CVE-2020-16630 - Vulnerability Details

Vendors	Products
Ti	15.4-stack Ble5-stack Dynamic Multi-protocal Manager Easylink Openthread Real-time Operating System Z-stack

Link	Providers
http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html
https://www.usenix.org/system/files/sec20-zhang-yue.pdf

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "TI\u2019s BLE stack caches and reuses the LTK\u2019s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Comparison or OOB. Assume that a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generate an authenticated-and-MITM-protection LTK. If a fake mobile with the victim mobile\u2019s MAC address uses Just Works and pairs with the victim device, the generated LTK still has the property of authenticated-and-MITM-protection. Therefore, the fake mobile can access attributes with the authenticated read/write permission."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-20T19:20:50", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.usenix.org/system/files/sec20-zhang-yue.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-16630", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "TI\u2019s BLE stack caches and reuses the LTK\u2019s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Comparison or OOB. Assume that a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generate an authenticated-and-MITM-protection LTK. If a fake mobile with the victim mobile\u2019s MAC address uses Just Works and pairs with the victim device, the generated LTK still has the property of authenticated-and-MITM-protection. Therefore, the fake mobile can access attributes with the authenticated read/write permission."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html", "refsource": "MISC", "url": "http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html"}, {"name": "https://www.usenix.org/system/files/sec20-zhang-yue.pdf", "refsource": "MISC", "url": "https://www.usenix.org/system/files/sec20-zhang-yue.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:45:33.225Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.usenix.org/system/files/sec20-zhang-yue.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-16630", "datePublished": "2021-09-20T19:20:50", "dateReserved": "2020-08-04T00:00:00", "dateUpdated": "2024-08-04T13:45:33.225Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : n/a (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : TI’s BLE stack caches and reuses the LTK’s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Comparison or OOB. Assume that a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generate an authenticated-and-MITM-protection LTK. If a fake mobile with the victim mobile’s MAC address uses Just Works and pairs with the victim device, the generated LTK still has the property of authenticated-and-MITM-protection. Therefore, the fake mobile can access attributes with the authenticated read/write permission. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : n/a (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2021-09-20T19:20:50 (string)

orgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

shortName : mitre (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://www.usenix.org/system/files/sec20-zhang-yue.pdf (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : cve@mitre.org (string)

ID : CVE-2020-16630 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : n/a (string)

version : { »

version_data : [ »

0 : { »

version_value : n/a (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : TI’s BLE stack caches and reuses the LTK’s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Comparison or OOB. Assume that a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generate an authenticated-and-MITM-protection LTK. If a fake mobile with the victim mobile’s MAC address uses Just Works and pairs with the victim device, the generated LTK still has the property of authenticated-and-MITM-protection. Therefore, the fake mobile can access attributes with the authenticated read/write permission. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : n/a (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html (string)

refsource : MISC (string)

url : http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html (string)

}

1 : { »

name : https://www.usenix.org/system/files/sec20-zhang-yue.pdf (string)

refsource : MISC (string)

url : https://www.usenix.org/system/files/sec20-zhang-yue.pdf (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-04T13:45:33.225Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://www.usenix.org/system/files/sec20-zhang-yue.pdf (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

assignerShortName : mitre (string)

cveId : CVE-2020-16630 (string)

datePublished : 2021-09-20T19:20:50 (string)

dateReserved : 2020-08-04T00:00:00 (string)

dateUpdated : 2024-08-04T13:45:33.225Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ti:15.4-stack:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2973A2C-67E6-4064-A2A9-E4122E201DDF", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:ble5-stack:-:*:*:*:*:*:*:*", "matchCriteriaId": "0E161F37-86D3-4558-91B4-086528A351AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:dynamic_multi-protocal_manager:-:*:*:*:*:*:*:*", "matchCriteriaId": "F9951BB2-E930-4C92-B673-501591679002", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:easylink:-:*:*:*:*:*:*:*", "matchCriteriaId": "74934E63-1140-4F9B-BC05-3739E62B9DE4", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:openthread:-:*:*:*:*:*:*:*", "matchCriteriaId": "B3586ABB-3E4A-4BAD-B9F4-5EB6775AFEF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:ti:z-stack:-:*:*:*:*:*:*:*", "matchCriteriaId": "BA516494-4D9A-4275-A7BA-A82699625477", "vulnerable": true}, {"criteria": "cpe:2.3:o:ti:real-time_operating_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "E289611E-871B-433E-BF10-CDABF650AAC9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "TI\u2019s BLE stack caches and reuses the LTK\u2019s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Comparison or OOB. Assume that a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generate an authenticated-and-MITM-protection LTK. If a fake mobile with the victim mobile\u2019s MAC address uses Just Works and pairs with the victim device, the generated LTK still has the property of authenticated-and-MITM-protection. Therefore, the fake mobile can access attributes with the authenticated read/write permission."}, {"lang": "es", "value": "La pila BLE de TI almacena en cach\u00e9 y reusa la propiedad del LTK para un m\u00f3vil vinculado. Una LTK puede ser una clave no autenticada y sin protecci\u00f3n MITM creada por Just Works o una clave autenticada y con protecci\u00f3n MITM creada por Passkey Entry, Numeric Comparison u OOB. Supongamos que un m\u00f3vil v\u00edctima usa el emparejamiento seguro para emparejarse con un dispositivo BLE v\u00edctima basado en chips TI y genera una LTK autenticada y de protecci\u00f3n MITM. Si un m\u00f3vil falso con la direcci\u00f3n MAC del m\u00f3vil v\u00edctima usa Just Works y se empareja con el dispositivo v\u00edctima, el LTK generado sigue teniendo la propiedad de autenticaci\u00f3n y protecci\u00f3n MITM. Por lo tanto, el m\u00f3vil falso puede acceder a los atributos con el permiso de lectura/escritura autenticado"}], "id": "CVE-2020-16630", "lastModified": "2024-11-21T05:07:11.853", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 5.5, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-20T20:15:11.337", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.usenix.org/system/files/sec20-zhang-yue.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.usenix.org/system/files/sec20-zhang-yue.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:ti:15.4-stack:-:*:*:*:*:*:*:* (string)

matchCriteriaId : F2973A2C-67E6-4064-A2A9-E4122E201DDF (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:ti:ble5-stack:-:*:*:*:*:*:*:* (string)

matchCriteriaId : 0E161F37-86D3-4558-91B4-086528A351AA (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:ti:dynamic_multi-protocal_manager:-:*:*:*:*:*:*:* (string)

matchCriteriaId : F9951BB2-E930-4C92-B673-501591679002 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:ti:easylink:-:*:*:*:*:*:*:* (string)

matchCriteriaId : 74934E63-1140-4F9B-BC05-3739E62B9DE4 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:ti:openthread:-:*:*:*:*:*:*:* (string)

matchCriteriaId : B3586ABB-3E4A-4BAD-B9F4-5EB6775AFEF3 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:ti:z-stack:-:*:*:*:*:*:*:* (string)

matchCriteriaId : BA516494-4D9A-4275-A7BA-A82699625477 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:o:ti:real-time_operating_system:-:*:*:*:*:*:*:* (string)

matchCriteriaId : E289611E-871B-433E-BF10-CDABF650AAC9 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : TI’s BLE stack caches and reuses the LTK’s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Comparison or OOB. Assume that a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generate an authenticated-and-MITM-protection LTK. If a fake mobile with the victim mobile’s MAC address uses Just Works and pairs with the victim device, the generated LTK still has the property of authenticated-and-MITM-protection. Therefore, the fake mobile can access attributes with the authenticated read/write permission. (string)

}

1 : { »

lang : es (string)

value : La pila BLE de TI almacena en caché y reusa la propiedad del LTK para un móvil vinculado. Una LTK puede ser una clave no autenticada y sin protección MITM creada por Just Works o una clave autenticada y con protección MITM creada por Passkey Entry, Numeric Comparison u OOB. Supongamos que un móvil víctima usa el emparejamiento seguro para emparejarse con un dispositivo BLE víctima basado en chips TI y genera una LTK autenticada y de protección MITM. Si un móvil falso con la dirección MAC del móvil víctima usa Just Works y se empareja con el dispositivo víctima, el LTK generado sigue teniendo la propiedad de autenticación y protección MITM. Por lo tanto, el móvil falso puede acceder a los atributos con el permiso de lectura/escritura autenticado (string)

}

]

id : CVE-2020-16630 (string)

lastModified : 2024-11-21T05:07:11.853 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : ADJACENT_NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 4.3 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : PARTIAL (string)

vectorString : AV:A/AC:M/Au:N/C:P/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 5.5 (number)

impactScore : 4.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : HIGH (string)

attackVector : ADJACENT_NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 6.8 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : HIGH (string)

integrityImpact : HIGH (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 1.6 (number)

impactScore : 5.2 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2021-09-20T20:15:11.337 (string)

references : [ »

0 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html (string)

}

1 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Exploit (string)

1 : Third Party Advisory (string)

]

url : https://www.usenix.org/system/files/sec20-zhang-yue.pdf (string)

}

2 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : http://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/3.20.00.68/exports/changelog.html (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

1 : Third Party Advisory (string)

]

url : https://www.usenix.org/system/files/sec20-zhang-yue.pdf (string)

}

]

sourceIdentifier : cve@mitre.org (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-863 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object