Notice no.: IN-119, rev. 1.0.1

RE: Notice no.: IN-119, rev. 1.0.1

Joakim Jakobsen — Fri, 18 Oct 2019 09:49:59 GMT

The non-compliant BLE protocol stack is the affected versions of the Softdevice.

All three criterias in my previous answer is required for your device to be affected.

RE: Notice no.: IN-119, rev. 1.0.1

m-o — Tue, 15 Oct 2019 00:35:21 GMT

I'm sorry.

I didn't understand the non-compliant BLE protocol stack.
Is it not applicable when using the SDK?

Sorry I don't well know about BLE.

RE: Notice no.: IN-119, rev. 1.0.1

Joakim Jakobsen — Mon, 14 Oct 2019 13:11:20 GMT

Not necessarily.

Please read my previous answer carefully!

Best regards,
Joakim

RE: Notice no.: IN-119, rev. 1.0.1

m-o — Fri, 11 Oct 2019 01:31:23 GMT

Thank you for your answer.

Applications is affected that perform service discovery in Central.

Is my perception correct?

RE: Notice no.: IN-119, rev. 1.0.1

Joakim Jakobsen — Thu, 10 Oct 2019 14:06:39 GMT

Hi.

As stated in the Notice of Security Vulnerability IN-119:
“The vulnerability requires a non-compliant BLE protocol stack to send invalid, or mal-formed packets in response to request types generated by a GATT Client implementation. This vulnerability is not exposed by qualified implementations of BLE protocol stacks that implement valid behavior.

Affected implementations must have the following criteria:

Use an affected BLE protocol stack
Use a GATT Client
Execute a service discovery procedure or a read of a characteristic by UUID which results in one of the following request packet types to be sent to a device implementing a GATT server:
o READ_BY_TYPE_REQUEST
o READ_BY_GROUP_TYPE_REQUEST

Implementations using Central Role are likely to execute a service discovery procedure. If an implementation uses Peripheral Role only, GATT Client is optionally implemented.”

All three criterias mentioned above is required to be affected, so the application must use an affected BLE softdevice, have a GATT client, and execute a service discovery at the specific time.
If one of the criterias above is not met, then you won’t be affected even if you are using an affected version of the softdevice.

Best regards,
Joakim

RE: Notice no.: IN-119, rev. 1.0.1

m-o — Wed, 09 Oct 2019 01:52:58 GMT

Is Application definitely affected when using the corresponding soft device?

The following is not in the source code and I didn't know if my application was corresponding.
・READ_BY_TYPE_REQUEST
・READ_BY_GROUP_TYPE_REQUEST

RE: Notice no.: IN-119, rev. 1.0.1

Joakim Jakobsen — Wed, 28 Aug 2019 08:31:18 GMT

Yes, as I said the affected versions is listed in the Notice of Security Vulnerability IN-119.

RE: Notice no.: IN-119, rev. 1.0.1

swibyn — Mon, 26 Aug 2019 09:12:40 GMT

Does S130 v2.0.1 acceptable?

RE: Notice no.: IN-119, rev. 1.0.1

swibyn — Mon, 26 Aug 2019 08:54:19 GMT

我就想知道到底S130是所有版本都受影响，还是S130就v2.0.0这个版本受影响

RE: Notice no.: IN-119, rev. 1.0.1

Joakim Jakobsen — Fri, 16 Aug 2019 12:50:51 GMT

Hi.

[quote user=""]Could someone clarify which versions are acceptable, instead of going by date?[/quote]

If you take look at the Informational Notice of Security Vulnerability (IN-119). The affected versions is listed on the top right.
"Product version information: All versions of S110, S120 and S130 S132 v2.0.0"

[quote user=""]It looks like SDK 12.2 might be covered, so everything after that should be unaffected?[/quote]

It's not the SDK itself that is affected by this, but certain versions of the Softdevice (ref. IN-119).
Using SDK v.12.2.0 with Softdevice S132 v.3.0.0 (which is listed as the supported S132 Softdevice) will not be affected by this.

Best regards,
Joakim