CVE-2020-10134 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2020-10134 Interim 1 15 2023-02-13T01:10:09Z current 2022-04-19T15:34:07Z 2023-02-13T01:10:09Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2020-10134 Pairing in Bluetooth® Core v5.2 and earlier may permit an unauthenticated attacker to acquire credentials with two pairing devices via adjacent access when the unauthenticated user initiates different pairing methods in each peer device and an end-user erroneously completes both pairing procedures with the MITM using the confirmation number of one peer as the passkey of the other. An adjacent, unauthenticated attacker could be able to initiate any Bluetooth operation on either attacked device exposed by the enabled Bluetooth profiles. This exposure may be limited when the user must authorize certain access explicitly, but so long as a user assumes that it is the intended remote device requesting permissions, device-local protections may be weakened. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise Server 12 SP4 bluez libbluetooth3 bluez as a component of SUSE Linux Enterprise High Performance Computing 12 SP4 bluez as a component of SUSE Linux Enterprise Server 12 SP4 libbluetooth3 as a component of SUSE Linux Enterprise Server 12 SP4 Pairing in Bluetooth® Core v5.2 and earlier may permit an unauthenticated attacker to acquire credentials with two pairing devices via adjacent access when the unauthenticated user initiates different pairing methods in each peer device and an end-user erroneously completes both pairing procedures with the MITM using the confirmation number of one peer as the passkey of the other. An adjacent, unauthenticated attacker could be able to initiate any Bluetooth operation on either attacked device exposed by the enabled Bluetooth profiles. This exposure may be limited when the user must authorize certain access explicitly, but so long as a user assumes that it is the intended remote device requesting permissions, device-local protections may be weakened. CVE-2020-10134 SUSE Linux Enterprise High Performance Computing 12 SP4:bluez SUSE Linux Enterprise Server 12 SP4:bluez SUSE Linux Enterprise Server 12 SP4:libbluetooth3 moderate 4.3 AV:A/AC:M/Au:N/C:P/I:P/A:N 5.9 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L