CVE-2018-5383: Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange
First published: Fri Jun 01 2018(Updated: )
A vulnerability in Bluetooth pairing potentially allows an attacker with physical proximity (within 30 meters) to gain unauthorized access via an adjacent network, intercept traffic and send forged pairing messages between two vulnerable Bluetooth devices. This may result in information disclosure, elevation of privilege and/or denial of service. External References: <a href="https://www.kb.cert.org/vuls/id/304725">https://www.kb.cert.org/vuls/id/304725</a> <a href="https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00128.html">https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00128.html</a> <a href="https://www.bluetooth.com/news/unknown/2018/07/bluetooth-sig-security-update">https://www.bluetooth.com/news/unknown/2018/07/bluetooth-sig-security-update</a>
Credit: Lior Neumann Eli Biham cret@cert.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/firmware-nonfree | 20210315-3 20230210-5 20241210-1 | |
| tvOS | <12 | 12 |
| Android | ||
| macOS High Sierra | <10.13.5 | 10.13.5 |
| macOS High Sierra | ||
| Apple El Capitan | ||
| macOS Mojave | <10.14 | 10.14 |
| Apple iOS, iPadOS, and watchOS | <12 | 12 |
| Android | =6.0 | |
| Android | =6.0.1 | |
| Android | =7.0 | |
| Android | =7.1.1 | |
| Android | =7.1.2 | |
| Android | =8.0 | |
| Android | =8.1 | |
| iStyle @cosme iPhone OS | <11.4 | |
| Apple iOS and macOS | <10.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.cs.technion.ac.il/~biham/BT/
- https://www.bluetooth.com/news/unknown/2018/07/bluetooth-sig-security-update
- https://www.kb.cert.org/vuls/id/304725
- http://www.securityfocus.com/bid/104879
- http://www.securitytracker.com/id/1041432
- https://lists.debian.org/debian-lts-announce/2019/04/msg00005.html
- https://access.redhat.com/errata/RHSA-2019:2169
- https://usn.ubuntu.com/4094-1/
- https://usn.ubuntu.com/4095-1/
- https://usn.ubuntu.com/4095-2/
- https://usn.ubuntu.com/4118-1/
- https://usn.ubuntu.com/4351-1/
- https://launchpad.net/bugs/cve/CVE-2018-5383
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00128.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1615683
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1615706
- https://access.redhat.com/security/cve/cve-2018-5383
- https://bugzilla.redhat.com/show_bug.cgi?id=1614159
- https://support.apple.com/en-us/HT209139 (Advisory)
- https://support.apple.com/en-us/HT208937 (Advisory)
- https://support.apple.com/en-us/HT208849 (Advisory)
- https://support.apple.com/en-us/HT209107 (Advisory)
- https://support.apple.com/en-us/HT209106 (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2018-5383
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5383
- https://nvd.nist.gov/vuln/detail/CVE-2018-5383
- https://ubuntu.com/security/CVE-2018-5383
- https://source.android.com/docs/security/bulletin/2018-08-01/#asterisk
- https://source.android.com/docs/security/bulletin/2018-08-01
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2018-4321
- CVE-2018-5383
- CVE-2018-4126
- CVE-2018-4412
- CVE-2018-4414
- CVE-2018-4347
- CVE-2018-4433
- CVE-2018-4426
- CVE-2018-4331
- CVE-2018-4332
- CVE-2018-4343
- CVE-2018-4408
- CVE-2018-4341
- CVE-2018-4354
- CVE-2018-4383
- CVE-2018-4401
- CVE-2018-4305
- CVE-2018-4399
- CVE-2018-4407
- CVE-2018-4363
- CVE-2018-4336
- CVE-2018-4337
- CVE-2018-4340
- CVE-2018-4344
- CVE-2018-4425
- CVE-2018-4313
- CVE-2016-1777
- CVE-2018-4395
- CVE-2018-4203
- CVE-2018-4304
- CVE-2018-4316
- CVE-2018-4345
- CVE-2018-4191
- CVE-2018-4299
- CVE-2018-4359
- CVE-2018-4323
- CVE-2018-4358
- CVE-2018-4328
- CVE-2018-4197
- CVE-2018-4318
- CVE-2018-4306
- CVE-2018-4312
- CVE-2018-4314
- CVE-2018-4315
- CVE-2018-4317
- CVE-2018-4309
- CVE-2018-4361
- CVE-2018-4474
- CVE-2018-4360
- CVE-2018-4196
- CVE-2018-4253
- CVE-2018-4256
- CVE-2018-4255
- CVE-2018-4254
- CVE-2018-4258
- CVE-2018-4257
- CVE-2018-7584
- CVE-2018-4219
- CVE-2018-4171
- CVE-2018-4194
- CVE-2018-4180
- CVE-2018-4181
- CVE-2018-4182
- CVE-2018-4183
- CVE-2018-4478
- CVE-2018-4251
- CVE-2018-4211
- CVE-2018-4229
- CVE-2018-4159
- CVE-2018-4242
- CVE-2018-4202
- CVE-2018-4217
- CVE-2018-4141
- CVE-2018-4228
- CVE-2018-4236
- CVE-2018-4234
- CVE-2018-4249
- CVE-2018-8897
- CVE-2018-4241
- CVE-2018-4243
- CVE-2018-4237
- CVE-2018-4404
- CVE-2018-4227
- CVE-2018-4235
- CVE-2018-4240
- CVE-2018-4230
- CVE-2018-4221
- CVE-2018-4223
- CVE-2018-4224
- CVE-2018-4225
- CVE-2018-4226
- CVE-2018-4184
- CVE-2018-4198
- CVE-2018-4193
- CVE-2018-4470
- CVE-2018-4289
- CVE-2018-4268
- CVE-2018-4285
- CVE-2018-4293
- CVE-2018-4269
- CVE-2018-4276
- CVE-2018-4178
- CVE-2018-4456
- CVE-2018-4283
- CVE-2018-3665
- CVE-2018-4259
- CVE-2018-4286
- CVE-2018-4287
- CVE-2018-4288
- CVE-2018-4291
- CVE-2018-4280
- CVE-2018-4248
- CVE-2018-4277
- CVE-2018-6797
- CVE-2018-6913
- CVE-2017-0898
- CVE-2017-10784
- CVE-2017-14033
- CVE-2017-14064
- CVE-2017-17405
- CVE-2017-17742
- CVE-2018-6914
- CVE-2018-8777
- CVE-2018-8778
- CVE-2018-8779
- CVE-2018-8780
- CVE-2018-4274
- CVE-2018-4295
- CVE-2018-4324
- CVE-2018-4417
- CVE-2018-4353
- CVE-2017-12613
- CVE-2017-12618
- CVE-2018-4411
- CVE-2018-4308
- CVE-2018-4333
- CVE-2018-4153
- CVE-2018-4406
- CVE-2018-4346
- CVE-2018-4296
- CVE-2019-8643
- CVE-2017-5731
- CVE-2017-5732
- CVE-2017-5733
- CVE-2017-5734
- CVE-2017-5735
- CVE-2018-3646
- CVE-2018-4355
- CVE-2018-4396
- CVE-2018-4418
- CVE-2018-4351
- CVE-2018-4350
- CVE-2018-4334
- CVE-2018-4451
- CVE-2015-3194
- CVE-2015-5333
- CVE-2015-5334
- CVE-2016-0702
- CVE-2018-4348
- CVE-2018-4326
- CVE-2018-4310
- CVE-2018-3639
- CVE-2018-4393
- CVE-2018-4338
- CVE-2018-4322
- CVE-2018-4356
- CVE-2018-4335
- CVE-2018-4352
- CVE-2018-4329
- CVE-2018-4307
- CVE-2018-4362
- CVE-2018-4325
- CVE-2018-4311
- CVE-2018-4319
Frequently Asked Questions
What is the severity of CVE-2018-5383?
CVE-2018-5383 is characterized as having a high severity due to the potential for unauthorized access and information interception.
How do I fix CVE-2018-5383?
To fix CVE-2018-5383, update your affected devices to the latest versions provided by the vendor.
Which devices are affected by CVE-2018-5383?
CVE-2018-5383 affects various devices including certain versions of Apple iOS, Android, macOS, and tvOS.
What kind of attack does CVE-2018-5383 enable?
CVE-2018-5383 enables attackers to intercept traffic and send forged pairing messages between vulnerable Bluetooth devices.
How far can an attacker be to exploit CVE-2018-5383?
An attacker exploiting CVE-2018-5383 needs to be in physical proximity, within approximately 30 meters of the targeted devices.
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-5383
- agent/weakness
- agent/remedy
- agent/title
- agent/severity
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/source
- collector/apple-support
- agent/software-canonical-lookup-request
- collector/usn-cve
- source/Ubuntu
- agent/author
- agent/description
- agent/event
- collector/android-source
- source/Android
- agent/tags
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- agent/softwarecombine
- package-manager/debian
- vendor/apple
- canonical/tvos
- vendor/google
- canonical/android
- canonical/macos high sierra
- canonical/apple el capitan
- canonical/macos mojave
- canonical/apple ios, ipados, and watchos
- version/android/6.0
- version/android/6.0.1
- version/android/7.0
- version/android/7.1.1
- version/android/7.1.2
- version/android/8.0
- version/android/8.1
- canonical/istyle @cosme iphone os
- canonical/apple ios and macos