Linux Kernel Bluetooth Legacy STK Authentication Vulnerability in SMP

Vulnerability

A vulnerability in the Linux kernel's Bluetooth implementation has been addressed, specifically in the Security Manager Protocol (SMP) used for LE pairing. The issue arose because the legacy responder path marked the Short Term Key (STK) as authenticated whenever the security level requested by the local service was high, instead of deriving that status from the outcome of the pairing that actually ran. In 'Just Works' or 'Confirm' legacy pairings the STK must remain unauthenticated, because the Man-in-the-Middle (MITM) authentication flag is not set for those methods. This vulnerability affects the Bluetooth subsystem of the Linux kernel.

Impact

This vulnerability could lead to improper authentication of the STK: a key produced by a pairing that offers no MITM protection is treated as if it had been authenticated, potentially allowing unauthorized access or actions over Bluetooth connections that rely on that authentication status.

Reproduction

The vulnerability can be reproduced by initiating a 'Just Works' or 'Confirm' legacy pairing over Bluetooth while the local service requests a high security level. After pairing completes, the STK is incorrectly marked as authenticated even though neither pairing flow supports MITM authentication. This can be verified by checking the authentication status of the STK once the pairing process is complete.
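The decision described in the Vulnerability and Reproduction sections, modelled as an added standalone C example. This is not kernel code and none of the names here (the enums, the `stk_authenticated_*` functions) are the kernel's own; they are hypothetical and only illustrate the difference between deriving the STK's authenticated status from the requested security level and deriving it from the pairing method that actually ran.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of legacy LE pairing methods (not kernel identifiers). */
enum pairing_method {
    PM_JUST_WORKS,    /* no user interaction, no MITM protection */
    PM_JUST_CFM,      /* 'Confirm' (numeric comparison style yes/no), no MITM protection */
    PM_PASSKEY_ENTRY, /* passkey typed/displayed, MITM protected */
    PM_OOB            /* out-of-band data, MITM protected */
};

/* Hypothetical security levels requested by a local service. */
enum sec_level { SEC_LOW = 1, SEC_MEDIUM = 2, SEC_HIGH = 3 };

/* MITM protection is a property of the method that was actually executed. */
static bool method_provides_mitm(enum pairing_method m)
{
    return m == PM_PASSKEY_ENTRY || m == PM_OOB;
}

/* Constructed method selection: if neither side asked for MITM, or the IO
 * capabilities cannot support a passkey, the pairing falls back to Just Works. */
enum pairing_method select_method(bool local_mitm, bool remote_mitm, bool io_supports_passkey)
{
    if ((local_mitm || remote_mitm) && io_supports_passkey)
        return PM_PASSKEY_ENTRY;
    return PM_JUST_WORKS;
}

/* Vulnerable pattern: the flag is taken from what the service asked for.
 * A Just Works pairing requested at SEC_HIGH is wrongly reported as authenticated. */
bool stk_authenticated_vulnerable(enum pairing_method m, enum sec_level requested)
{
    (void)m; /* the method that ran is never consulted */
    return requested == SEC_HIGH;
}

/* Corrected pattern: the flag follows the MITM property of the executed method.
 * The requested level may still gate whether the link is accepted, but it
 * cannot upgrade an unauthenticated key into an authenticated one. */
bool stk_authenticated_fixed(enum pairing_method m, enum sec_level requested)
{
    (void)requested;
    return method_provides_mitm(m);
}

/* Returns the number of (method, level) combinations where the two policies
 * disagree; any disagreement is a key that the vulnerable path over-trusts. */
int count_over_trusted_keys(void)
{
    int mismatches = 0;
    for (int m = PM_JUST_WORKS; m <= PM_OOB; m++) {
        for (int lvl = SEC_LOW; lvl <= SEC_HIGH; lvl++) {
            bool v = stk_authenticated_vulnerable((enum pairing_method)m, (enum sec_level)lvl);
            bool f = stk_authenticated_fixed((enum pairing_method)m, (enum sec_level)lvl);
            if (v && !f)
                mismatches++;
        }
    }
    return mismatches;
}

int main(void)
{
    /* Constructed scenario from the advisory: service asks for SEC_HIGH, but the
     * peer did not request MITM and the IO capabilities only allow Just Works. */
    enum pairing_method ran = select_method(true, false, false);
    printf("method that ran: %s\n", ran == PM_JUST_WORKS ? "Just Works" : "other");
    printf("vulnerable path says authenticated: %d\n", stk_authenticated_vulnerable(ran, SEC_HIGH));
    printf("fixed path says authenticated:      %d\n", stk_authenticated_fixed(ran, SEC_HIGH));
    printf("over-trusted (method, level) combinations: %d\n", count_over_trusted_keys());
    return 0;
}
```

The check a reviewer wants is the one in `stk_authenticated_fixed`: the authenticated bit must be a function of the pairing features that were exchanged and executed, never of the level a local caller requested, because the caller's request says nothing about whether the peer could be impersonated during the key exchange.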

Remediation

Users should update to a Linux kernel version in which this vulnerability has been fixed. Instructions for updating the kernel are available in the official Linux documentation or through the package management system of the respective Linux distribution.

Added: May 1, 2026, 4:18 PM
Updated: May 1, 2026, 4:18 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.