Connection_Request to prevent the attack.
> 
> Similar implementations also show in btstack project. [3][4][5]
> 
> Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
> Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [4]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [5]
> 
> Lee, Chun-Yi (2):
>   Bluetooth: hci_event: Ignore NULL link key
>   Bluetooth: Reject connection with the device which has same BD_ADDR
> 
>  net/bluetooth/hci_conn.c  |  7 +++++++
>  net/bluetooth/hci_event.c | 16 ++++++++++++++++
>  2 files changed, 23 insertions(+)
> 
> -- 
> 2.35.3
> 
> >From 2c6cd3f353d21086a3163a9ad461789d203a7ee4 Mon Sep 17 00:00:00 2001
> From: "Lee, Chun-Yi" <jlee@...e.com>
> Date: Sat, 30 Sep 2023 16:56:56 +0800
> Subject: [PATCH 0/2] Bluetooth: ignore NULL link key and reject connection 
> with the device which has same BD_ADDR
>  

Please ignore this patch set because I used wrong mutt command to send out
patch. It causes that the mail has duplicate contents. I will send out a
new series.

Sorry for any inconvenience caused!

Joey Lee

> This patch set is used to relieve CVE-2020-26555. The description of the
> CVE:
> 
> Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
> 1.0B through 5.2 may permit an unauthenticated nearby device to spoof
> the BD_ADDR of the peer device to complete pairing without knowledge
> of the PIN. [1]
> 
> The detail of this attack is in IEEE paper:
> BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
> [2]
> 
> It's a reflection attack. The paper mentioned that attacker can induce
> the attacked target to generate null link key (zero key) without PIN
> code. In BR/EDR, the key generation is actually handled in the controller
> which is below HCI.
> 
> Thus, we can ignore null link key in the handler of "Link Key Notification
> event" to relieve the attack. And, a condition of this attack is that
> attacker should change the BR_ADDR of his hacking device (Host B) to equal
> to the BR_ADDR with the target device being attacked (Host A). So we reject
> the connection with device which has same BD_ADDR both on HCI_Create_Connection
> and HCI_Connection_Request to prevent the attack.
> 
> Similar implementations also show in btstack project. [3][4][5]
> 
> Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
> Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [4]
> Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [5]
> 
> Lee, Chun-Yi (2):
>   Bluetooth: hci_event: Ignore NULL link key
>   Bluetooth: Reject connection with the device which has same BD_ADDR
> 
>  net/bluetooth/hci_conn.c  |  7 +++++++
>  net/bluetooth/hci_event.c | 16 ++++++++++++++++
>  2 files changed, 23 insertions(+)
> 
> -- 
> 2.35.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ