CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-34146
https://notcve.org/view.php?id=CVE-2021-34146
The Bluetooth Classic implementation in the Cypress CYW920735Q60EVB does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service and restart (crash) of the device by flooding it with LMP_AU_Rand packets after the paging procedure. Una implementación de Bluetooth Classic en el Cypress CYW920735Q60EVB no maneja apropiadamente la recepción de respuestas LMP continuas no solicitadas, permitiendo a atacantes en el rango de radio desencadenar una denegación de servicio y reinicio (crash) del dispositivo al inundarlo con paquetes LMP_AU_Rand después del procedimiento de paginación • https://dl.packetstormsecurity.net/papers/general/braktooth.pdf https://www.cypress.com/documentation/datasheets/cyw20735b1-single-chip-bluetooth-transceiver-wireless-input-devices •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-34147
https://notcve.org/view.php?id=CVE-2021-34147
The Bluetooth Classic implementation in the Cypress WICED BT stack through 2.9.0 for CYW20735B1 does not properly handle the reception of a malformed LMP timing accuracy response followed by multiple reconnections to the link slave, allowing attackers to exhaust device BT resources and eventually trigger a crash via multiple attempts of sending a crafted LMP timing accuracy response followed by a sudden reconnection with a random BDAddress. Una implementación de Bluetooth Classic en la pila BT de Cypress WICED versiones hasta 2.9.0 para CYW20735B1, no maneja apropiadamente la recepción de una respuesta de precisión de tiempo LMP malformada seguida de múltiples reconexiones al esclavo de enlace, permitiendo a atacantes agotar los recursos BT del dispositivo y, finalmente, desencadenar un fallo por medio de múltiples intentos de envío de una respuesta de precisión de tiempo LMP diseñada seguida de una reconexión repentina con una dirección BDA aleatoria • https://dl.packetstormsecurity.net/papers/general/braktooth.pdf https://www.cypress.com/documentation/datasheets/cyw20735b1-single-chip-bluetooth-transceiver-wireless-input-devices •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-34148
https://notcve.org/view.php?id=CVE-2021-34148
The Bluetooth Classic implementation in the Cypress WICED BT stack through 2.9.0 for CYW20735B1 devices does not properly handle the reception of LMP_max_slot with a greater ACL Length after completion of the LMP setup procedure, allowing attackers in radio range to trigger a denial of service (firmware crash) via a crafted LMP packet. Una implementación de Bluetooth Classic en la pila WICED BT de Cypress versiones hasta 2.9.0 para los dispositivos CYW20735B1, no maneja apropiadamente la recepción de LMP_max_slot con una longitud ACL mayor después de completar el procedimiento de configuración de LMP, permitiendo a atacantes en el rango de radio desencadenar una denegación de servicio (bloqueo del firmware) por medio de un paquete LMP diseñado • https://dl.packetstormsecurity.net/papers/general/braktooth.pdf https://www.cypress.com/documentation/datasheets/cyw20735b1-single-chip-bluetooth-transceiver-wireless-input-devices •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-34145
https://notcve.org/view.php?id=CVE-2021-34145
The Bluetooth Classic implementation in the Cypress WICED BT stack through 2.9.0 for CYW20735B1 devices does not properly handle the reception of LMP_max_slot with an invalid Baseband packet type (and LT_ADDRESS and LT_ADDR) after completion of the LMP setup procedure, allowing attackers in radio range to trigger a denial of service (firmware crash) via a crafted LMP packet. Una implementación de Bluetooth Classic en la pila WICED BT de Cypress versiones hasta 2.9.0, para los dispositivos CYW20735B1 no maneja apropiadamente la recepción de LMP_max_slot con un tipo de paquete de banda base no válido (y LT_ADDRESS y LT_ADDR) tras la finalización del procedimiento de configuración de LMP, permitiendo a atacantes en el rango de radio desencadenar una denegación de servicio (bloqueo del firmware) por medio de un paquete LMP diseñado • https://dl.packetstormsecurity.net/papers/general/braktooth.pdf https://www.cypress.com/documentation/datasheets/cyw20735b1-single-chip-bluetooth-transceiver-wireless-input-devices •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2019-13916
https://notcve.org/view.php?id=CVE-2019-13916
An issue was discovered in Cypress (formerly Broadcom) WICED Studio 6.2 CYW20735B1 and CYW20819A1. As a Bluetooth Low Energy (BLE) packet is received, it is copied into a Heap (ThreadX Block) buffer. The buffer allocated in dhmulp_getRxBuffer is four bytes too small to hold the maximum of 255 bytes plus headers. It is possible to corrupt a pointer in the linked list holding the free buffers of the g_mm_BLEDeviceToHostPool Block pool. This pointer can be fully controlled by overflowing with 3 bytes of packet data and the first byte of the packet CRC checksum. • https://community.cypress.com/thread/53681 https://github.com/seemoo-lab/frankenstein/blob/master/doc/CVE_2019_13916.md • CWE-787: Out-of-bounds Write •