
Bluetooth SDK

ToKo_4602001
New Contributor II

Bluetooth SIG has announced some security notices on the following URL.

https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security...

Please let me know whether CYW20819 has the issues related to CVE-2020-26555 and CVE-2020-26558 or not.

If yes, I'd like to get the patches or workaround.

 

Thanks

0 Likes
1 Solution
DheerajPK_41
Moderator

Hi,

Regarding CVE-2020-26555, the suggestion from the SIG is:
"The Bluetooth SIG is recommending that potentially vulnerable devices not initiate or accept connections from remote devices claiming the same BD_ADDR as the local device. The Bluetooth SIG continues to recommend that devices use Secure Simple Pairing or BR/EDR Secure Connections to avoid known vulnerabilities with legacy BR/EDR pairing."

So here, customers can implement the logic in their applications to reject the legacy pairing PIN request when they find that the remote BD address is the same as the local one.

 

Thanks,

-Dheeraj


0 Likes
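The check the moderator describes, written out as an added illustration that is not part of the original thread and not code from the Cypress/Infineon BTSDK: a stand-alone C policy helper that parses two BD_ADDR strings, compares the raw 6-byte addresses, and rejects a legacy pairing (or connection) request when the remote device claims the local device's own address, as the SIG recommendation says. The function names, the `pairing_decision_t` enum and the sample addresses are constructed for this example; how the decision is wired into the SDK's management callback is left to the application, as the answer states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BD_ADDR_LEN 6
typedef uint8_t bd_addr_t[BD_ADDR_LEN];

/* Decision handed back to the application's pairing/connection handling.
 * Hypothetical names for this example; not part of the BTSDK API. */
typedef enum {
    PAIRING_PARSE_ERROR = -1,    /* malformed address text: treat as reject */
    PAIRING_ACCEPT = 0,
    PAIRING_REJECT_SELF_ADDR = 1 /* remote claims our own BD_ADDR */
} pairing_decision_t;

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "AA:BB:CC:DD:EE:FF" (either case) into 6 bytes. Any malformed input
 * returns false, so a bad address can never slip through as "different". */
static bool bd_addr_parse(const char *text, bd_addr_t out)
{
    if (text == NULL || strlen(text) != 17)
        return false;
    for (int i = 0; i < BD_ADDR_LEN; i++) {
        int hi = hex_nibble(text[i * 3]);
        int lo = hex_nibble(text[i * 3 + 1]);
        if (hi < 0 || lo < 0)
            return false;
        if (i < BD_ADDR_LEN - 1 && text[i * 3 + 2] != ':')
            return false;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return true;
}

/* True when the remote device presents exactly the local device's address;
 * the comparison is on the raw bytes, so text case cannot defeat it. */
static bool bd_addr_is_self(const bd_addr_t local, const bd_addr_t remote)
{
    return memcmp(local, remote, BD_ADDR_LEN) == 0;
}

/* The SIG recommendation as a policy function: a connection or legacy PIN
 * request from a peer claiming the local BD_ADDR is refused. */
static pairing_decision_t pairing_policy(const bd_addr_t local, const bd_addr_t remote)
{
    return bd_addr_is_self(local, remote) ? PAIRING_REJECT_SELF_ADDR : PAIRING_ACCEPT;
}

/* Convenience wrapper over textual addresses, as they appear in most logs. */
static pairing_decision_t pairing_policy_str(const char *local, const char *remote)
{
    bd_addr_t l, r;
    if (!bd_addr_parse(local, l) || !bd_addr_parse(remote, r))
        return PAIRING_PARSE_ERROR;
    return pairing_policy(l, r);
}

int main(void)
{
    /* Constructed sample addresses for the demo; not real devices. */
    const char *local = "00:A0:50:11:22:33";
    const char *peers[] = { "00:a0:50:11:22:33", "00:A0:50:11:22:34" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        pairing_decision_t d = pairing_policy_str(local, peers[i]);
        printf("peer %s -> %s\n", peers[i],
               d == PAIRING_ACCEPT ? "accept" : "reject (claims local BD_ADDR)");
    }
    return 0;
}
```

The policy is applied at the point where the remote address is first known, so it covers both the incoming connection and the PIN request; a parse failure is deliberately mapped to a reject rather than an accept, and the byte-level compare means the check cannot be bypassed by presenting the same address in different hex case.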
7 Replies
DheerajPK_41
Moderator

Hi,

We will check internally and get back to you.

Thanks,

-Dheeraj

0 Likes
ToKo_4602001
New Contributor II

Can I have some update?

0 Likes
ToKo_4602001
New Contributor II

I need the information about whether CYW20819 has these vulnerabilities or not, and if yes how to fix it.

Do you have an estimated time-frame for when you expect to get this information?

 

Regards

0 Likes
ToKo_4602001
New Contributor II

Please let me know about CVE-2020-26558 too.

Thanks

0 Likes
ToKo_4602001
New Contributor II

Could you tell us about the current status?

0 Likes
DheerajPK_41
Moderator

Hi,

Regarding CVE-2020-26558:
The fix should be done in both the host and the controller. It is partially completed and released in the latest SDK. The complete fix for the vulnerability will be available in the upcoming BTSDK, released by the end of July.

Thanks,
-Dheeraj

0 Likes