Multiple Vulnerabilities Affecting Bluetooth Devices

Published on 31 Aug 2021

Updated on 06 Sep 2021

Researchers from the Singapore University of Technology and Design (SUTD) have disclosed a family of vulnerabilities, collectively named BrakTooth, affecting devices whose Bluetooth Classic (BR/EDR) firmware mishandles specific Link Manager Protocol (LMP) packets. An attacker within radio range of a vulnerable device can trigger deadlocks or crashes and, on some devices, execute arbitrary code. No pairing is required; only the ability to reach the device over Bluetooth.

Affected devices include Internet of Things (IoT) devices such as smart home hubs and Bluetooth modules, as well as smartphones, laptops and audio devices that use a vulnerable Bluetooth Classic implementation. Affected manufacturers include Espressif Systems, Harman International, Infineon, Silabs, Bluetrum, Zhuhai Jieli Technology, Actions Technology, Qualcomm, Texas Instruments and Intel. Because the flaws are in the Bluetooth system-on-chip firmware rather than in the host operating system, a product is affected if it contains a vulnerable chipset, regardless of the brand on the product itself.


CVSS scores had not been assigned to these vulnerabilities at the time of writing. For the current CVSS score of each CVE, refer to its entry in the National Vulnerability Database (NVD). Entries marked "TBA" have been reported by the researchers but had not yet been assigned a CVE number.

The table below lists the specific vulnerabilities. Each row gives the CVE number, a description (type of vulnerability, vulnerability name and impact), the CVSS score and the affected manufacturers:

CVE Number: CVE-2021-28139
Type of Vulnerability: Remote Code Execution / Deadlock
Vulnerability Name: Feature Pages Execution
Impact: Successful exploitation of this vulnerability could execute arbitrary functions or cause a deadlock in which a manual restart would be required
CVSS Score: -
Affected Manufacturers: Espressif Systems

CVE Number: CVE-2021-34144
Type of Vulnerability: Deadlock
Vulnerability Name: Truncated SCO Link Request
Impact: Successful exploitation of this vulnerability could disrupt the Bluetooth connection and prevent external devices from connecting to the device
CVSS Score: -
Affected Manufacturers: Zhuhai Jieli Technology

CVE Number: CVE-2021-28136
Type of Vulnerability: Crash
Vulnerability Name: Duplicated IOCAP
Impact: Successful exploitation of this vulnerability could crash the device and result in denial-of-service
CVSS Score: -
Affected Manufacturers: Espressif Systems

CVE Number: CVE-2021-28135, CVE-2021-28155, CVE-2021-31717
Type of Vulnerability: Crash
Vulnerability Name: Feature Response Flooding
Impact: Successful exploitation of this vulnerability could crash the device
CVSS Score: -
Affected Manufacturers: Espressif Systems, Harman International, Actions Technology

CVE Number: CVE-2021-31609, CVE-2021-31612
Type of Vulnerability: Crash
Vulnerability Name: LMP Auto Rate Overflow
Impact: Successful exploitation of this vulnerability could crash the device and result in denial-of-service
CVSS Score: -
Affected Manufacturers: Silabs, Zhuhai Jieli Technology

CVE Number: TBA
Type of Vulnerability: Deadlock
Vulnerability Name: LMP 2-DH1 Overflow
Impact: Successful exploitation of this vulnerability could disrupt the Bluetooth connection or cause a deadlock in which a manual restart would be required
CVSS Score: -
Affected Manufacturers: Qualcomm

CVE Number: CVE-2021-34150
Type of Vulnerability: Deadlock
Vulnerability Name: LMP DM1 Overflow
Impact: Successful exploitation of this vulnerability could disrupt the Bluetooth connection and prevent external devices from connecting to the device
CVSS Score: -
Affected Manufacturers: Bluetrum

CVE Number: CVE-2021-31613
Type of Vulnerability: Crash
Vulnerability Name: Truncated LMP Accepted
Impact: Successful exploitation of this vulnerability could crash the device
CVSS Score: -
Affected Manufacturers: Zhuhai Jieli Technology

CVE Number: CVE-2021-31611
Type of Vulnerability: Deadlock
Vulnerability Name: Invalid Setup Complete
Impact: Successful exploitation of this vulnerability could disrupt the Bluetooth connection and result in denial-of-service
CVSS Score: -
Affected Manufacturers: Zhuhai Jieli Technology

CVE Number: CVE-2021-31785
Type of Vulnerability: Deadlock
Vulnerability Name: Host Connection Flooding
Impact: Successful exploitation of this vulnerability could disrupt the Bluetooth connection and result in denial-of-service
CVSS Score: -
Affected Manufacturers: Actions Technology

CVE Number: CVE-2021-31786
Type of Vulnerability: Deadlock
Vulnerability Name: Same Host Connection
Impact: Successful exploitation of this vulnerability could disrupt the Bluetooth connection or cause a deadlock in which a manual restart would be required
CVSS Score: -
Affected Manufacturers: Actions Technology

CVE Number: CVE-2021-31610, CVE-2021-34149, CVE-2021-34146, CVE-2021-34143
Type of Vulnerability: Crash / Deadlock
Vulnerability Name: LMP AU Rand Flooding
Impact: Successful exploitation of this vulnerability could crash the device or cause a deadlock in which a manual restart would be required
CVSS Score: -
Affected Manufacturers: Bluetrum, Texas Instruments, Infineon, Zhuhai Jieli Technology

CVE Number: CVE-2021-34145
Type of Vulnerability: Crash
Vulnerability Name: Invalid Max Slot Type
Impact: Successful exploitation of this vulnerability could crash the device
CVSS Score: -
Affected Manufacturers: Infineon

CVE Number: CVE-2021-34148
Type of Vulnerability: Crash
Vulnerability Name: Max Slot Length Overflow
Impact: Successful exploitation of this vulnerability could crash the device
CVSS Score: -
Affected Manufacturers: Infineon

CVE Number: CVE-2021-34147, TBA
Type of Vulnerability: Crash
Vulnerability Name: Invalid Timing Accuracy
Impact: Successful exploitation of this vulnerability could crash the device or result in denial-of-service
CVSS Score: -
Affected Manufacturers: Intel, Qualcomm, Infineon

CVE Number: TBA
Type of Vulnerability: Deadlock
Vulnerability Name: Paging Scan Disable
Impact: Successful exploitation of this vulnerability could disrupt the Bluetooth connection and result in denial-of-service
CVSS Score: -
Affected Manufacturers: Intel

Users and administrators of the affected products are advised to install the latest firmware or security updates from the respective manufacturers immediately. Since the vulnerable code resides in the Bluetooth chipset firmware, the fix is typically delivered by the product vendor (for example, as a firmware update for an IoT device or headset, or as a driver/firmware package for a laptop or smartphone) rather than by the chipset manufacturer directly.

If an update is not yet available, users and administrators are encouraged to check the respective manufacturers' websites regularly for updates and recommended actions. Where practical, turning off Bluetooth on the device when it is not in use removes the attack surface and can serve as a temporary mitigation; an attacker must be within radio range of a device with Bluetooth enabled to exploit these vulnerabilities.

Information on the available security updates is as follows:

 

More information is available here:

https://asset-group.github.io/disclosures/braktooth