Jiska

#21553 of 53,632
11.1 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2020-9974
4.6
2020-06-16
Cypress · Wiced Studio · CVE-2019-18614
Name of the Vulnerable Software and Affected Versions:
Cypress CYW20735 evaluation board (affected versions not specified)
WICED Studio versions 6.2 through 6.4

Description:
The issue is caused by a buffer overflow that occurs when data exceeds 384 bytes. This happens because the maximum BLOC buffer size for sending and receiving data is set to 384 bytes, while other configurations remain at the usual size of 1092 bytes. An attacker can trigger the overflow by sending packets over the air or as an unprivileged local user. The overflow can be triggered over the air by sending a minimal proof of concept, such as `l2ping -s 600`, to the target address prior to any pairing. Locally, the buffer overflow is immediately triggered by opening an ACL or SCO connection to a headset. This is due to `BT_ACL_HOST_TO_DEVICE_DEFAULT_SIZE` and `BT_ACL_DEVICE_TO_HOST_DEFAULT_SIZE` being set to 384 in WICED Studio 6.2 and 6.4.

Recommendations:
For WICED Studio versions 6.2 and 6.4, consider increasing `BT_ACL_HOST_TO_DEVICE_DEFAULT_SIZE` and `BT_ACL_DEVICE_TO_HOST_DEFAULT_SIZE` to a value greater than 384 to prevent the buffer overflow. As a temporary workaround, restrict access to ACL and SCO connections to minimize the risk of exploitation. Avoid using the `l2ping` command with a size greater than 384 bytes until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.