
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Bluetooth Low Energy implementation in Cypress PSoC Creator BLE 4.2 component versions before 3.64 generates a random number (Pairing Random) with significantly less entropy than the specified 128 bits during BLE pairing. This is the case for both authenticated and unauthenticated pairing with both LE Secure Connections as well as LE Legacy Pairing. A predictable or brute-forceable random number allows an attacker (in radio range) to perform a MITM attack during BLE pairing.

• https://www.cypress.com/file/504466/download
• CWE-331: Insufficient Entropy

CVSS: 8.8 | EPSS: 0% | CPEs: 3 | EXPL: 1

An issue was discovered in Cypress (formerly Broadcom) WICED Studio 6.2 CYW20735B1 and CYW20819A1. As a Bluetooth Low Energy (BLE) packet is received, it is copied into a Heap (ThreadX Block) buffer. The buffer allocated in dhmulp_getRxBuffer is four bytes too small to hold the maximum of 255 bytes plus headers. It is possible to corrupt a pointer in the linked list holding the free buffers of the g_mm_BLEDeviceToHostPool Block pool. This pointer can be fully controlled by overflowing with 3 bytes of packet data and the first byte of the packet CRC checksum.

• https://community.cypress.com/thread/53681
• https://github.com/seemoo-lab/frankenstein/blob/master/doc/CVE_2019_13916.md
• CWE-787: Out-of-bounds Write

CVSS: 6.5 | EPSS: 0% | CPEs: 4 | EXPL: 2

The Bluetooth Low Energy implementation in Cypress PSoC 4 BLE component 3.61 and earlier processes data channel frames with a payload length larger than the configured link layer maximum RX payload size, which allows attackers (in radio range) to cause a denial of service (crash) via a crafted BLE Link Layer frame.

• https://asset-group.github.io/disclosures/sweyntooth
• https://community.cypress.com/thread/48573
• https://community.cypress.com/thread/53680
• https://www.youtube.com/watch?v=Iw8sIBLWE_w
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

The Bluetooth Low Energy (BLE) stack implementation on Cypress PSoC 4 through 3.62 devices does not properly restrict the BLE Link Layer header and executes certain memory contents upon receiving a packet with a Link Layer ID (LLID) equal to zero. This allows attackers within radio range to cause deadlocks, cause anomalous behavior in the BLE state machine, or trigger a buffer overflow via a crafted BLE Link Layer frame.

• https://asset-group.github.io/disclosures/sweyntooth
• https://community.cypress.com/thread/53680
• https://www.cypress.com/products/ble-bluetooth
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVSS: 8.8 | EPSS: 0% | CPEs: 126 | EXPL: 0

Broadcom firmware before summer 2014 on Nexus 5 BCM4335C0 2012-12-11, Raspberry Pi 3 BCM43438A1 2014-06-02, and unspecified other devices does not properly restrict LMP commands and executes certain memory contents upon receiving an LMP command, as demonstrated by executing an HCI command.

• http://seclists.org/fulldisclosure/2019/Aug/11
• http://seclists.org/fulldisclosure/2019/Jul/22
• https://seclists.org/bugtraq/2019/Aug/21
• https://source.android.com/security/bulletin/2019-05-01
• https://support.apple.com/kb/HT210348
• https://www.broadcom.com/support/resources/product-security-center
• CWE-732: Incorrect Permission Assignment for Critical Resource