CVE-2020-26559

Name of the Vulnerable Software and Affected Versions: Bluetooth Mesh profile versions 1.0 through 1.0.1

Description: The issue allows a nearby device participating in the provisioning protocol to identify the AuthValue used, given the Provisioner's public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue.

Recommendations: For Bluetooth Mesh profile versions 1.0 through 1.0.1, consider restricting access to the provisioning protocol to minimize the risk of exploitation. As a temporary workaround, limit the ability of nearby devices to participate in the provisioning protocol until a fix is available. At the moment, there is no information about a newer version that contains a fix for this issue.