What is the severity of CVE-2024-1638?

CVE-2024-1638 is classified as a medium severity vulnerability.

How do I fix CVE-2024-1638?

To fix CVE-2024-1638, upgrade to a version of Zephyr Project Manager that is higher than 3.5.0.

What systems are affected by CVE-2024-1638?

CVE-2024-1638 affects versions of the Zephyr Project up to and including 3.5.0.

What does CVE-2024-1638 involve?

CVE-2024-1638 involves improper handling of attribute read/write permissions for Bluetooth characteristics using LE Secure Connections.

Is CVE-2024-1638 related to Bluetooth security?

Yes, CVE-2024-1638 specifically concerns security implications in Bluetooth characteristic permissions.

Vulnerability/
CVE-2024-1638

critical

9.1

CWE

19/2/2024

17/1/2025

CVE-2024-1638: Bluetooth characteristic LESC security requirement not enforced without additional flags

First published: Mon Feb 19 2024(Updated: )

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characteristic: Attribute read/write permission with LE Secure Connection encryption. If set, requires that LE Secure Connections is used for read/write access, however this is only true when it is combined with other permissions, namely BT_GATT_PERM_READ_ENCRYPT/BT_GATT_PERM_READ_AUTHEN (for read) or BT_GATT_PERM_WRITE_ENCRYPT/BT_GATT_PERM_WRITE_AUTHEN (for write), if these additional permissions are not set (even in secure connections only mode) then the stack does not perform any permission checks on these characteristics and they can be freely written/read.

Credit: vulnerabilities@zephyrproject.org

Affected Software	Affected Version	How to fix
Zephyr Project Manager	<=3.5.0

Never miss a vulnerability like this again

Reference Links

https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p6f3-f63q-5mc2

Frequently Asked Questions

What is the severity of CVE-2024-1638?
CVE-2024-1638 is classified as a medium severity vulnerability.
How do I fix CVE-2024-1638?
To fix CVE-2024-1638, upgrade to a version of Zephyr Project Manager that is higher than 3.5.0.
What systems are affected by CVE-2024-1638?
CVE-2024-1638 affects versions of the Zephyr Project up to and including 3.5.0.
What does CVE-2024-1638 involve?
CVE-2024-1638 involves improper handling of attribute read/write permissions for Bluetooth characteristics using LE Secure Connections.
Is CVE-2024-1638 related to Bluetooth security?
Yes, CVE-2024-1638 specifically concerns security implications in Bluetooth characteristic permissions.

agent/title
agent/references
agent/type
agent/description
agent/weakness
agent/first-publish-date
agent/author
agent/event
collector/mitre-cve
source/MITRE
agent/severity
agent/last-modified-date
agent/softwarecombine
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/zephyrproject
canonical/zephyr project manager
version/zephyr project manager/3.5.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.