ID

VAR-202007-0920


CVE

CVE-2020-15509


TITLE

Nordic Semiconductor Android BLE Library and DFU Library Vulnerability regarding lack of encryption of critical data in

Trust: 0.8

sources: JVNDB: JVNDB-2020-007769

DESCRIPTION

Nordic Semiconductor Android BLE Library through 2.2.1 and DFU Library through 1.10.4 for Android (as used by nRF Connect and other applications) can engage in unencrypted communication while showing the user that the communication is purportedly encrypted. The problem is in bond creation (e.g., internalCreateBond in BleManagerHandler).

Trust: 1.62

sources: NVD: CVE-2020-15509 // JVNDB: JVNDB-2020-007769

IOT TAXONOMY

category: ['network device'], sub_category: bluetooth device

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: nordicsemi, model: android ble library, scope: lte, version: 2.2.1

Trust: 1.0

vendor: nordicsemi, model: dfu library, scope: lte, version: 1.10.4

Trust: 1.0

vendor: nordic semiconductor, model: android ble library, scope: eq, version: 2.2.1

Trust: 0.8

vendor: nordic semiconductor, model: dfu library, scope: eq, version: 1.10.4

Trust: 0.8

sources: JVNDB: JVNDB-2020-007769 // NVD: CVE-2020-15509

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-15509
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-007769
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202007-312
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2020-15509
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-007769
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CVSSV3

nvd@nist.gov: CVE-2020-15509
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-007769
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-007769 // CNNVD: CNNVD-202007-312 // NVD: CVE-2020-15509

PROBLEMTYPE DATA

problemtype:CWE-319

Trust: 1.0

problemtype:CWE-311

Trust: 0.8

sources: JVNDB: JVNDB-2020-007769 // NVD: CVE-2020-15509

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202007-312

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202007-312

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-007769

PATCH

title: NordicSemiconductor/Android-BLE-Library, url: https://github.com/NordicSemiconductor/Android-BLE-Library/commits/master

Trust: 0.8

title: NordicSemiconductor/Android-DFU-Library, url: https://github.com/NordicSemiconductor/Android-DFU-Library/commits/release

Trust: 0.8

sources: JVNDB: JVNDB-2020-007769

EXTERNAL IDS

db: NVD, id: CVE-2020-15509

Trust: 2.5

db: JVNDB, id: JVNDB-2020-007769

Trust: 0.8

db: CNNVD, id: CNNVD-202007-312

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2020-007769 // CNNVD: CNNVD-202007-312 // NVD: CVE-2020-15509

REFERENCES

url:https://secretdiary.ninja/index.php/2020/07/03/norec-attack-stripping-ble-encryption-from-nordicsemis-android-library-cve-2020-15509/

Trust: 2.4

url:https://github.com/nordicsemiconductor/android-ble-library/commits/master

Trust: 1.6

url:https://github.com/nordicsemiconductor/android-dfu-library/commits/release

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-15509

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-15509

Trust: 0.8

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2020-007769 // CNNVD: CNNVD-202007-312 // NVD: CVE-2020-15509

SOURCES

db: OTHER, id: -
db: JVNDB, id: JVNDB-2020-007769
db: CNNVD, id: CNNVD-202007-312
db: NVD, id: CVE-2020-15509

LAST UPDATE DATE

2025-01-30T22:03:09.832000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2020-007769, date: 2020-08-25T00:00:00
db: CNNVD, id: CNNVD-202007-312, date: 2020-07-16T00:00:00
db: NVD, id: CVE-2020-15509, date: 2024-11-21T05:05:39.973

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2020-007769, date: 2020-08-25T00:00:00
db: CNNVD, id: CNNVD-202007-312, date: 2020-07-07T00:00:00
db: NVD, id: CVE-2020-15509, date: 2020-07-07T14:15:11.380