CVE-2018-5383

HIGH8.0

Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange

Published Aug 7, 2018

Modified 1 years ago

Details

Bluetooth firmware or operating system software drivers in macOS versions before 10.13, High Sierra and iOS versions before 11.4, and Android versions before the 2018-06-05 patch may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.

References

WEBhttp://www.cs.technion.ac.il/~biham/BT/WEBhttp://www.securityfocus.com/bid/104879 WEBhttp://www.securitytracker.com/id/1041432 ADVISORYhttps://access.redhat.com/errata/RHSA-2019:2169 WEBhttps://lists.debian.org/debian-lts-announce/2019/04/msg00005.html ADVISORYhttps://usn.ubuntu.com/4094-1/ADVISORYhttps://usn.ubuntu.com/4095-1/ADVISORYhttps://usn.ubuntu.com/4095-2/ADVISORYhttps://usn.ubuntu.com/4118-1/ADVISORYhttps://usn.ubuntu.com/4351-1/WEBhttps://www.bluetooth.com/news/unknown/2018/07/bluetooth-sig-security-update ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2018-5383 ADVISORYhttps://www.kb.cert.org/vuls/id/304725

CVSS Analysis

CVSS v3.0

8.0

Exploitability

Attack Vector

AdjacentAV:A

Attack Complexity

HighAC:H

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

ChangedS:C

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

NoneA:N

8/CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Weakness Type (CWE)

Other

CWE-325

Ecosystems

Timeline

PublishedAug 7, 2018

ModifiedSep 16, 2024