
             AUSCERT External Security Bulletin Redistribution

  Bluetooth implementations may not sufficiently validate elliptic curve
               parameters during Diffie-Hellman key exchange
                               24 July 2018


        AusCERT Security Bulletin Summary

Product:           Bluetooth devices
Publisher:         CERT
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Apple iOS
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5383  

Reference:         ESB-2018.1987.2

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#304725

Bluetooth implementations may not sufficiently validate elliptic curve
parameters during Diffie-Hellman key exchange

Original Release date: 23 Jul 2018 | Last revised: 23 Jul 2018


Bluetooth firmware or operating system software drivers may not sufficiently
validate elliptic curve parameters used to generate public keys during a
Diffie-Hellman key exchange, which may allow a remote attacker to obtain the
encryption key used by the device.


CWE-325: Missing Required Cryptographic Step - CVE-2018-5383

Bluetooth utilizes a device pairing mechanism based on elliptic-curve
Diffie-Hellman (ECDH) key exchange to allow encrypted communication between
devices. The ECDH key pair consists of a private and a public key, and the
public keys are exchanged to produce a shared pairing key. The devices must
also agree on the elliptic curve parameters being used. Previous work on the
"Invalid Curve Attack" showed that ECDH parameters are not always validated
before being used to compute the resulting shared key; when an implementation
does not validate all of the parameters before computing the shared key, the
effort an attacker needs to obtain the private key of the device under attack
is reduced.

In some implementations, the elliptic curve parameters are not all validated by
the cryptographic algorithm implementation, which may allow a remote attacker
within wireless range to inject an invalid public key to determine the session
key with high probability. Such an attacker can then passively intercept and
decrypt all device messages, and/or forge and inject malicious messages.

Both Bluetooth low energy (LE) implementations of Secure Connections Pairing in
operating system software and BR/EDR implementations of Secure Simple Pairing
in device firmware may be affected. Bluetooth device users are encouraged to
consult with their device vendor for further information.
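The missing step described above is a check on the received public key before it enters the Diffie-Hellman computation. The following is an added example written for this bulletin, not code from CERT/CC, AusCERT, the Bluetooth SIG or any vendor: it validates a peer's P-256 public key (the curve used by Bluetooth Secure Connections) by checking the coordinate range and the curve equation, and models the receive path that refuses a key failing that check. The 64-octet payload layout (X then Y, each 32 little-endian octets) is assumed to follow the LE SMP Pairing Public Key PDU; the sample keys are constructed from the P-256 generator.

```python
# Added example (not code from CERT/CC, AusCERT or the Bluetooth SIG):
# validate a peer's P-256 public key before it is used in ECDH pairing,
# which is the step the description above reports as missing.

# NIST P-256 domain parameters. Bluetooth 4.2+ Secure Connections uses this
# curve for both LE Secure Connections pairing and BR/EDR Secure Simple Pairing.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def is_valid_p256_public_key(x, y):
    """Return True only if (x, y) is an affine point on P-256.

    Three checks: both coordinates are integers, both lie in [0, p-1], and
    y^2 == x^3 + a*x + b (mod p). The point at infinity has no affine
    encoding, so it can never pass. P-256 has cofactor 1, so a point that
    is on the curve is automatically in the prime-order subgroup and no
    separate subgroup-membership check is required.
    """
    if not (isinstance(x, int) and isinstance(y, int)):
        return False
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    lhs = (y * y) % P256_P
    rhs = (pow(x, 3, P256_P) + P256_A * x + P256_B) % P256_P
    return lhs == rhs


def decode_peer_public_key(pdu_payload):
    """Decode and validate a received public key, or abort the pairing.

    The layout assumed here is X then Y, each as 32 little-endian octets,
    matching the LE SMP Pairing Public Key PDU. A key that fails validation
    raises ValueError, which a pairing state machine would map to a
    pairing-failed response rather than continuing to the DH computation.
    """
    if len(pdu_payload) != 64:
        raise ValueError("public key payload must be exactly 64 octets")
    x = int.from_bytes(pdu_payload[:32], "little")
    y = int.from_bytes(pdu_payload[32:], "little")
    if not is_valid_p256_public_key(x, y):
        raise ValueError("peer public key rejected: not a point on P-256")
    return (x, y)


def encode_public_key(x, y):
    """Inverse of decode_peer_public_key, used to build the sample payloads."""
    return x.to_bytes(32, "little") + y.to_bytes(32, "little")


if __name__ == "__main__":
    # Constructed samples: the generator point is valid; the same x with y+1
    # is off the curve (for a given x only y and p-y satisfy the curve
    # equation) and must be refused before any scalar multiplication runs.
    good = encode_public_key(P256_GX, P256_GY)
    print("generator accepted:", decode_peer_public_key(good) == (P256_GX, P256_GY))
    bad = encode_public_key(P256_GX, P256_GY + 1)
    try:
        decode_peer_public_key(bad)
        print("off-curve point accepted (BUG)")
    except ValueError as exc:
        print("off-curve point rejected:", exc)
```

The check is cheap (one modular cube and a few multiplications) and must run on every received key, including keys from a peer that has paired before; an implementation that skips it and feeds the coordinates straight into scalar multiplication is the condition this note describes.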

Since the vulnerability was identified, the Bluetooth SIG has updated the
Bluetooth specifications to require validation of any public key received as
part of public key-based security procedures, thereby providing a remedy to the
vulnerability from a specification perspective. In addition, the Bluetooth SIG
has added testing for this vulnerability within its Bluetooth Qualification
Program.  The Bluetooth SIG has also released a public statement regarding the


An unauthenticated, remote attacker within range may be able to utilize a
man-in-the-middle network position to determine the cryptographic keys used by
the device. The attacker can then intercept and decrypt and/or forge and inject
device messages.


Apply an update

Both software and firmware updates are expected over the coming weeks. Affected
users should check with their device vendor for availability of updates.
Further information for vendors is provided in the Vendor Status section below.

Vendor Information (Learn More)

          Vendor               Status    Date Notified Date Updated
Apple                       Affected     18 Jan 2018   23 Jul 2018
Broadcom                    Affected     18 Jan 2018   19 Jun 2018
Intel                       Affected     18 Jan 2018   23 Jul 2018
QUALCOMM Incorporated       Affected     18 Jan 2018   06 Feb 2018
Microsoft                   Not Affected 06 Feb 2018   20 Jul 2018
Android Open Source Project Unknown      18 Jan 2018   18 Jan 2018
Bluetooth SIG               Unknown      06 Feb 2018   06 Feb 2018
Google                      Unknown      19 Mar 2018   19 Mar 2018
Linux Kernel                Unknown      05 Mar 2018   05 Mar 2018

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

    Group     Score             Vector
Base          7.3   AV:A/AC:M/Au:N/C:C/I:C/A:N
Temporal      5.7   E:POC/RL:OF/RC:C
Environmental 5.7   CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND


  o https://www.bluetooth.com/news/unknown/2018/07/
  o http://cwe.mitre.org/data/definitions/325.html


Thanks to Lior Neumann and Eli Biham for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  o CVE IDs: CVE-2018-5383
  o Date Public: 23 Jul 2018
  o Date First Published: 23 Jul 2018
  o Date Last Updated: 23 Jul 2018
  o Document Revision: 62

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967