This thread has been locked.


[FAQ] CC2564C: CC256x and WL18xx Bluetooth Low Energy - LE scan vulnerability


Part Number: CC2564C

CVEID: CVE-2019-15948

Summary

A potential security vulnerability has been identified in TI CC256x and WL18xx dual-mode Bluetooth controller devices. If Bluetooth Low Energy and the LE scan feature are in use, attackers may be able to trigger a buffer overflow via a malformed Bluetooth Low Energy advertising packet, causing a denial of service or potentially executing arbitrary code.

See below for additional information and suggested mitigation.

CVSS base score: 7.6

CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H)

Affected products

  • CC256XC-BT-SP (v1.2 or earlier)
  • CC256XB-BT-SP (v1.8 or earlier)
  • WL18XX-BT-SP (v4.4 or earlier)

Note: The TI CC26xx, CC13xx and CC254x Bluetooth Low Energy wireless MCUs are not affected by this vulnerability.

Impacted features

This potential vulnerability is only exploitable if one of the affected devices mentioned above is configured so that (1) the Bluetooth Low Energy feature is in use, and (2) LE scan (observer) is enabled in Bluetooth Low Energy. If Bluetooth Low Energy is disabled, or is configured in the broadcaster/advertiser role or in the peripheral role with no scan enabled, the exploit is not possible.

 

Suggested fixes

The following service-pack releases address the vulnerability described in CVE-2019-15948.

*Note: For information on CC256XB, or other TI dual-mode Bluetooth devices that are not listed above, please contact ti_bt_errata@list.ti.com.

Source

TI would like to thank Veronica Kovah, from Dark Mentor LLC, for reporting this vulnerability to TI PSIRT and working toward a coordinated disclosure.

 

 

Disclaimer

TI PROVIDES THE CVSS (COMMON VULNERABILITY SCORING SYSTEM) SCORE “AS IS” AND WITHOUT WARRANTY OF ANY KIND. THE CVSS SCORE WAS CALCULATED WITH THE CVSS 3.0 CALCULATOR AND IS BASED ON TI AVAILABLE INFORMATION AND TI ESTIMATES. CUSTOMERS OF AFFECTED PRODUCTS ARE SOLELY RESPONSIBLE FOR THE SECURITY OF THEIR PRODUCTS AND ARE ENCOURAGED TO ASSESS THE POSSIBLE RISK OF ANY POTENTIAL SECURITY VULNERABILITY.
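A triage check built from the "Affected products" and "Impacted features" sections above, as an added example that is not part of the original advisory and is not TI code. The `Device` record, its field names and the sample inventory are constructed, and the code assumes service-pack versions are numeric `major.minor` strings.

```python
import re
from dataclasses import dataclass

# Last affected service-pack version per product, from "Affected products".
LAST_AFFECTED = {
    "CC256XC-BT-SP": (1, 2),
    "CC256XB-BT-SP": (1, 8),
    "WL18XX-BT-SP": (4, 4),
}

@dataclass
class Device:                 # hypothetical inventory record
    name: str
    service_pack: str         # e.g. "WL18XX-BT-SP"
    version: str              # e.g. "v4.4"
    ble_enabled: bool
    le_scan_enabled: bool     # LE scan (observer) used by the host stack

def parse_version(text):
    """Turn 'v1.10' into (1, 10) so that 1.10 sorts after 1.8."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(dev):
    limit = LAST_AFFECTED.get(dev.service_pack.strip().upper())
    if limit is None:
        return "not-listed"                # not in the advisory's affected list
    try:
        version = parse_version(dev.version)
    except ValueError:
        return "unknown-version"           # needs a manual check
    if version > limit:
        return "patched"
    if dev.ble_enabled and dev.le_scan_enabled:
        return "exposed"                   # both "Impacted features" conditions hold
    return "affected-not-exploitable"      # affected firmware, conditions not met

# Constructed sample inventory, not data from the advisory.
INVENTORY = [
    Device("gateway-01", "CC256XC-BT-SP", "v1.2", True, True),
    Device("gateway-02", "CC256XB-BT-SP", "v1.10", True, True),
    Device("beacon-07", "WL18XX-BT-SP", "4.4", True, False),
    Device("sensor-03", "EXAMPLE-BT-SP", "v3.0", True, True),
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d.name:12} {d.service_pack:14} {d.version:6} -> {triage(d)}")
```

Comparing versions as integer tuples rather than strings keeps a release such as the constructed `v1.10` from being sorted below `v1.8` and wrongly flagged as affected.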
