Vulnerabilities > CVE-2022-25837 - Authentication Bypass by Capture-replay vulnerability in Bluetooth Core Specification

CVSS 7.5 - HIGH

Attack vector

ADJACENT_NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

high complexity

bluetooth

CWE-294

NVD

Published: 2022-12-12

Updated: 2022-12-14

Summary

Bluetooth® Pairing in Bluetooth Core Specification v1.0B through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when at least one device supports BR/EDR Secure Connections pairing and the other BR/EDR Legacy PIN code pairing if the MITM negotiates BR/EDR Secure Simple Pairing in Secure Connections mode using the Passkey association model with the pairing Initiator and BR/EDR Legacy PIN code pairing with the pairing Responder and brute forces the Passkey entered by the user into the Responder as a 6-digit PIN code. The MITM attacker can use the identified PIN code value as the Passkey value to complete authentication with the Initiator via Bluetooth pairing method confusion.

Vulnerable Configurations

Part	Description	Count
Application	Bluetooth Bluetooth Bluetooth Core Specification 1.1B Bluetooth Bluetooth Core Specification 1.2 Bluetooth Bluetooth Core Specification 2.0 Bluetooth Bluetooth Core Specification 2.1 Bluetooth Bluetooth Core Specification 3.0 Bluetooth Bluetooth Core Specification 4.0 Bluetooth Bluetooth Core Specification 4.1 Bluetooth Bluetooth Core Specification 4.2 Bluetooth Bluetooth Core Specification 5.0 Bluetooth Bluetooth Core Specification 5.1 Bluetooth Bluetooth Core Specification 5.2 Bluetooth Bluetooth Core Specification 5.3	12

Common Weakness Enumeration (CWE)

CWE-294 - Authentication Bypass by Capture-replay

Common Attack Pattern Enumeration and Classification (CAPEC)

Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
Man in the Middle Attack
This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.

References

https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/