Realtek RTL8762E Bluetooth Low Energy Stack Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Bluetooth Low Energy (BLE) stack of Realtek RTL8762E BLE SDK version 1.4.0. This vulnerability allows attackers within Bluetooth range to disrupt device functionality by sending a specific sequence of crafted control packets. The targeted device may crash or become unresponsive, requiring a manual reset to recover.
Impact
Exploitation of this vulnerability leads to a system crash or communication stall, causing the device to become unresponsive and requiring a manual reboot.
Reproduction
To reproduce this vulnerability, flash a Realtek RTL8762E board with BLE SDK v1.4.0. Then, use a BLE testing tool to initiate a connection with the target device. Once connected, repeatedly send a crafted sequence of control packets, including 'LL_VERSION_IND', 'pairing_request', and multiple 'LL_LENGTH_REQ'/'LL_LENGTH_RSP' exchanges. Monitor the device for a crash or communication stall.
Remediation
It is recommended to add strict validation to the state machine for control packet handling, implement rate limiting to protect against repeated control procedures, and reject control packets that violate expected flow or resource limits.
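A sketch of what these three checks can look like in front of a Link Layer control handler, limited to the LL_VERSION_IND and LL_LENGTH_REQ/LL_LENGTH_RSP PDUs named above. This is an added example, not Realtek SDK code or the vendor's fix. The names ll_guard_t and ll_guard_check and the budget and window values are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Link Layer control opcodes from the Bluetooth Core Specification. */
enum { LL_VERSION_IND = 0x0C, LL_LENGTH_REQ = 0x14, LL_LENGTH_RSP = 0x15 };
/* Assumed policy values, not taken from the advisory. */
#define LEN_REQ_BUDGET    4u     /* peer LL_LENGTH_REQs allowed per window */
#define LEN_REQ_WINDOW_MS 1000u

typedef enum { LL_ACCEPT, LL_REJECT_MALFORMED, LL_REJECT_STATE, LL_REJECT_RATE } ll_verdict_t;

/* Hypothetical per-connection state; zero-initialise when the link comes up. */
typedef struct {
    uint8_t  peer_version_seen;   /* peer already sent LL_VERSION_IND */
    uint8_t  local_len_req_open;  /* we sent LL_LENGTH_REQ and await the RSP */
    uint8_t  len_req_count;       /* peer LL_LENGTH_REQs in the current window */
    uint32_t window_start_ms;
} ll_guard_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* CtrData layout: MaxRxOctets, MaxRxTime, MaxTxOctets, MaxTxTime (2 bytes each). */
static int length_fields_ok(const uint8_t *d) {
    uint16_t rx_oct = le16(d), rx_time = le16(d + 2), tx_oct = le16(d + 4), tx_time = le16(d + 6);
    return rx_oct >= 27 && rx_oct <= 251 && tx_oct >= 27 && tx_oct <= 251 &&
           rx_time >= 328 && tx_time >= 328;  /* octet range and minimum time */
}

/* pdu = opcode byte followed by CtrData; call before the stack acts on the PDU. */
ll_verdict_t ll_guard_check(ll_guard_t *g, const uint8_t *pdu, size_t len, uint32_t now_ms) {
    if (len < 1) return LL_REJECT_MALFORMED;
    switch (pdu[0]) {
    case LL_VERSION_IND:
        if (len != 1 + 5) return LL_REJECT_MALFORMED;
        if (g->peer_version_seen) return LL_REJECT_STATE;   /* once per connection */
        g->peer_version_seen = 1;
        return LL_ACCEPT;
    case LL_LENGTH_REQ:
        if (len != 1 + 8 || !length_fields_ok(pdu + 1)) return LL_REJECT_MALFORMED;
        if (now_ms - g->window_start_ms >= LEN_REQ_WINDOW_MS) { g->window_start_ms = now_ms; g->len_req_count = 0; }
        if (g->len_req_count >= LEN_REQ_BUDGET) return LL_REJECT_RATE;
        g->len_req_count++;
        return LL_ACCEPT;
    case LL_LENGTH_RSP:
        if (len != 1 + 8 || !length_fields_ok(pdu + 1)) return LL_REJECT_MALFORMED;
        if (!g->local_len_req_open) return LL_REJECT_STATE;  /* unsolicited response */
        g->local_len_req_open = 0;
        return LL_ACCEPT;
    default: return LL_ACCEPT;  /* other opcodes are outside this example */
    }
}
```

A rejected PDU should be dropped or answered with the appropriate reject PDU without allocating buffers or changing procedure state, so that repeated violations cost the device nothing.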
