Bluetooth® Low Energy Vulnerabilities - SweynTooth


asim_zaidi
NXP Employee

Summary

 

NXP PSIRT was informed by security researchers about two Denial of Service (DoS) vulnerabilities which can cause crashes or message-dependent deadlocks in certain Bluetooth Low Energy (Bluetooth LE) implementations of the MCUXpresso Software Development Kit (SDK). The specific software vulnerabilities are:

 

  • Link Layer Length Overflow (CVE-2019-17519) 

If the SoC receives a Bluetooth LE Link Layer (LL) packet with a length greater than expected, the packet is not discarded and causes the SoC to crash.

 

  • Link Layer Deadlock (CVE-2019-17060) 

If the SoC receives a Bluetooth LE packet with a Link Layer ID (LLID) = 0, then memory content adjacent to the packet receiving buffer is overwritten, which causes the Bluetooth LE stack to malfunction and enter a deadlock.
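
Both issues come down to acting on the two-octet data channel PDU header before checking it. The following is an added example, not code from the MCUXpresso SDK: a receive-path check that discards PDUs with the reserved LLID value or with a length field larger than the negotiated maximum or the receive buffer. All names (`ll_rx_validate`, `ll_rx_pdu`, the `LL_*` constants) are hypothetical, and it assumes the radio hands over header plus payload with the CRC already checked and stripped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LL_HDR_LEN        2u    /* header octet + length octet */
#define LL_DEFAULT_MAX_RX 27u   /* max payload octets before data length extension */
#define LL_RX_BUF_SIZE    251u  /* largest LL data payload (Bluetooth 4.2+) */

typedef enum { LL_OK, LL_DROP_TRUNCATED, LL_DROP_RESERVED_LLID,
               LL_DROP_TOO_LONG, LL_DROP_LEN_MISMATCH } ll_rx_status;

typedef struct { uint8_t llid, len, payload[LL_RX_BUF_SIZE]; } ll_rx_pdu;

/* Validate a received data channel PDU (header + payload, CRC already
 * checked and stripped) BEFORE any octet is copied into the stack's buffer. */
ll_rx_status ll_rx_validate(const uint8_t *raw, size_t raw_len,
                            uint8_t max_rx_octets, ll_rx_pdu *out)
{
    if (raw == NULL || out == NULL || raw_len < LL_HDR_LEN)
        return LL_DROP_TRUNCATED;
    uint8_t llid = raw[0] & 0x03u;   /* LLID: low two bits of header octet 0 */
    uint8_t len  = raw[1];           /* sender-controlled length field */
    if (llid == 0u)                  /* 0b00 is reserved: discard, never parse */
        return LL_DROP_RESERVED_LLID;
    if (len > max_rx_octets || len > LL_RX_BUF_SIZE)
        return LL_DROP_TOO_LONG;     /* longer than negotiated or than buffer */
    if ((size_t)len != raw_len - LL_HDR_LEN)
        return LL_DROP_LEN_MISMATCH; /* header disagrees with octets received */
    out->llid = llid;
    out->len  = len;
    memcpy(out->payload, raw + LL_HDR_LEN, len);
    return LL_OK;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t sample_ok[]    = {0x02, 0x03, 0xAA, 0xBB, 0xCC};
static const uint8_t sample_llid0[] = {0x00, 0x01, 0xAA};
static const uint8_t sample_long[]  = {0x02, 0xFF, 0xAA};

int main(void)
{
    ll_rx_pdu pdu;
    printf("ok=%d llid0=%d long=%d\n",
           ll_rx_validate(sample_ok, sizeof sample_ok, LL_DEFAULT_MAX_RX, &pdu),
           ll_rx_validate(sample_llid0, sizeof sample_llid0, LL_DEFAULT_MAX_RX, &pdu),
           ll_rx_validate(sample_long, sizeof sample_long, LL_DEFAULT_MAX_RX, &pdu));
    return 0;
}
```

Counting each drop reason separately gives a field-visible signal that a device is receiving malformed Link Layer traffic.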

 

Required Conditions

 

 Exploiting these software vulnerabilities requires the following conditions to be in place:

 

  • Use of an earlier, impacted version of the MCUXpresso SDK offering Bluetooth LE support (refer to the table below)
  • An attacker would need to be within radio range of the devices to perform these exploits

 

Mitigation

 

NXP has released updated MCUXpresso SDKs with mitigations to address these specific software vulnerabilities and recommends that users update any impacted solutions to the latest respective MCUXpresso SDK versions.

 

| Devices | MCUXpresso SDK Version with the Mitigations |
|---|---|
| MKW41Zxxxxxxxx, MKW31Zxxxxxxxx | 2.2.1 (Released 2019-11-28) |
| MKW39xxxxxxxx, MKW38xxxxxxxx, MKW37xxxxxxxx | 2.6.2 (Released 2019-12-20) |
| MKW36xxxxxxxx, MKW35xxxxxxxx, MKW34xxxxxxxx | 2.2.2 (Released 2019-12-06) |

 

NOTE:  MCUXpresso SDK mitigations for MKW40xxxxx/MKW30xxxxx and K32Wxxxxx devices will be released separately. Other products in our Bluetooth LE portfolio are being analyzed and any future updates will be published on this page.

 

NOTE: Customers who have previously downloaded the MCUXpresso SDK and have the notification preferences turned on (the default) should have automatically received an update on the latest MCUXpresso SDK releases.

 


Please have the Content update checkbox ticked to allow notifications for future MCUXpresso SDK updates.

 

Impact

 

The SweynTooth series of vulnerabilities impact many Bluetooth LE stack implementations from other software and device suppliers. NXP strongly encourages users to review all Bluetooth LE stack implementations with their vendors to ensure that they are not impacted by these vulnerabilities.

 

NXP recommends users review these descriptions for their specific use cases to ascertain any impact to their own products or end customers and take any necessary actions.

 

 

Acknowledgments

 

NXP PSIRT would also like to thank Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang of the Singapore University of Technology and Design for their responsible disclosure.

 

Additional Information

 

For additional questions or support please contact your local NXP representative or submit a ticket at https://support.nxp.com/

 

 

______________________________________________________________________________________________

Please note this information is preliminary and subject to change. To the best of NXP's knowledge, the information contained herein is accurate and reliable as of the date of publication; however, NXP does not assume any liability for the accuracy and completeness of the information.

 

Information in this document is provided solely to enable system and software implementers to use NXP products. There are no express or implied copyright licenses granted hereunder to design or fabricate any integrated circuits based on the information in this document. NXP reserves the right to make changes without further notice to any products herein. NXP makes no warranty, representation, or guarantee regarding the suitability of its products for any particular purpose, nor does NXP assume any liability arising out of the application or use of any product or circuit, and specifically disclaims any and all liability, including without limitation consequential or incidental damages. “Typical” parameters that may be provided in NXP data sheets and/or specifications can and do vary in different applications, and actual performance may vary over time. All operating parameters, including “typicals,” must be validated for each customer application by customerʼs technical experts. NXP does not convey any license under its patent rights nor the rights of others. NXP sells products pursuant to standard terms and conditions of sale, which can be found at the following address: nxp.com/SalesTermsandConditions.

While NXP has implemented advanced security features, all products may be subject to unidentified vulnerabilities. Customers are responsible for the design and operation of their applications and products to reduce the effect of these vulnerabilities on customer's applications and products, and NXP accepts no liability for any vulnerability that is discovered. Customers should implement appropriate design and operating safeguards to minimize the risks associated with their applications and products.