Received the IN-119 notice, and it says:
All users are recommended to use the latest release of BLE protocol stack software for product development. All BLE protocol stacks from Nordic Semiconductor released after July 2016 are not affected by this vulnerability.
Could someone clarify which versions are acceptable, instead of going by date? It looks like SDK 12.2 might be covered, so everything after that should be unaffected?
Thanks!
Hi.
Could someone clarify which versions are acceptable, instead of going by date?
If you take look at the Informational Notice of Security Vulnerability (IN-119). The affected versions is listed on the top right.
"Product version information: All versions of S110, S120 and S130 S132 v2.0.0"
It looks like SDK 12.2 might be covered, so everything after that should be unaffected?
It's not the SDK itself that is affected by this, but certain versions of the Softdevice (ref. IN-119).
Using SDK v.12.2.0 with Softdevice S132 v.3.0.0 (which is listed as the supported S132 Softdevice) will not be affected by this.
Best regards,
Joakim
Is Application definitely affected when using the corresponding soft device?
The following is not in the source code and I didn't know if my application was corresponding.
・READ_BY_TYPE_REQUEST
・READ_BY_GROUP_TYPE_REQUEST
Hi.
As stated in the Notice of Security Vulnerability IN-119:
“The vulnerability requires a non-compliant BLE protocol stack to send invalid, or mal-formed packets in response to request types generated by a GATT Client implementation. This vulnerability is not exposed by qualified implementations of BLE protocol stacks that implement valid behavior.
Affected implementations must have the following criteria:
Implementations using Central Role are likely to execute a service discovery procedure. If an implementation uses Peripheral Role only, GATT Client is optionally implemented.”
All three criterias mentioned above is required to be affected, so the application must use an affected BLE softdevice, have a GATT client, and execute a service discovery at the specific time.
If one of the criterias above is not met, then you won’t be affected even if you are using an affected version of the softdevice.
Best regards,
Joakim
Hi.
As stated in the Notice of Security Vulnerability IN-119:
“The vulnerability requires a non-compliant BLE protocol stack to send invalid, or mal-formed packets in response to request types generated by a GATT Client implementation. This vulnerability is not exposed by qualified implementations of BLE protocol stacks that implement valid behavior.
Affected implementations must have the following criteria:
Implementations using Central Role are likely to execute a service discovery procedure. If an implementation uses Peripheral Role only, GATT Client is optionally implemented.”
All three criterias mentioned above is required to be affected, so the application must use an affected BLE softdevice, have a GATT client, and execute a service discovery at the specific time.
If one of the criterias above is not met, then you won’t be affected even if you are using an affected version of the softdevice.
Best regards,
Joakim
Thank you for your answer.
Applications is affected that perform service discovery in Central.
Is my perception correct?
Not necessarily.
Please read my previous answer carefully!
Best regards,
Joakim
I'm sorry.
I didn't understand the non-compliant BLE protocol stack.
Is it not applicable when using the SDK?
Sorry I don't well know about BLE.
The non-compliant BLE protocol stack is the affected versions of the Softdevice.
All three criterias in my previous answer is required for your device to be affected.
