CYW20819 SDK2.9 Security

ToKo_4602001

The Bluetooth SIG has published some security notices at the following URL.

https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security...

Please let me know whether or not CYW20819 has the issues related to CVE-2020-26555 and CVE-2020-26558.

If yes, I'd like to get the patches or a workaround.

Thanks

DheerajPK_41
Moderator

Hi,

We will check internally and get back to you.

Thanks,

-Dheeraj

ToKo_4602001

Can I have an update?

ToKo_4602001

I need the information about whether CYW20819 has these vulnerabilities or not, and if yes, how to fix them.

Do you have an estimated time frame for when you expect to get this information?

Regards

DheerajPK_41
Moderator

Hi,

Regarding CVE-2020-26555, the suggestion from the SIG is:
"The Bluetooth SIG is recommending that potentially vulnerable devices not initiate or accept connections from remote devices claiming the same BD_ADDR as the local device. The Bluetooth SIG continues to recommend that devices use Secure Simple Pairing or BR/EDR Secure Connections to avoid known vulnerabilities with legacy BR/EDR pairing."

So here, customers can implement the logic in their applications to reject the legacy pairing PIN request when the remote BD address is found to be the same as the local one.

Thanks,

-Dheeraj
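
The check described in the reply above, as an added example (not part of the original post and not BTSDK code). The types, event kinds and function names are hypothetical stand-ins for the application's connection and PIN-request handlers, the addresses are constructed, and rejecting while the local address is still unknown is an assumption of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BD_ADDR_LEN 6

/* Hypothetical event kinds; map these to your stack's connection and PIN-request events. */
typedef enum { EVT_CONN_REQUEST = 0, EVT_LEGACY_PIN_REQUEST = 1, EVT_KINDS = 2 } evt_type_t;
typedef enum { DECISION_ACCEPT, DECISION_REJECT } decision_t;

typedef struct {
    uint8_t  local_addr[BD_ADDR_LEN];
    bool     local_addr_valid;             /* true once the local BD_ADDR has been read */
    unsigned self_addr_rejects[EVT_KINDS]; /* per-event counters for logging */
} pairing_guard_t;

void guard_set_local_addr(pairing_guard_t *g, const uint8_t addr[BD_ADDR_LEN]) {
    memcpy(g->local_addr, addr, BD_ADDR_LEN);
    g->local_addr_valid = true;
}

/* Reject any peer that claims the local BD_ADDR; accept otherwise. */
decision_t guard_check(pairing_guard_t *g, evt_type_t evt, const uint8_t remote[BD_ADDR_LEN]) {
    if (!g->local_addr_valid)
        return DECISION_REJECT; /* assumption: fail closed when no comparison is possible */
    if (memcmp(g->local_addr, remote, BD_ADDR_LEN) == 0) {
        g->self_addr_rejects[evt]++;
        return DECISION_REJECT;
    }
    return DECISION_ACCEPT;
}

/* Runs four constructed events through the guard and returns how many were rejected. */
unsigned demo_reject_count(void) {
    static const uint8_t local[BD_ADDR_LEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}; /* constructed */
    static const uint8_t peer[BD_ADDR_LEN]  = {0x00, 0x11, 0x22, 0x33, 0x44, 0x56}; /* constructed */
    pairing_guard_t g = {0};
    unsigned rejected = 0;
    rejected += guard_check(&g, EVT_LEGACY_PIN_REQUEST, peer) == DECISION_REJECT;  /* local address unknown */
    guard_set_local_addr(&g, local);
    rejected += guard_check(&g, EVT_LEGACY_PIN_REQUEST, peer) == DECISION_REJECT;  /* distinct peer */
    rejected += guard_check(&g, EVT_CONN_REQUEST, local) == DECISION_REJECT;       /* claims our address */
    rejected += guard_check(&g, EVT_LEGACY_PIN_REQUEST, local) == DECISION_REJECT; /* claims our address */
    return rejected;
}

int main(void) {
    return demo_reject_count() == 3 ? 0 : 1;
}
```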

ToKo_4602001

Please let me know about CVE-2020-26558 too.

Thanks

ToKo_4602001

Could you tell us about the current status?

DheerajPK_41
Moderator

Hi,

Regarding CVE-2020-26558:
The fix should be made in both the host and the controller. It is partially completed and released in the latest SDK. The complete fix for the vulnerability will be available in the upcoming BTSDK, to be released by the end of July.

Thanks,
-Dheeraj
