CVE-2019-9506

The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 8.1 HIGH | ADJACENT_NETWORK | LOW | NONE | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| certcc | CNA | 7.6 HIGH | ADJACENT_NETWORK | LOW | NONE | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
| CVE | ADP | --- | --- | | | |

EPSS percentile: 85%

| Vendor | Product | Version |
|---|---|---|
| google | android | - |
| apple | iphone_os | 12.4 |
| apple | mac_os_x | 10.12.6 |
| apple | mac_os_x | 10.13.6 |
| apple | mac_os_x | 10.14.5 |
| apple | tvos | 12.4 |
| apple | watchos | 5.3 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 19.04 |
| debian | debian_linux | 8.0 |
| opensuse | leap | 15.0 |
| opensuse | leap | 15.1 |
| redhat | mrg_realtime | 2.0 |
| redhat | virtualization_host_eus | 4.2 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux_aus | 7.5 |
| redhat | enterprise_linux_eus | 7.6 |
| redhat | enterprise_linux_eus | 7.7 |
| redhat | enterprise_linux_eus | 8.1 |
| redhat | enterprise_linux_eus | 8.2 |
| redhat | enterprise_linux_eus | 8.4 |
| redhat | enterprise_linux_for_real_time_eus | 8.2 |
| redhat | enterprise_linux_for_real_time_eus | 8.4 |
| redhat | enterprise_linux_for_real_time_for_nfv_eus | 8.2 |
| redhat | enterprise_linux_for_real_time_for_nfv_eus | 8.4 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_server_aus | 7.3 |
| redhat | enterprise_linux_server_aus | 7.4 |
| redhat | enterprise_linux_server_aus | 7.6 |
| redhat | enterprise_linux_server_aus | 7.7 |
| redhat | enterprise_linux_server_aus | 8.2 |
| redhat | enterprise_linux_server_aus | 8.4 |
| redhat | enterprise_linux_server_tus | 7.3 |
| redhat | enterprise_linux_server_tus | 7.4 |
| redhat | enterprise_linux_server_tus | 7.6 |
| redhat | enterprise_linux_server_tus | 7.7 |
| redhat | enterprise_linux_server_tus | 8.2 |
| redhat | enterprise_linux_server_tus | 8.4 |
| redhat | enterprise_linux_tus | 7.6 |
| huawei | alp-al00b_firmware | 𝑥 < 9.1.0.333\(c00e333r2p1t8\) |
| huawei | ares-al00b_firmware | 𝑥 < 9.1.0.160\(c00e160r2p5t8\) |
| huawei | ares-al10d_firmware | 𝑥 < 9.1.0.160\(c00e160r2p5t8\) |
| huawei | ares-tl00c_firmware | 𝑥 < 9.1.0.165\(c01e165r2p5t8\) |
| huawei | asoka-al00ax_firmware | 𝑥 < 9.1.1.181\(c00e48r6p1\) |
| huawei | atomu-l33_firmware | 𝑥 < 8.0.0.147\(c605custc605d1\) |
| huawei | atomu-l41_firmware | 𝑥 < 8.0.0.153\(c461custc461d1\) |
| huawei | atomu-l42_firmware | 𝑥 < 8.0.0.155\(c636custc636d1\) |
| huawei | bla-al00b_firmware | 𝑥 < 9.1.0.329\(c786e320r2p1t8\) |
| huawei | bla-l29c_firmware | 𝑥 < 9.1.0.300\(c605e2r1p12t8\) |
| huawei | bla-tl00b_firmware | 𝑥 < 9.1.0.329\(c01e320r1p1t8\) |
| huawei | barca-al00_firmware | 𝑥 < 8.0.0.366\(c00\) |
| huawei | berkeley-al20_firmware | 𝑥 < 9.1.0.333\(c00e333r2p1t8\) |
| huawei | berkeley-l09_firmware | 𝑥 < 9.1.0.332\(c432e5r1p13t8\) |
| huawei | berkeley-tl10_firmware | 𝑥 < 9.1.0.333\(c01e333r1p1t8\) |
| huawei | charlotte-l29c_firmware | 𝑥 < 9.1.0.311\(c605e2r1p11t8\) |
| huawei | columbia-al10b_firmware | 𝑥 < 9.1.0.333\(c00e333r1p1t8\) |
| huawei | columbia-al10i_firmware | 𝑥 < 9.1.0.335\(c675e8r1p9t8\) |
| huawei | columbia-l29d_firmware | 𝑥 < 9.1.0.350\(c10e5r1p14t8\) |
| huawei | columbia-tl00d_firmware | 𝑥 < 8.1.0.186\(c01gt\) |
| huawei | cornell-al00a_firmware | 𝑥 < 9.1.0.333\(c00e333r1p1t8\) |
| huawei | cornell-al00i_firmware | 𝑥 < 9.1.0.363\(c675e3r1p9t8\) |
| huawei | cornell-al00ind_firmware | 𝑥 < 8.2.0.141\(c675custc675d1gt\) |
| huawei | cornell-al10ind_firmware | 𝑥 < 9.1.0.363\(c675e2r1p9t8\) |
| huawei | cornell-l29a_firmware | 𝑥 < 9.1.0.336\(c636e2r1p12t8\) |
| huawei | cornell-tl10b_firmware | 𝑥 < 9.1.0.333\(c01e333r1p1t8\) |
| huawei | dubai-al00a_firmware | 𝑥 < 8.2.0.190\(c00r2p2\) |
| huawei | dura-al00a_firmware | 𝑥 < 1.0.0.182\(c00\) |
| huawei | dura-tl00a_firmware | 𝑥 < 1.0.0.176\(c01\) |
| huawei | emily-l29c_firmware | 8.1.0.156\(c605\) |
| huawei | ever-l29b_firmware | 𝑥 < 9.1.0.338\(c185e3r3p1\) |
| huawei | figo-l23_firmware | 𝑥 < 9.1.0.160\(c605e6r1p5t8\) |
| huawei | figo-l31_firmware | 8.0.0.122d\(c652\):d |
| huawei | figo-tl10b_firmware | 𝑥 < 9.1.0.130\(c01e115r2p8t8\) |
| huawei | florida-al20b_firmware | 𝑥 < 9.1.0.128\(c00e112r1p6t8\) |
| huawei | florida-l21_firmware | 𝑥 < 9.1.0.150\(c185e6r1p5t8\) |
| huawei | florida-l22_firmware | 𝑥 < 9.1.0.150\(c636e6r1p5t8\) |
| huawei | florida-l23_firmware | 𝑥 < 9.1.0.154\(c605e7r1p2t8\) |
| huawei | florida-tl10b_firmware | 𝑥 < 9.1.0.128\(c01e112r1p6t8\) |
| huawei | honor_20_firmware | 𝑥 < 9.1.0.143\(c675e8r2p1\) |
| huawei | honor_20_pro_firmware | 𝑥 < 9.1.0.154\(c185e2r5p1\) |
| huawei | mate_20_firmware | - |
| huawei | mate_20_pro_firmware | - |
| huawei | mate_20_x_firmware | - |
| huawei | p_smart_firmware | - |
| huawei | p_smart_2019_firmware | - |
| huawei | p20_firmware | - |
| huawei | p20_pro_firmware | - |
| huawei | p30_firmware | - |
| huawei | p30_pro_firmware | - |
| huawei | y5_2018_firmware | - |
| huawei | y5_lite_firmware | - |
| huawei | y6_2019_firmware | - |
| huawei | y6_prime_2018_firmware | - |
| huawei | y6_pro_2019_firmware | - |
| huawei | y7_2019_firmware | - |
| huawei | y9_2019_firmware | - |
| huawei | nova_3_firmware | - |
| huawei | nova_4_firmware | - |
| huawei | nova_5_firmware | - |
| huawei | nova_5i_pro_firmware | - |
| huawei | nova_lite_3_firmware | - |
| huawei | harry-al00c_firmware | - |
| huawei | harry-al10b_firmware | - |
| huawei | harry-tl00c_firmware | - |
| huawei | hima-l29c_firmware | - |
| huawei | honor_10_lite_firmware | - |
| huawei | honor_8a_firmware | - |
| huawei | honor_8x_firmware | - |
| huawei | honor_view_10_firmware | - |
| huawei | honor_view_20_firmware | - |
| huawei | jakarta-al00a_firmware | - |
| huawei | johnson-tl00d_firmware | - |
| huawei | johnson-tl00f_firmware | - |
| huawei | katyusha-al00a_firmware | - |
| huawei | laya-al00ep_firmware | - |
| huawei | leland-l21a_firmware | - |
| huawei | leland-l31a_firmware | - |
| huawei | leland-l32a_firmware | - |
| huawei | leland-l32c_firmware | - |
| huawei | leland-l42a_firmware | - |
| huawei | leland-l42c_firmware | - |
| huawei | leland-tl10b_firmware | - |
| huawei | leland-tl10c_firmware | - |
| huawei | lelandp-al00c_firmware | - |
| huawei | lelandp-al10b_firmware | - |
| huawei | lelandp-al10d_firmware | - |
| huawei | lelandp-l22a_firmware | - |
| huawei | lelandp-l22c_firmware | - |
| huawei | lelandp-l22d_firmware | - |
| huawei | london-al40ind_firmware | - |
| huawei | madrid-al00a_firmware | - |
| huawei | madrid-tl00a_firmware | - |
| huawei | neo-al00d_firmware | - |
| huawei | paris-al00ic_firmware | - |
| huawei | paris-l21b_firmware | - |
| huawei | paris-l21meb_firmware | - |
| huawei | paris-l29b_firmware | - |
| huawei | potter-al00c_firmware | - |
| huawei | potter-al10a_firmware | - |
| huawei | princeton-al10b_firmware | - |
| huawei | princeton-al10d_firmware | - |
| huawei | princeton-tl10c_firmware | - |
| huawei | sydney-al00_firmware | - |
| huawei | sydney-l21_firmware | - |
| huawei | sydney-l21br_firmware | - |
| huawei | sydney-l22_firmware | - |
| huawei | sydney-l22br_firmware | - |
| huawei | sydney-tl00_firmware | - |
| huawei | sydneym-al00_firmware | - |
| huawei | sydneym-l01_firmware | - |
| huawei | sydneym-l03_firmware | - |
| huawei | sydneym-l21_firmware | - |
| huawei | sydneym-l22_firmware | - |
| huawei | sydneym-l23_firmware | - |
| huawei | tony-al00b_firmware | - |
| huawei | tony-tl00b_firmware | - |
| huawei | yale-al00a_firmware | - |
| huawei | yale-al50a_firmware | - |
| huawei | yale-l21a_firmware | - |
| huawei | yale-l61c_firmware | - |
| huawei | yale-tl00b_firmware | - |
| huawei | yalep-al10b_firmware | - |
| huawei | imanager_neteco_firmware | - |
| huawei | imanager_neteco_6000_firmware | - |
| huawei | bla-l29c_firmware | 𝑥 < 9.1.0.306\(c185e2r1p13t8\) |
| huawei | bla-l29c_firmware | 𝑥 < 9.1.0.306\(c432e4r1p11t8\) |
| huawei | bla-l29c_firmware | 𝑥 < 9.1.0.306\(c636e2r1p13t8\) |
| huawei | bla-l29c_firmware | 𝑥 < 9.1.0.307\(c635e4r1p13t8\) |
| huawei | berkeley-l09_firmware | 𝑥 < 9.1.0.350\(c10e3r1p14t8\) |
| huawei | berkeley-l09_firmware | 𝑥 < 9.1.0.350\(c636e4r1p13t8\) |
| huawei | charlotte-l29c_firmware | 𝑥 < 9.1.0.325\(c185e4r1p11t8\) |
| huawei | charlotte-l29c_firmware | 𝑥 < 9.1.0.325\(c636e2r1p12t8\) |
| huawei | charlotte-l29c_firmware | 𝑥 < 9.1.0.328\(c432e5r1p9t8\) |
| huawei | charlotte-l29c_firmware | 𝑥 < 9.1.0.328\(c782e10r1p9t8\) |
| huawei | columbia-l29d_firmware | 𝑥 < 9.1.0.350\(c185e3r1p12t8\) |
| huawei | columbia-l29d_firmware | 𝑥 < 9.1.0.350\(c461e3r1p11t8\) |
| huawei | columbia-l29d_firmware | 𝑥 < 9.1.0.350\(c636e3r1p13t8\) |
| huawei | columbia-l29d_firmware | 𝑥 < 9.1.0.351\(c432e5r1p13t8\) |
| huawei | cornell-l29a_firmware | 𝑥 < 9.1.0.341\(c185e1r1p9t8\) |
| huawei | cornell-l29a_firmware | 𝑥 < 9.1.0.342\(c461e1r1p9t8\) |
| huawei | cornell-l29a_firmware | 𝑥 < 9.1.0.347\(c432e1r1p9t8\) |
| huawei | emily-l29c_firmware | 𝑥 < 9.1.0.311\(c461e2r1p11t8\) |
| huawei | emily-l29c_firmware | 𝑥 < 9.1.0.325\(c185e2r1p12t8\) |
| huawei | emily-l29c_firmware | 𝑥 < 9.1.0.325\(c636e7r1p13t8\) |
| huawei | emily-l29c_firmware | 𝑥 < 9.1.0.326\(c635e2r1p11t8\) |
| huawei | emily-l29c_firmware | 𝑥 < 9.1.0.328\(c432e7r1p11t8\) |
| huawei | figo-l31_firmware | 𝑥 < 9.1.0.122\(c09e7r1p5t8\) |
| huawei | figo-l31_firmware | 𝑥 < 9.1.0.137\(c33e8r1p5t8\) |
| huawei | figo-l31_firmware | 𝑥 < 9.1.0.137\(c530e8r1p5t8\) |
| huawei | figo-l31_firmware | 𝑥 < 9.1.0.158\(c432e8r1p5t8\) |
| huawei | figo-l31_firmware | 𝑥 < 9.1.0.165\(c10e8r1p5t8\) |
| huawei | florida-l21_firmware | 𝑥 < 9.1.0.150\(c432e6r1p5t8\) |
| huawei | honor_20_firmware | 𝑥 < 9.1.0.149\(c675e8r2p1\) |
| huawei | honor_20_pro_firmware | 𝑥 < 9.1.0.154\(c185e2r5p1\) |
| huawei | honor_20_pro_firmware | 𝑥 < 9.1.0.154\(c432e2r5p1\) |
| huawei | honor_20_pro_firmware | 𝑥 < 9.1.0.154\(c636e2r3p1\) |
| huawei | honor_20_pro_firmware | 𝑥 < 9.1.0.155\(c10e2r3p1\) |
| huawei | honor_20_pro_firmware | 𝑥 < 9.1.0.170\(c185e2r5p1\) |
| huawei | honor_20_pro_firmware | 𝑥 < 9.1.0.170\(c636e2r3p1\) |
| huawei | honor_20_pro_firmware | 𝑥 < 9.1.0.171\(c10e2r3p1\) |
| huawei | honor_20_pro_firmware | 𝑥 < 9.1.0.172\(c432e2r5p1\) |

𝑥 = Vulnerable software versions
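
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| linux | bullseye | 5.10.223-1 | fixed |
| linux | bullseye (security) | 5.10.226-1 | fixed |
| linux | bookworm | 6.1.106-3 | fixed |
| linux | bookworm (security) | 6.1.112-1 | fixed |
| linux | trixie | 6.11.5-1 | fixed |
| linux | sid | 6.11.6-1 | fixed |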

Ubuntu Releases

| Ubuntu Product | focal | eoan | disco | bionic | xenial | trusty |
|---|---|---|---|---|---|---|
| linux | not-affected | not-affected | Fixed 5.0.0-31.33 (released) | Fixed 4.15.0-60.67 (released) | Fixed 4.4.0-159.187 (released) | ignored |
| linux-aws | not-affected | not-affected | Fixed 5.0.0-1018.20 (released) | Fixed 4.15.0-1047.49 (released) | Fixed 4.4.0-1090.101 (released) | ignored |
| linux-aws-5.0 | dne | dne | dne | not-affected | dne | dne |
| linux-aws-hwe | dne | dne | dne | dne | Fixed 4.15.0-1047.49~16.04.1 (released) | dne |
| linux-azure | not-affected | not-affected | not-affected | not-affected | not-affected | ignored |
| linux-azure-5.3 | dne | dne | dne | not-affected | dne | dne |
| linux-azure-edge | dne | dne | dne | not-affected | not-affected | dne |
| linux-gcp | not-affected | not-affected | Fixed 5.0.0-1020.20 (released) | Fixed 4.15.0-1042.45 (released) | Fixed 4.15.0-1041.43 (released) | dne |
| linux-gcp-5.3 | dne | dne | dne | not-affected | dne | dne |
| linux-gcp-edge | dne | dne | dne | Fixed 4.15.0-1042.45 (released) | dne | dne |
| linux-gke-4.15 | dne | dne | dne | Fixed 4.15.0-1041.43 (released) | dne | dne |
| linux-gke-5.0 | dne | dne | dne | Fixed 5.0.0-1020.20~18.04.1 (released) | dne | dne |
| linux-gke-5.3 | dne | dne | | not-affected | dne | dne |
| linux-hwe | dne | dne | dne | Fixed 5.0.0-31.33~18.04.1 (released) | Fixed 4.15.0-60.67~16.04.1 (released) | dne |
| linux-hwe-edge | dne | dne | dne | ignored | Fixed 4.15.0-60.67~16.04.1 (released) | dne |
| linux-kvm | not-affected | not-affected | not-affected | not-affected | not-affected | dne |
| linux-lts-trusty | dne | dne | dne | dne | dne | dne |
| linux-lts-xenial | dne | dne | dne | dne | dne | ignored |
| linux-oem | dne | Fixed 4.15.0-1059.68 (released) | ignored | Fixed 4.15.0-1056.65 (released) | ignored | dne |
| linux-oem-5.6 | not-affected | dne | | dne | dne | dne |
| linux-oem-osp1 | dne | Fixed 5.0.0-1024.27 (released) | ignored | Fixed 5.0.0-1024.27 (released) | dne | dne |
| linux-oracle | not-affected | not-affected | Fixed 5.0.0-1004.8 (released) | Fixed 4.15.0-1022.25 (released) | Fixed 4.15.0-1022.25~16.04.1 (released) | dne |
| linux-oracle-5.0 | dne | dne | dne | not-affected | dne | dne |
| linux-oracle-5.3 | dne | dne | | not-affected | dne | dne |
| linux-raspi2 | not-affected | not-affected | Fixed 5.0.0-1019.19 (released) | Fixed 4.15.0-1044.47 (released) | Fixed 4.4.0-1118.127 (released) | dne |
| linux-raspi2-5.3 | dne | dne | | not-affected | dne | dne |
| linux-snapdragon | dne | dne | Fixed 5.0.0-1023.24 (released) | Fixed 4.15.0-1062.69 (released) | Fixed 4.4.0-1122.128 (released) | dne |

References