BLE stack unresponsive after receiving ConnectionRequest with connection timeout field set to 0

Hi,

We are using nrf Connect SDK 2.4.0 and have been looking through the NIST vulnerabilities databases.  One of the vulnerabilities reported with the nrf5340 is a denial of service which occurs when sending  a ConnectionRequest with the connection timeout set to zero.  Apparently, the BLE stack locks up and the application is not notified.  From the database, it was not clear what version of the SDK was used in the testing.  Does this issue occur in v2.4.0 of the SDK or has it been fixed in a later SDK?

Thank you.

Parents Reply
  • Hi,

    I see. The E7 issue in that list is also fixed in SDK 2.2.0. From the changelog:

    Fixed an issue where the controller accepts an LL_PAUSE_ENC_REQ packet received on an unencrypted link (DRGN-17777).

    The issue refered to as I1 in that list we deem invalid and it will not be "fixed". Backround: The spec. allows different behavior and conformant device must allow all of them, so there should be no IOP issues with conformant devices. Furthermore, if ECDH math is implemented in the controller, the HCI_LE_Generate_DHKey command is the first place where controller has a chance to check for validness of peer’s Public Key. See BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 6, Part B page 2834 4.6.26 Remote Public Key Validation. A Controller that supports Remote Public Key Validation shall validate the remote public key (see [Vol 3] Part H, Section 2.3.5.6.1) sent by the Host in the HCI_LE_Generate_DHKey command (see [Vol 4] Part E, Section 7.8.37).

Children
Related