The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope
S
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Microsoft Designer Bluetooth Desktop Insufficient Memory Protection
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2019-033
Product: Designer Bluetooth Desktop
Manufacturer: Microsoft
Affected Version(s): n/a
Tested Version(s): n/a
Vulnerability Type: Insufficient Protection of Code (Firmware) and
Data (Cryptographic Key)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-07-31
Solution Date: -
Public Disclosure: 2019-10-10
CVE Reference: Not assigned yet
Author of Advisory: Matthias Deeg (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Microsoft Designer Bluetooth Desktop is a Bluetooth Low Energy (LE)
wireless desktop set consisting of a keyboard and a mouse.
The manufacturer describes the product as follows (see [1]):
"With its ultra-thin and modern look, the Designer Bluetooth Desktop
complements the look of your desk. It wirelessly pairs to your laptop or
tablet with the latest Bluetooth Smart technology - instantly connecting
without wires or dongles to manage. A full-sized keyboard with built-in
number pad and mouse will keep you productive at your desk."
Due to the insufficient protection of the flash memory of the keyboard,
an attacker with physical access has read and write access to the
firmware and the used cryptographic key.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
SySS GmbH found out that the embedded flash memory of the Microsoft
Designer Bluetooth Desktop keyboard can be read and written via the SWD
(Serial Wire Debug) interface of the used nRF51822 Bluetooth SoC [2] as
the flash memory is not protected by the offered readback protection
feature.
Thus, an attacker with physical access to the keyboard can simply read
and write the nRF51822 flash memory contents and either extract the
cryptographic key (Bluetooth LE Long Term Key), for instance, to
perform further attacks against the wireless communication, or modify
the firmware.
However, even if the readback protection of the nRF51822 was enabled,
an attacker would be able to read and write the flash memory contents by
bypassing the security feature as described in [3] and [4] with
slightly more effort.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
SySS GmbH could successfully read the nRF51822 flash memory contents of
the Microsoft Designer Bluetooth Desktop keyboard via the SWD interface
using a SEGGER J-Link PRO [5] debug probe in combination with SEGGER
J-Link Commander and extract the currently used cryptographic key (Long
Term Key).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
According to Microsoft, the reported security issue does not meet
the bar for servicing via a security update [6].
The described security issue may be fixed in future versions of the
product.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2019-07-31: Vulnerability reported to manufacturer
2019-08-01: Microsoft confirms receipt of security advisory
2019-08-06: Microsoft responds that the reported issue does not meet
the bar for servicing via a security update
2019-10-10: Public release of SySS security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for Microsoft Designer Bluetooth Desktop
https://www.microsoft.com/accessories/en-us/products/keyboards/designer-bluetooth-desktop/7n9-00001
[2] nRF51822 Product Specification v3.1
https://infocenter.nordicsemi.com/pdf/nRF51822_PS_v3.1.pdf
[3] Kris Brosch, Include Security, Firmware dumping technique for an ARM Cortex-M0 SoC, 2015
https://blog.includesecurity.com/2015/11/NordicSemi-ARM-SoC-Firmware-dumping-technique.html
[4] Andrew Tierney, Pen Test Partners, NRF51822 code readout protection bypass - a how-to, 2018
https://www.pentestpartners.com/security-blog/nrf51822-code-readout-protection-bypass-a-how-to/
[5] Product website for Segger J-Link PRO
https://www.segger.com/products/debug-probes/j-link/models/j-link-pro/
[6] Microsoft Vulnerability Severity Classification for Windows
https://aka.ms/windowsbugbar
[7] SySS Security Advisory SYSS-2019-033
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-033.txt
[8] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Matthias Deeg of SySS GmbH.
E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAl2dwGkACgkQ2aS/ajSt
TauFEw//cp6r+DslX+0o0fpOkvebbW4MIMSiAXBBOr/ooqxIAOF3I9Bf7XBiOVSY
zvskCeQEEsywrGuLi1UbkJIQWb5SC2a/ZpTMgdeUeXulBin4izaUgbFbjmOcLIug
L+u2bPxsijLjMuS3OIws4GVevT2A8Hf3X7n3+GCiC18RklbxBwzPG4Qw1dQaxZMq
VMdtTyjpBicDERDykfT+mAzC2HHwewObZlNNdXKQXQ34IM51nKODbF2V7VCBf71H
Vrx8g6XDS1VMi4UXEkffpvYUB1u2/y27GUKndYoBcm//A+vdlsjtXlyLd9AXPqpe
0ONTiFkyXmFSE7y5ZZVtrW8J7Oy7N3Yeh5UpHPnF39I05MuFzwy3fSRG7+mTEiJi
N3NRcH7zw2wtUoQzSbZnx/7j/Lp96J3p+kRSE8s4yPu4s2+prkODKgutlT2VuriI
FoIEtCTfzBzdWFySm6q4UunoA794YgjJRq0GxeDjk2/1nL2erLbY8EdLqPoZ0udZ
vJlzjV8fFSyeMzRdkHXaKbDpMYRStwtWLwzbLZBowMi1QMz5lgFhWFFV6s/CxNer
TgoD3ohB/lp1HK+8GlJUIclAQGpsGx6m3znOtjsPtKkzhh76vJndnguRRE/VPXMX
IB2+SPmLmUCQrmu1UdDIq32hFNHIU90SKl8G1dv/1Uhj8gUKX9I=
=izWu
-----END PGP SIGNATURE-----
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum