We use cookies and similar technologies (also from third parties) to collect your device and browser information for a better understanding on how you use our online offerings. This enables us to optimize and personalize your experience with Infineon and to provide you with additional services and information based on your individual profile. Details are available in our privacy policy.
Privacy Policyand Imprint
View and change cookie settings
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

Bluetooth SDK

ToKo_4602001
Level 4
50 sign-ins 25 replies posted 25 sign-ins
Level 4
‎May 23, 2021 05:30 PM

CYW20819 SDK2.9 Security

Jump to solution

Bluetooth SIG has announced some security notices on the following URL.

https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security...

Please let me know if CYW20819 has the issue related to CVE-2020-26555 and CVE-2020-26558  or not.

If yes, I'd like to get the patches or workaround.

 

Thanks

0 Likes
1 Solution
DheerajPK_41
Moderator
Moderator 750 replies posted 500 likes received 500 replies posted
Moderator
‎Jun 18, 2021 12:41 AM

Re: CYW20819 SDK2.9 Security

Jump to solution

Hi,

Regarding CVE-2020-26555, The suggestion from the SIG is,
"The Bluetooth SIG is recommending that potentially vulnerable devices not initiate or accept connections from remote devices claiming the same BD_ADDR as the local device. The Bluetooth SIG continues to recommend that devices use Secure Simple Pairing or BR/EDR Secure Connections to avoid known vulnerabilities with legacy BR/EDR pairing."

So here, customers can implement the logic in their applications to reject the legacy pairing PIN request when it found the remote BD Address is the same as local. 

 

Thanks,

-Dheeraj

View solution in original post

0 Likes
7 Replies
DheerajPK_41
Moderator
Moderator 750 replies posted 500 likes received 500 replies posted
Moderator
‎May 25, 2021 02:42 AM

Re: CYW20819 SDK2.9 Security

Jump to solution

Hi,

We will check internally and get back to you.

Thanks,

-Dheeraj

0 Likes
ToKo_4602001
Level 4
50 sign-ins 25 replies posted 25 sign-ins
Level 4
‎Jun 04, 2021 01:34 AM

Re: CYW20819 SDK2.9 Security

Jump to solution

Can I have some update?

0 Likes
ToKo_4602001
Level 4
50 sign-ins 25 replies posted 25 sign-ins
Level 4
‎Jun 13, 2021 09:10 PM

Re: CYW20819 SDK2.9 Security

Jump to solution

I need the information about whether CYW20819 has these vulnerabilities or not, and if yes how to fix it.

Do you have an estimated time-frame of when you expect to get these information?

 

Regards

0 Likes
DheerajPK_41
Moderator
Moderator 750 replies posted 500 likes received 500 replies posted
Moderator
‎Jun 18, 2021 12:41 AM

Re: CYW20819 SDK2.9 Security

Jump to solution

Hi,

Regarding CVE-2020-26555, The suggestion from the SIG is,
"The Bluetooth SIG is recommending that potentially vulnerable devices not initiate or accept connections from remote devices claiming the same BD_ADDR as the local device. The Bluetooth SIG continues to recommend that devices use Secure Simple Pairing or BR/EDR Secure Connections to avoid known vulnerabilities with legacy BR/EDR pairing."

So here, customers can implement the logic in their applications to reject the legacy pairing PIN request when it found the remote BD Address is the same as local. 

 

Thanks,

-Dheeraj

0 Likes
ToKo_4602001
Level 4
50 sign-ins 25 replies posted 25 sign-ins
Level 4
‎Jun 18, 2021 12:54 AM

Re: CYW20819 SDK2.9 Security

Jump to solution

Please let me know about CVE-2020-26558 too.

Thanks

0 Likes
ToKo_4602001
Level 4
50 sign-ins 25 replies posted 25 sign-ins
Level 4
‎Jun 21, 2021 09:09 PM

Re: CYW20819 SDK2.9 Security

Jump to solution

Could you tell us about the current status?

0 Likes
DheerajPK_41
Moderator
Moderator 750 replies posted 500 likes received 500 replies posted
Moderator
‎Jun 24, 2021 03:29 AM

Re: CYW20819 SDK2.9 Security

Jump to solution

Hi,

Regarding CVE-2020-26558.
The fix should be done in both the host and controller and it is partially completed and released in the latest SDK. The complete fix for the vulnerability will be available in the upcoming BTSDK released by July End.

Thanks,
-Dheeraj

0 Likes