First published: Mon May 24 2021
Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner’s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bluetooth Mesh profile | =1.0.0 | |
| Bluetooth Mesh profile | =1.0.1 | |
CVE-2020-26559 is a vulnerability in the Bluetooth Mesh profile 1.0 and 1.0.1 that allows a nearby device participating in the provisioning protocol to identify the AuthValue used given the Provisioner’s public key, confirmation number, and nonce.
CVE-2020-26559 has a severity score of 8.8 (high).
CVE-2020-26559 allows an attacker in proximity to identify the AuthValue used in the provisioning protocol of the Bluetooth Mesh profile 1.0 and 1.0.1.
There is currently no known fix or patch available for CVE-2020-26559. It is recommended to stay updated with the latest information from the vendor and follow any mitigation steps they provide.
You can find more information about CVE-2020-26559 at the following references: [CERT VULS ID 799380](https://kb.cert.org/vuls/id/799380) and [Bluetooth Security - Reporting Security](https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/).