TI Bluetooth stack can fail to generate a resolvable Random Private Address (RPA) leading to DoS for already bonded peer devices
BOSCH-SA-466062
Advisory Information
- Advisory ID: BOSCH-SA-466062
- CVE Numbers and CVSS v3.1 Scores:
  - CVE-2023-52709
    - Base Score: 6.5 (Medium)
- Published: 28 May 2024
- Last Updated: 31 May 2024
Summary
When Defensics test case #SMP legacy 1001 is run in loop mode against a DUT configured to use a resolvable private address, after a while the device ends up generating an unresolvable random private address, causing Denial of Service for already bonded peer devices.
The potential vulnerability can impact Bluetooth® Low Energy devices that run the affected SDK versions and have Bluetooth privacy enabled with the resolvable private address feature.
Affected Products
- Texas Instruments SIMPLELINK-CC13XX-CC26XX-SDK: SimpleLink™ CC13xx and CC26xx software development kit (SDK) on: CC2651P3, CC2651R3, CC2651R3SIPA, CC2642R, CC2642P, CC2652R, CC2652P, CC1352R, CC1352P, CC2652RSIP, CC2652PSIP, CC2642R-Q1
  - CVE-2023-52709
    - Version(s): <= V7.10.02.23
Solution and Mitigations
Solution
The following SDK releases address the potential vulnerability:
| Affected SDK | First SDK version with mitigations | First BLE stack version with mitigations |
|---|---|---|
| CC13XX-26XX-SDK, BLE5-STACK | SIMPLELINK-LOWPOWER-F2-SDK (7.40.00.77) | v2.02.09.00 |
| CC2340 SDK, BLE5-STACK | SimpleLink Low Power F3 SDK (7.40.00.64) | v3.02.04.00 |
Vulnerability Details
CVE-2023-52709
CVE description: Denial of Service in Texas Instruments SIMPLELINK-CC13XX-CC26XX-SDK: SimpleLink™ CC13xx and CC26xx software development kit (SDK) V7.10.02.23 and earlier allows a possible Denial of Service attack.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Base Score: 6.5 (Medium)
Remarks
Security Update Information
With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:
It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.
Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.
CVSS Scoring
Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.
Additional Resources
- [1] SIMPLELINK-LOWPOWER-F2-SDK (7.40.00.77) Release date: 12 Mar 2024: https://www.ti.com/tool/download/SIMPLELINK-LOWPOWER-F2-SDK/7.40.00.77
- [2] SimpleLink Low Power F3 SDK (7.40.00.64) Version: 7.40.00.64 Release date: 28 Dec 2023: https://www.ti.com/tool/download/SIMPLELINK-LOWPOWER-F3-SDK/7.40.00.64
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.
Revision History
- 31 May 2024: Fixed product name in affected products
- 28 May 2024: Initial Publication
Appendix
We would like to thank Kevin Mitchell, from ETAS Inc., for reporting this vulnerability and working toward a coordinated disclosure.