Vulnerability-Lookup

CNVD-2020-46235

Vulnerability from cnvd - Published: 2020-08-16

Title

Nordic Semiconductor Android BLE Library和DFU Library存在未明漏洞

Description

Nordic Semiconductor Android BLE Library和Nordic Semiconductor Android DFU Library都是挪威Nordic Semiconductor公司的产品。Nordic Semiconductor Android BLE Library是一款蓝牙低功耗（BLE）库。Nordic Semiconductor Android DFU Library是一款DFU（设备固件更新）功能库。 Nordic Semiconductor Android BLE Library 2.2.1及之前版本和DFU Library 1.10.4及之前版本（由nRF Connect和其他应用程序使用）存在安全漏洞，该漏洞源于设备进行了未加密的通信（用户认为该通信已加密）。攻击者可利用该漏洞获取敏感信息。

Severity

低

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： https://www.nordicsemi.com/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-15509

Impacted products

Name
['Nordic Semiconductor DFU Library <=1.10.4', 'Nordic Semiconductor Android BLE Library <=2.2.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-15509"
    }
  },
  "description": "Nordic Semiconductor Android BLE Library\u548cNordic Semiconductor Android DFU Library\u90fd\u662f\u632a\u5a01Nordic Semiconductor\u516c\u53f8\u7684\u4ea7\u54c1\u3002Nordic Semiconductor Android BLE Library\u662f\u4e00\u6b3e\u84dd\u7259\u4f4e\u529f\u8017\uff08BLE\uff09\u5e93\u3002Nordic Semiconductor Android DFU Library\u662f\u4e00\u6b3eDFU\uff08\u8bbe\u5907\u56fa\u4ef6\u66f4\u65b0\uff09\u529f\u80fd\u5e93\u3002\n\nNordic Semiconductor Android BLE Library 2.2.1\u53ca\u4e4b\u524d\u7248\u672c\u548cDFU Library 1.10.4\u53ca\u4e4b\u524d\u7248\u672c\uff08\u7531nRF Connect\u548c\u5176\u4ed6\u5e94\u7528\u7a0b\u5e8f\u4f7f\u7528\uff09\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8bbe\u5907\u8fdb\u884c\u4e86\u672a\u52a0\u5bc6\u7684\u901a\u4fe1\uff08\u7528\u6237\u8ba4\u4e3a\u8be5\u901a\u4fe1\u5df2\u52a0\u5bc6\uff09\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://www.nordicsemi.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-46235",
  "openTime": "2020-08-16",
  "products": {
    "product": [
      "Nordic Semiconductor DFU Library \u003c=1.10.4",
      "Nordic Semiconductor Android BLE Library \u003c=2.2.1"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-15509",
  "serverity": "\u4f4e",
  "submitTime": "2020-07-08",
  "title": "Nordic Semiconductor Android BLE Library\u548cDFU Library\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2020-15509 (GCVE-0-2020-15509)

Vulnerability from cvelistv5 – Published: 2020-07-07 13:56 – Updated: 2024-08-04 13:15

Summary

Nordic Semiconductor Android BLE Library through 2.2.1 and DFU Library through 1.10.4 for Android (as used by nRF Connect and other applications) can engage in unencrypted communication while showing the user that the communication is purportedly encrypted. The problem is in bond creation (e.g., internalCreateBond in BleManagerHandler).

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/NordicSemiconductor/Android-BL…	x_refsource_MISC
	https://github.com/NordicSemiconductor/Android-DF…	x_refsource_MISC
	https://secretdiary.ninja/index.php/2020/07/03/no…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:15:20.766Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/NordicSemiconductor/Android-BLE-Library/commits/master"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/NordicSemiconductor/Android-DFU-Library/commits/release"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://secretdiary.ninja/index.php/2020/07/03/norec-attack-stripping-ble-encryption-from-nordicsemis-android-library-cve-2020-15509/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nordic Semiconductor Android BLE Library through 2.2.1 and DFU Library through 1.10.4 for Android (as used by nRF Connect and other applications) can engage in unencrypted communication while showing the user that the communication is purportedly encrypted. The problem is in bond creation (e.g., internalCreateBond in BleManagerHandler)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-07T13:56:47",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NordicSemiconductor/Android-BLE-Library/commits/master"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NordicSemiconductor/Android-DFU-Library/commits/release"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://secretdiary.ninja/index.php/2020/07/03/norec-attack-stripping-ble-encryption-from-nordicsemis-android-library-cve-2020-15509/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-15509",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Nordic Semiconductor Android BLE Library through 2.2.1 and DFU Library through 1.10.4 for Android (as used by nRF Connect and other applications) can engage in unencrypted communication while showing the user that the communication is purportedly encrypted. The problem is in bond creation (e.g., internalCreateBond in BleManagerHandler)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/NordicSemiconductor/Android-BLE-Library/commits/master",
              "refsource": "MISC",
              "url": "https://github.com/NordicSemiconductor/Android-BLE-Library/commits/master"
            },
            {
              "name": "https://github.com/NordicSemiconductor/Android-DFU-Library/commits/release",
              "refsource": "MISC",
              "url": "https://github.com/NordicSemiconductor/Android-DFU-Library/commits/release"
            },
            {
              "name": "https://secretdiary.ninja/index.php/2020/07/03/norec-attack-stripping-ble-encryption-from-nordicsemis-android-library-cve-2020-15509/",
              "refsource": "MISC",
              "url": "https://secretdiary.ninja/index.php/2020/07/03/norec-attack-stripping-ble-encryption-from-nordicsemis-android-library-cve-2020-15509/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-15509",
    "datePublished": "2020-07-07T13:56:47",
    "dateReserved": "2020-07-02T00:00:00",
    "dateUpdated": "2024-08-04T13:15:20.766Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-46235

CVE-2020-15509 (GCVE-0-2020-15509)

Tags

Sightings

Nomenclature