AttackerKB AKB:26308344-A0CA-44B1-B360-E0AEDBD3CA3C
History: Feb 10, 2020 - 12:00 a.m.

CVE-2019-17517


EPSS: 0.001
Percentile: 26.2%

The Bluetooth Low Energy implementation on Dialog Semiconductor SDK through 5.0.4 for DA14580/1/2/3 devices does not properly restrict the L2CAP payload length, allowing attackers in radio range to cause a buffer overflow via a crafted Link Layer packet.

Recent assessments:

pbarry25 at April 25, 2020 7:47pm UTC reported:

This vuln is part of a related batch named SweynTooth from researchers at the Singapore University of Technology and Design. The SweynTooth vulnerabilities lie within certain Bluetooth Low Energy (BLE) SDKs for Systems-on-a-Chip (SoC), which can make proliferating fixes to affected devices in the field slow going.

Vulnerable devices need to be within BLE radio range in order for an attacker to target them. A successful exploit can leave the target in a crashed state or force a restart, triggered by sending the vulnerable device Logical Link Control and Adaptation Layer Protocol (L2CAP) packets containing a Link Layer Length (LL Length) value less than L2CAP Length + 4, resulting in a Buffer Overflow (BOF) condition on the target. A detailed explanation can be found here in the original disclosure, as well as some potentially vulnerable devices in this list. The nature of the vulnerability being a BOF leaves the door open for further exploration to potentially gain code execution on a vulnerable target. It appears the SoC manufacturer has issued some fixes for their vulnerable SDK(s).

EDIT: Attacker Value for this item largely depends on the type of device the vulnerable target is and the behavior the device exhibits when successfully exploited.

Assessed Attacker Value: 3
Assessed Attacker Value: 4
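
The length condition described in the assessment above (LL Length less than L2CAP Length + 4), written as a receive-side check. This is an added example, not part of the assessment and not Dialog SDK code. It assumes each Link Layer PDU carries one complete, unfragmented L2CAP frame; `l2cap_rx_checked`, the status names and the 23-byte `RX_BUF_SIZE` are hypothetical, and the sample PDUs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L2CAP_HDR_LEN 4u   /* 2-byte Length + 2-byte Channel ID, little-endian */
#define RX_BUF_SIZE   23u  /* constructed size of the per-frame receive buffer */

enum rx_status { RX_OK, RX_SHORT_HEADER, RX_TRUNCATED, RX_TOO_LONG };

struct l2cap_frame {
    uint16_t len;
    uint16_t cid;
    uint8_t  payload[RX_BUF_SIZE];
};

/* Hypothetical receive helper: ll_len is the Link Layer Length field, i.e. the
 * number of bytes actually received in ll_payload. */
enum rx_status l2cap_rx_checked(const uint8_t *ll_payload, size_t ll_len,
                                struct l2cap_frame *out)
{
    if (ll_len < L2CAP_HDR_LEN)
        return RX_SHORT_HEADER;           /* header itself is incomplete */

    uint16_t l2cap_len = (uint16_t)(ll_payload[0] | (ll_payload[1] << 8));
    uint16_t cid       = (uint16_t)(ll_payload[2] | (ll_payload[3] << 8));

    /* The condition from the assessment: LL Length < L2CAP Length + 4. */
    if (ll_len < (size_t)l2cap_len + L2CAP_HDR_LEN)
        return RX_TRUNCATED;              /* declared more than was received */
    if (l2cap_len > RX_BUF_SIZE)
        return RX_TOO_LONG;               /* would not fit the destination */

    out->len = l2cap_len;
    out->cid = cid;
    memcpy(out->payload, ll_payload + L2CAP_HDR_LEN, l2cap_len);
    return RX_OK;
}

/* Constructed sample PDUs (not captured traffic). */
static const uint8_t pdu_ok[]         = {0x03, 0x00, 0x04, 0x00, 0x0A, 0x0B, 0x0C};
static const uint8_t pdu_truncated[]  = {0x10, 0x00, 0x04, 0x00, 0x0A, 0x0B};
static const uint8_t pdu_too_long[28] = {0x18, 0x00, 0x04, 0x00};

int main(void)
{
    struct l2cap_frame f;
    printf("ok=%d truncated=%d too_long=%d\n",
           l2cap_rx_checked(pdu_ok, sizeof pdu_ok, &f),
           l2cap_rx_checked(pdu_truncated, sizeof pdu_truncated, &f),
           l2cap_rx_checked(pdu_too_long, sizeof pdu_too_long, &f));
    return 0;
}
```

A stack that reassembles fragmented L2CAP frames would instead bound every copy by the bytes received so far and by the space left in the reassembly buffer.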
