Linux Kernel Bluetooth Stack Pairing Response Vulnerability Allowing MITM Bypass

Vulnerability

A vulnerability in the Linux kernel's Bluetooth stack, specifically in its handling of the Simple Pairing (SMP) protocol, has been addressed. The issue arose because the function that handles pairing requests built the response based on the initiator's authentication requirements before verifying the local security level. If the initiator did not include Man-In-The-Middle (MITM) authentication, the response could also omit it, creating a mismatch with a local pairing policy that required high security. This inconsistency could lead to improper method selection during the pairing process. The vulnerability affected several versions of the Linux kernel.
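The ordering problem described above can be modelled in a few lines of C. This is an added example, not kernel code: the function names, the two-level policy enum and the simplified method selection are assumptions made for illustration, and the corrected ordering shown is one way to resolve the mismatch, not a statement of what the kernel patch does. Only the AuthReq bit values come from the SMP pairing PDU format.

```c
#include <stdint.h>
#include <stdio.h>

/* AuthReq flag bits as defined for SMP pairing PDUs (Bluetooth Core Spec). */
#define AUTH_BONDING 0x01u
#define AUTH_MITM    0x04u

/* Simplified local policy levels and pairing methods (illustrative names). */
enum sec_level { SEC_MEDIUM = 2, SEC_HIGH = 3 };
enum method { METHOD_UNAUTHENTICATED, METHOD_AUTHENTICATED };

/* Ordering described in the advisory: the response AuthReq is derived from
 * the initiator's flags and the local level is not consulted first. */
uint8_t build_rsp_unchecked(uint8_t initiator_auth, enum sec_level local)
{
    (void)local;
    return initiator_auth;
}

/* Assumed corrected ordering: apply local policy, then build the response. */
uint8_t build_rsp_checked(uint8_t initiator_auth, enum sec_level local)
{
    uint8_t auth = initiator_auth;
    if (local == SEC_HIGH)
        auth |= AUTH_MITM;
    return auth;
}

/* Method selection keyed on the response flags; IO capabilities are assumed
 * to permit an authenticated method and are not modelled. */
enum method select_method(uint8_t rsp_auth)
{
    return (rsp_auth & AUTH_MITM) ? METHOD_AUTHENTICATED : METHOD_UNAUTHENTICATED;
}

/* Returns 1 when the selected method is weaker than local policy requires. */
int policy_mismatch(uint8_t rsp_auth, enum sec_level local)
{
    return local == SEC_HIGH && select_method(rsp_auth) != METHOD_AUTHENTICATED;
}

int main(void)
{
    uint8_t req = AUTH_BONDING; /* constructed request: MITM bit not set */
    uint8_t a = build_rsp_unchecked(req, SEC_HIGH);
    uint8_t b = build_rsp_checked(req, SEC_HIGH);
    printf("unchecked: rsp=0x%02x mismatch=%d\n", a, policy_mismatch(a, SEC_HIGH));
    printf("checked:   rsp=0x%02x mismatch=%d\n", b, policy_mismatch(b, SEC_HIGH));
    return 0;
}
```

The policy_mismatch check is the invariant worth asserting in tests of any responder implementation: when local policy is high security, the method derived from the response flags must be an authenticated one.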

Impact

The vulnerability could allow a Bluetooth device to bypass MITM authentication requirements during the pairing process, potentially leading to unauthorized access or manipulation of data between devices.

Reproduction

To reproduce this vulnerability, initiate a Bluetooth pairing process with a device that does not include MITM authentication in its authentication requirements. The responding device should be set to require high security. During the pairing process, the responding device will omit MITM authentication from its response, creating a mismatch with its security policy.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: May 8, 2026, 3:26 PM
Updated: May 8, 2026, 3:26 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.