This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

[FAQ] Bluetooth Low Energy – invalid connection request (SweynTooth)

Mastermind 28775 points

Replies: 0

Views: 1277

As part of the TI Product Security Incident Response Team (PSIRT) process, we would like to notify you about the potential vulnerability of invalid connection request as mentioned part of the SweynTooth vulnerabilities.

CVEID: CVE-2019-19193

Summary

The Bluetooth Low Energy peripheral implementation in our SimpleLink™ SDK can allow reception of the connection indication packet with invalid parameters. This can allow attackers in radio range to potentially crash the device via a crafted packet resulting in a denial of service.

Potential behavior in devices using SimpleLink SDK with BLE-STACK:

When the Bluetooth Low Energy peripheral device receives an invalid connection PDU (invalid connection interval or supervision timeout parameters), a connection is attempted by the device. However, the connection does not succeed due to reception of invalid parameters. The connection fail status is indicated by the Bluetooth Low Energy stack to the application layer (bleGAPConnNotAcceptable). The “Simple Peripheral” example application that TI provides enters an idle state upon receiving the connection fail notification from the Bluetooth Low Energy stack and does not re-initiate advertisements again. This can potentially lead to a denial of service at an application level.

Potential behavior in devices using SimpleLink SDK with BLE5-STACK:

When the Bluetooth Low Energy peripheral device receives an invalid connection PDU (invalid connection interval or supervision timeout parameters), the device RF core notifies the BLE5-STACK of the invalid condition and BLE5-STACK enters a hang condition. This could leads to a denial of service at an application level.

CVSS base score: 6.8

CVSS vector: 
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Affected products

Here is the list of affected Bluetooth Low Energy SDKs:

BLE-STACK

  • CC2640R2 SDK, BLE-STACK (SDK v3.30.00.20 and prior versions)
  • CC25x0 BLE-STACK (BLE-STACK 1.5.0 and prior versions)
  • CC1350 SDK, BLE-STACK (SDK v3.20.xx and prior versions)
  • CC26x0 BLE-STACK (BLE-STACK v2.2.3 and prior versions)

BLE5-STACK

  • CC2640R2 SDK, BLE5-STACK (SDK v3.30.00.20 and prior versions)
  • CC13X2-26X2-SDK BLE5-STACK (SDK v3.40.00.02 and prior versions)

Impacted features

The potential vulnerability can impact Bluetooth Low Energy devices running affected SDK versions that have configured the devices as a Bluetooth Low Energy peripheral and enabled connectable advertisements.

Suggested mitigations

The following service-pack release addresses the potential vulnerability:

Affected SDK

SDK version with mitigations

SDK releases with mitigations

CC2640R2 SDK BLE-STACK

SDK v3.40.00.10  http://software-dl.ti.com/simplelink/esd/simplelink_cc2640r2_sdk/3.40.00.10/exports/release_notes_simplelink_cc2640r2_sdk_3_40_00_10.html

10-Jan-2020

CC2640R2 SDK BLE5-STACK

SDK v4.10.xx

Released planned for early April 2020 or before. [1]

CC13X2-26X2-SDK, BLE5-STACK

SDK v4.10.xx

Release planned for early April 2020 or before. [1]

BLE-STACK (support for CC2540/CC2541)

v1.5.1  http://www.ti.com/tool/BLE-STACK

07-Feb-2020 

CC13x0 SDK, BLE-STACK

SDK v4.10.xx at http://www.ti.com/tool/SIMPLELINK-CC13X0-SDK

Release planned for early April 2020 or before. [1]

BLE-STACK (support for CC2640/CC2650)

BLE-STACK v2.2.4 at http://www.ti.com/tool/BLE-STACK

16-Mar-2020  

[1] Consider subscribing to “Alert Me” at the corresponding SDK download links to be notified of the new SDK releases.

External references

Disclaimer

TI PROVIDES THIS INFORMATION, INCLUDING THE CVSS (COMMON VULNERABILITY SCORING SYSTEM) SCORE, “AS IS” AND WITH ALL FAULTS, AND DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS. THE CVSS SCORE WAS CALCULATED WITH THE CVSS 3.0 CALCULATOR AND IS BASED ON TI AVAILABLE INFORMATION AND TI ESTIMATES.

This resource is intended for skilled developers designing with TI products. You are solely responsible for (1) selecting the appropriate TI products for your application, (2) designing, validating and testing your application, and (3) ensuring your application meets applicable standards, and any other safety, security, or other requirements. This resource is subject to change without notice. TI grants you permission to use this resource only for development of an application that uses the TI products described in the resource. Other reproduction and display of these resources is prohibited. No license is granted to any other TI intellectual property right or to any third party intellectual property right. TI disclaims responsibility for, and you will fully indemnify TI and its representatives against, any claims, damages, costs, losses, and liabilities arising out of your use of these resources.

TI’s products are provided subject to TI’s Terms of Sale (www.ti.com/legal/termsofsale.html) or other applicable terms available either on ti.com or provided in conjunction with such TI products. TI’s provision of this resource does not expand or otherwise alter TI’s applicable warranties or warranty disclaimers for TI products.

Regards,

Evan Wakefield

Please click the "This Resolved My Issue" button on this post if it answers your question