
CVE-2020-26560

Published: 24/05/2021 Updated: 03/06/2021
CVSS v2 Base Score: 4.8 | Impact Score: 4.9 | Exploitability Score: 6.5
CVSS v3 Base Score: 8.1 | Impact Score: 5.2 | Exploitability Score: 2.8
VMScore: 428
Vector: AV:A/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Summary

An impersonation attack vulnerability was found in the Linux kernel’s Bluetooth Mesh Profile implementation. The Mesh Provisioning procedure has a flaw that allows an attacker without knowledge of the AuthValue to spoof a provisioned device and use crafted responses that appear to possess the AuthValue. This issue permits a malicious user to be issued a valid NetKey and potentially an AppKey. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Vulnerable Product

bluetooth mesh profile 1.0.0

bluetooth mesh profile 1.0.1

Vendor Advisories

Debian Bug report logs - #1006406 BlueMirror mesh attacks - CVE-2020-26556, CVE-2020-26557, CVE-2020-26559, CVE-2020-26560 Package: src:bluez; Maintainer for src:bluez is Debian Bluetooth Maintainers <team+pkg-bluetooth@tracker.debian.org>; Reported by: Ben Hutchings <ben@decadent.org.uk> Date: Fri, 25 Feb 2022 02:30: ...
An impersonation attack vulnerability was found in the Linux kernel’s Bluetooth Mesh Profile implementation. The Mesh Provisioning procedure has a flaw that allows an attacker without knowledge of the AuthValue to spoof a provisioned device and use crafted responses that appear to possess the AuthValue. This issue permits an attacker to b ...
Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey ...