Security Alert (A21-09-03): Multiple Vulnerabilities in Bluetooth devices

Description:

Multiple vulnerabilities, collectively known as BrakTooth, are found in the implementation of Bluetooth SoC boards from multiple vendors. An attacker within wireless range of the vulnerable Bluetooth devices could send a specially crafted Bluetooth Link Manager Protocol (LMP) packet to exploit the vulnerabilities.

Affected Systems:

• Devices equipped with Bluetooth system-on-chip (SoC)

It is strongly recommended to consult the product supplier and/or device manufacturer if the systems or devices are affected.

Impact:

Depending on the vulnerability exploited, a successful attack could lead to denial-of-service or arbitrary code execution.

Recommendation:

System administrators and users should check with their product vendors to confirm if their devices are affected and the availability of patches. System administrators and users should apply the patches or follow the recommendations provided by the product vendors to mitigate the risk.

List of affected vendors are made available in the following URL:
https://asset-group.github.io/disclosures/braktooth/

As a security best practice, Bluetooth on affected devices should be disabled when not in use.

More Information:

• https://asset-group.github.io/disclosures/braktooth/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28135
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28136
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28139
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28155
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31609 (to CVE-2021-31613)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31717
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31785
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31786
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34143 (to CVE-2021-34150)