CVE-2020-15802 Information

Description

Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated user to establish a bonding with one transport, either LE or BR/EDR, and replace a bonding already established on the opposing transport, BR/EDR or LE, potentially overwriting an authenticated key with an unauthenticated key, or a key with greater entropy with one with less.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

https://gizmodo.com/bluetooth-unveils-its-latest-security-issue-with-no-se-1845013709

https://www.kb.cert.org/vuls/id/589825

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

5.9

Base Severity

MEDIUM
