BLE stack unresponsive after receiving ConnectionRequest with connection timeout field set to 0

kpreiss 1 day ago

Hi,

We are using nrf Connect SDK 2.4.0 and have been looking through the NIST vulnerabilities databases. One of the vulnerabilities reported with the nrf5340 is a denial of service which occurs when sending a ConnectionRequest with the connection timeout set to zero. Apparently, the BLE stack locks up and the application is not notified. From the database, it was not clear what version of the SDK was used in the testing. Does this issue occur in v2.4.0 of the SDK or has it been fixed in a later SDK?

Thank you.

Parents

0 Einar Thorsrud 22 hours ago

Hi,

Are you referring to CVE-2022-40480? nRF Connect SDK 2.2.0 included a fix that exploitation of this vulnerability. This is described in the SoftDevice Controller changelog for 2.2.0:

Fixed an issue where the controller accepts CONNECT_IND, AUX_CONNECT_REQ and CONNECTION_UPDATE_REQ packets with the connSupervisionTimeout value set to 0 (DRGN-17776).
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 kpreiss 21 hours ago in reply to Einar Thorsrud

Hi Einar,

Yes, this is the CVE-2022-404 which I'm referring to. Do you know if the other issues (E7, I1) were also resolved?

Thank you!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Einar Thorsrud 4 hours ago in reply to kpreiss

Hi,

I am not sure what this refers to. Can you shar ethe full CVE name or similar?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Einar Thorsrud 4 hours ago in reply to kpreiss

Hi,

I am not sure what this refers to. Can you shar ethe full CVE name or similar?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data