PT-2024-10983 · Unknown · Bluetooth Core Specification
Published 2024-10-01 · Updated 2024-11-15 · CVE-2021-37577
CVSS v3.1: 6.8 (Medium)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
Bluetooth Core Specifications versions 2.1 through 5.3
Description
The issue concerns Bluetooth LE and BR/EDR Secure Connections pairing and Secure Simple Pairing using the Passkey entry protocol. It may allow an unauthenticated man-in-the-middle attacker to identify the Passkey used during pairing by reflecting a crafted public key with the same X coordinate as the offered public key and by reflecting the authentication evidence of the initiating device. This could permit the attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session.
Recommendations
For Bluetooth Core Specifications versions 2.1 through 5.3, consider implementing additional authentication measures to prevent man-in-the-middle attacks, such as verifying the authenticity of public keys and authentication evidence. As a temporary workaround, restrict the use of the Passkey entry protocol until a more secure alternative is available. At the moment, there is no information about a newer version that contains a fix for this issue.
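The Description's reflected key shares its X coordinate with the offered key; a point (x, p − y) does that and still passes an ordinary on-curve validation. The following added example (not taken from the advisory or the Bluetooth specification) shows a receive-side check on P-256 keys, as used by Secure Connections, that fails pairing in that case; the function names and the constructed sample keys are assumptions for illustration.

```python
# Added example: receive-side public key check for P-256 pairing keys.
# Curve constants are the standard P-256 (secp256r1) domain parameters.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def on_curve(x, y):
    """True if (x, y) satisfies y^2 = x^3 + A*x + B (mod P)."""
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def double(point):
    """Point doubling, used here only to build a second constructed key."""
    x, y = point
    lam = (3 * x * x + A) * pow(2 * y, -1, P) % P
    x3 = (lam * lam - 2 * x) % P
    return x3, (lam * (x - x3) - y) % P


def check_peer_public_key(local_pub, peer_pub):
    """Return (accept, reason) for a public key received during pairing."""
    px, py = peer_pub
    if not on_curve(px, py):
        return False, "peer key is not a point on the curve"
    if px == local_pub[0]:
        # Covers both an echoed copy of our key and (x, P - y), which is a
        # different, valid point with the same X coordinate.
        return False, "peer key X coordinate matches local key"
    return True, "ok"


# Constructed sample keys (private scalars 1 and 2; never use such keys).
LOCAL_PUB = (GX, GY)
SAME_X_PUB = (GX, P - GY)
OTHER_PUB = double(LOCAL_PUB)

if __name__ == "__main__":
    samples = [("same key", LOCAL_PUB), ("same X", SAME_X_PUB), ("distinct", OTHER_PUB)]
    for name, key in samples:
        print(name, on_curve(*key), check_peer_public_key(LOCAL_PUB, key))
```

A check that only compares the full key, or only validates that the point is on the curve, accepts the same-X key; comparing the X coordinate rejects both cases.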
Fix
IDOR
Affected Products
Bluetooth Core Specification