Bluetooth Low Energy Vulnerability in Cypress PSoC Creator BLE Component
CVE-2020-11957

7.5 HIGH

Key Information:

Vendor: Cypress
CVE Published: 9 June 2020

What is CVE-2020-11957?

The Bluetooth Low Energy implementation in the Cypress PSoC Creator BLE 4.2 component, in versions prior to 3.64, does not generate sufficiently random numbers during the pairing process. The resulting Pairing Random has far less entropy than the 128 bits required for secure Bluetooth communications. Both authenticated and unauthenticated pairing, whether using LE Secure Connections or LE Legacy Pairing, are therefore susceptible to exploitation. An attacker within radio range could leverage this vulnerability to execute a man-in-the-middle (MITM) attack, intercepting and potentially altering communication during the pairing process.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
