CVE-2019-9506

Published: 14/08/2019 Updated: 28/08/2019
CVSS v2 Base Score: 4.8 | Impact Score: 4.9 | Exploitability Score: 6.5
CVSS v3 Base Score: 8.1 | Impact Score: 5.2 | Exploitability Score: 2.8
Vector: AV:A/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Summary

A weakness in the Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) protocol core specification exposes a vulnerability that could allow for an unauthenticated, adjacent malicious user to perform a man-in-the-middle attack on an encrypted Bluetooth connection. The attack must be performed during negotiation or renegotiation of a paired device connection; existing sessions cannot be attacked. The issue could allow the malicious user to reduce the entropy of the negotiated session key that is used to secure a Bluetooth connection between a paired device and a host device. An attacker who can successfully inject a malicious message into a Bluetooth connection during session negotiation or renegotiation could cause the strength of the session key to be susceptible to brute force attack. This advisory will be updated as additional information becomes available. There are no workarounds that address this vulnerability. This advisory is available at the following link: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190813-bluetooth

Affected Products

Vendor | Product | Versions
Apple | Iphone Os | 12.4
Apple | Mac Os X | 10.12.6, 10.13.6, 10.14.5
Apple | Tvos | 12.4
Apple | Watchos | 5.3
Google | Android | -

Vendor Advisories

Impact: Important Public Date: 2019-08-13 CWE: CWE-327 Bugzilla: 1727857: CVE-2019-9506 : hardware: blu ...
A weakness in the Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) protocol core specification exposes a vulnerability that could allow for an unauthenticated, adjacent attacker to perform a man-in-the-middle attack on an encrypted Bluetooth connection. The attack must be performed during negotiation or renegotiation of a paired device connection; ...
The KNOB (Key Negotiation of Bluetooth) vulnerability exists in the encryption key negotiation process between two Bluetooth BR/EDR devices. The negotiation process is not encrypted and no authentication is performed. An unauthenticated, adjacent attacker can initiate a man-in-the-middle attack to reduce the negotiated entropy length used for secur ...
Several security issues were fixed in the Linux kernel ...

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-8-13-3 Additional information for APPLE-SA-2019-7-22-4 watchOS 5.3 watchOS 5.3 addresses the following: Bluetooth Available for: Apple Watch Series 1 and later Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-8-13-1 Additional information for APPLE-SA-2019-7-22-2 macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra address the following: AppleGraphicsControl Av ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-8-13-4 Additional information for APPLE-SA-2019-7-22-5 tvOS 12.4 tvOS 12.4 addresses the following: Bluetooth Available for: Apple TV 4K and Apple TV HD Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth - KNOB ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-8-13-2 Additional information for APPLE-SA-2019-7-22-1 iOS 12.4 iOS 12.4 addresses the following: Bluetooth Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later Impact: An attacker in a privileged network position may be able to intercept Blu ...

Github Repositories

README Repository about our Key Negotiation Of Bluetooth (KNOB) attack
CVE-2019-9506 PoC to perform the KNOB attack using internalblue v0.1

Recent Articles

The Joy of Six... critical security patches: Cisco small biz switches open to hijacking via web UI
The Register • Shaun Nichols in San Francisco • 22 Aug 2019

Plus UCS and more gear needs update: Turn it on, download these fixes, crank it up – and rip the KNOB off

Cisco has emitted a fresh round of software updates to address security holes in its network switches and controllers.
Switchzilla's latest patch bundle includes six alerts for what it rates as critical issues, including flaws in its Small Business 220 Series switches and UCS Director software. Combined with Cisco's fixes for 'high' and 'moderate' issues, the networking giant posted a total of 33 security alerts on Wednesday.
For the Small Business 220 Switches, a pair of patches add...

Cisco Patches Six Critical Bugs in UCS Gear and Switches
Threatpost • Tom Spring • 21 Aug 2019

Cisco Systems is warning of six critical vulnerabilities impacting a wide range of its products, including its Unified Computing System server line and its small business 220 Series Smart switches. In all instances of the vulnerabilities, a remote unauthenticated attacker could take over targeted hardware.
Four of the critical bugs (CVE-2019-1938, CVE-2019-1935, CVE-2019-1974 and CVE-2019-1937) impact Cisco’s Unified Computing System (UCS) components. Each has a critical-severity ratin...

Microsoft Patch Tuesday – August 2019
Symantec Threat Intelligence Blog • Ratheesh PM • 14 Aug 2019

This month the vendor has patched 93 vulnerabilities, 27 of which are rated Critical.

As always, customers are advised to follow these security best practices:


Install vendor patches as soon ...

Lenovo Warns on ThinkPad Bugs, One Unpatched
Threatpost • Tom Spring • 14 Aug 2019

Dozens of Lenovo’s flagship ThinkPad models are vulnerable to bugs ranging in severity from low to high. Two of the flaws are tied to industry-wide security bulletins, while a medium-severity flaw affects only Lenovo laptops but remains unpatched.
The most severe of the three bugs is a high-severity Bluetooth vulnerability (CVE-2019-9506) disclosed on Tuesday by Microsoft as part of its August security patch roundup. The flaw is described as an “encryption key negotiation of Bluetooth ...

Shades of BlueKeep: Wormable Remote Desktop Bugs Top August Patch Tuesday List
Threatpost • Tara Seals • 13 Aug 2019

Microsoft’s August Patch Tuesday release contains updates for 93 CVEs, including 29 that are rated critical in severity. The highest priority of these include four critical remote code-execution (RCE) vulnerabilities in Remote Desktop Services (RDS) and a critical RCE flaw in Microsoft Word.
Also, two of the RDS bugs are wormable, allowing an exploit to self-propagate from PC to PC without user interaction, thus setting the scene for a global, fast-moving infection wave. Microsoft warned...

New Bluetooth KNOB Flaw Lets Attackers Manipulate Traffic
BleepingComputer • Lawrence Abrams • 01 Jan 1970

A new Bluetooth vulnerability named "KNOB" has been disclosed that allows attackers to more easily brute force the encryption key used during pairing to monitor or manipulate the data transferred between two paired devices.
In a coordinated disclosure between Center for IT-Security, Privacy and Accountability (CISPA), ICASI, and ICASI members such as Microsoft, Apple, Intel, Cisco, and Amazon, a new vulnerability called "KNOB" has been disclosed that affects Bluetooth BR/EDR devices, ot...

New Bluetooth KNOB Flaw Lets Attackers Manipulate Connections
BleepingComputer • Lawrence Abrams • 01 Jan 1970

A new Bluetooth vulnerability named "KNOB" has been disclosed that allows attackers to more easily brute force the encryption key used during pairing to monitor or manipulate the data transferred between two paired devices.
In a coordinated disclosure between Center for IT-Security, Privacy and Accountability (CISPA), ICASI, and ICASI members such as Microsoft, Apple, Intel, Cisco, and Amazon, a new vulnerability called "KNOB" has been disclosed that affects Bluetooth BR/EDR devices, ot...