CVE-2020-35473

An information leakage vulnerability in the Bluetooth Low Energy advertisement scan response in Bluetooth Core Specifications 4.0 through 5.2, and extended scan response in Bluetooth Core Specifications 5.0 through 5.2, may be used to identify devices using Resolvable Private Addressing (RPA) by their response or non-response to specific scan requests from remote addresses. RPAs that have been associated with a specific remote device may also be used to identify a peer in the same manner by using its reaction to an active scan request. This has also been called an allowlist-based side channel.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://dl.acm.org/doi/10.1145/3548606.3559372	Technical Description Third Party Advisory
https://www.sigsac.org/ccs/CCS2022/proceedings/ccs-proceedings.html	Technical Description Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bluetooth:bluetooth_core_specification:*:*:*:*:*:*:*:*

History

09 Nov 2022, 18:55

Type	Values Removed	Values Added
First Time		Bluetooth Bluetooth bluetooth Core Specification
CPE		cpe:2.3:a:bluetooth:bluetooth_core_specification::::::::
CWE		CWE-203 CWE-294
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
References	~~(MISC) https://dl.acm.org/doi/10.1145/3548606.3559372 -~~	(MISC) https://dl.acm.org/doi/10.1145/3548606.3559372 - Technical Description, Third Party Advisory
References	~~(MISC) https://www.sigsac.org/ccs/CCS2022/proceedings/ccs-proceedings.html -~~	(MISC) https://www.sigsac.org/ccs/CCS2022/proceedings/ccs-proceedings.html - Technical Description, Third Party Advisory

08 Nov 2022, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-11-08 06:15

Updated : 2023-12-10 14:35

NVD link : CVE-2020-35473

Mitre link : CVE-2020-35473

CVE.ORG link : CVE-2020-35473

JSON object : View

Products Affected

bluetooth

bluetooth_core_specification

CWE

CWE-203

Observable Discrepancy

CWE-294

Authentication Bypass by Capture-replay

{"id": "CVE-2020-35473", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2022-11-08T06:15:09.403", "references": [{"url": "https://dl.acm.org/doi/10.1145/3548606.3559372", "tags": ["Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.sigsac.org/ccs/CCS2022/proceedings/ccs-proceedings.html", "tags": ["Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}, {"lang": "en", "value": "CWE-294"}]}], "descriptions": [{"lang": "en", "value": "An information leakage vulnerability in the Bluetooth Low Energy advertisement scan response in Bluetooth Core Specifications 4.0 through 5.2, and extended scan response in Bluetooth Core Specifications 5.0 through 5.2, may be used to identify devices using Resolvable Private Addressing (RPA) by their response or non-response to specific scan requests from remote addresses. RPAs that have been associated with a specific remote device may also be used to identify a peer in the same manner by using its reaction to an active scan request. This has also been called an allowlist-based side channel."}, {"lang": "es", "value": "Se puede utilizar una vulnerabilidad de fuga de informaci\u00f3n en la respuesta de escaneo de publicidad de Bluetooth Low Energy en las Especificaciones principales de Bluetooth 4.0 a 5.2, y la respuesta de escaneo extendida en las Especificaciones principales de Bluetooth 5.0 a 5.2, para identificar dispositivos que usan Resolvable Private Addressing (RPA) por su respuesta o no-respuesta a solicitudes de escaneo espec\u00edficas desde direcciones remotas. Los RPA que se han asociado con un dispositivo remoto espec\u00edfico tambi\u00e9n se pueden usar para identificar a un par de la misma manera mediante su reacci\u00f3n a una solicitud de escaneo activo. A esto tambi\u00e9n se le ha denominado canal lateral basado en listas permitidas."}], "lastModified": "2022-11-09T18:55:32.357", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bluetooth:bluetooth_core_specification:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "313E8F2B-729D-4037-A7D1-BEB2234EFB85", "versionEndIncluding": "5.2", "versionStartIncluding": "4.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}