Countermeasure to CVE-2022-25836 / CYW20706

Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

cross mob
HiNa_2357246
Level 5
Level 5
Distributor - Macnica (Japan)
5 likes given 50 replies posted First like given

Hello,

There seems to be no community Blog posts about CVE-2022-25836 but would enabling "LE Secure Connections only" should suffice to counter this vulnerability?

 

Regards,

0 Likes
1 Solution
advait_kulkarni
Moderator
Moderator
Moderator
25 likes received 250 sign-ins 100 solutions authored

Hi @HiNa_2357246 ,

This CVE does not affect our products. You can search on our community for "CVE" or "Security Bulletin" and you will see the CVEs we have fixed in our products, for example: https://community.infineon.com/t5/Blogs/Security-Bulletin-Public-Statement-on-Bluetooth-SIG-Member-S...  If any CVE is not found there then its probably because they do not affect our products.

For your case, LE secure with MITM authenticated pairing is to prevent this vulnerability. You need to set these capabilities in the BTM_PAIRING_IO_CAPABILITIES_BLE_REQUEST_EVT.

Thanks and regards,

Advait Kulkarni

View solution in original post

0 Likes
2 Replies
wasu
Level 4
Level 4
Distributor - Macnica (Japan)
First like received 10 solutions authored 100 sign-ins
 
"LE Secure Connections only" together with "authenticated pairing" will prevent this issue.
 
"LE Secure Connections only" will encrypt data to protect against eavesdroppings.
 
"authenticated pairing" will protect against MITM attacks.
 
0 Likes
advait_kulkarni
Moderator
Moderator
Moderator
25 likes received 250 sign-ins 100 solutions authored

Hi @HiNa_2357246 ,

This CVE does not affect our products. You can search on our community for "CVE" or "Security Bulletin" and you will see the CVEs we have fixed in our products, for example: https://community.infineon.com/t5/Blogs/Security-Bulletin-Public-Statement-on-Bluetooth-SIG-Member-S...  If any CVE is not found there then its probably because they do not affect our products.

For your case, LE secure with MITM authenticated pairing is to prevent this vulnerability. You need to set these capabilities in the BTM_PAIRING_IO_CAPABILITIES_BLE_REQUEST_EVT.

Thanks and regards,

Advait Kulkarni

0 Likes