This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Notice no.: IN-119, rev. 1.0.1

Received the IN-119 notice, and it says:



All users are recommended to use the latest release of BLE protocol stack software for product development. All BLE protocol stacks from Nordic Semiconductor released after July 2016 are not affected by this vulnerability.

Could someone clarify which versions are acceptable, instead of going by date? It looks like SDK 12.2 might be covered, so everything after that should be unaffected?

Thanks!

Parents
  • Hi. 

    Could someone clarify which versions are acceptable, instead of going by date?

     If you take look at the Informational Notice of Security Vulnerability (IN-119). The affected versions is listed on the top right. 
    "Product version information: All versions of S110, S120 and S130 S132 v2.0.0" 

    It looks like SDK 12.2 might be covered, so everything after that should be unaffected?

     It's not the SDK itself that is affected by this, but certain versions of the Softdevice (ref. IN-119). 
    Using SDK v.12.2.0 with Softdevice S132 v.3.0.0 (which is listed as the supported S132 Softdevice) will not be affected by this. 

    Best regards, 
    Joakim

  • Is Application definitely affected when using the corresponding soft device?

    The following is not in the source code and I didn't know if my application was corresponding.
    ・READ_BY_TYPE_REQUEST
    ・READ_BY_GROUP_TYPE_REQUEST

  • Hi.

    As stated in the Notice of Security Vulnerability IN-119:
    “The vulnerability requires a non-compliant BLE protocol stack to send invalid, or mal-formed packets in response to request types generated by a GATT Client implementation. This vulnerability is not exposed by qualified implementations of BLE protocol stacks that implement valid behavior.

    Affected implementations must have the following criteria:

    • Use an affected BLE protocol stack
    • Use a GATT Client
    • Execute a service discovery procedure or a read of a characteristic by UUID which results in one of the following request packet types to be sent to a device implementing a GATT server:
      o READ_BY_TYPE_REQUEST
      o READ_BY_GROUP_TYPE_REQUEST

    Implementations using Central Role are likely to execute a service discovery procedure. If an implementation uses Peripheral Role only, GATT Client is optionally implemented.”

    All three criterias mentioned above is required to be affected, so the application must use an affected BLE softdevice, have a GATT client, and execute a service discovery at the specific time.
    If one of the criterias above is not met, then you won’t be affected even if you are using an affected version of the softdevice.

    Best regards, 
    Joakim

  • Thank you for your answer.

    Applications is affected that perform service discovery in Central.

    Is my perception correct?

  • Not necessarily. 

    Please read my previous answer carefully! 

    Best regards, 
    Joakim 

Reply Children
Related