The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Bluetooth Firmware: information disclosure via Weak Elliptic Curve Parameters

Synthesis of the vulnerability 

An attacker can bypass access restrictions to data via Weak Elliptic Curve Parameters of Bluetooth Firmware, in order to obtain sensitive information.
Vulnerable products: iOS by Apple, iPhone, Mac OS X, Debian, Android OS, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this weakness: 2/4.
Creation date: 19/02/2019.
References of this bulletin: CERTFR-2019-AVI-188, CERTFR-2019-AVI-391, CERTFR-2019-AVI-419, CVE-2018-5383, DLA-1747-1, HT208848, HT208849, HT208937, HT209139, openSUSE-SU-2019:0275-1, RHSA-2019:2169-01, SUSE-SU-2019:0422-1, SUSE-SU-2019:0427-1, SUSE-SU-2019:0427-2, SUSE-SU-2019:0466-1, USN-4094-1, USN-4095-1, USN-4095-2, USN-4118-1, USN-4351-1, VIGILANCE-VUL-28536.

Description of the vulnerability 

An attacker can bypass access restrictions to data via Weak Elliptic Curve Parameters of Bluetooth Firmware, in order to obtain sensitive information.

This threat bulletin impacts software or systems such as iOS by Apple, iPhone, Mac OS X, Debian, Android OS, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this computer threat bulletin is medium.

The trust level is "confirmed by the editor", and the origin of the attack is a radio connection.

An attacker with expert ability can exploit this computer threat.

Solutions for this threat 

Apple iOS: version 11.4.
Version 11.4 is fixed:
  https://support.apple.com/

Apple macOS: version 10.13.5.
Version 10.13.5 is fixed:
  https://support.apple.com/

Apple macOS: version 10.13.6.
Version 10.13.6 is fixed:
  https://support.apple.com/

Apple macOS: version 10.14.
Version 10.14 is fixed:
  https://support.apple.com/

Debian 8: new firmware-nonfree packages.
New packages are available:
  Debian 8: firmware-nonfree 20161130-5~deb8u1

Google Android/Pixel: patch for August 2018.
A patch is indicated in information sources.

openSUSE Leap 42.3: new kernel-firmware packages.
New packages are available:
  openSUSE Leap 42.3: kernel-firmware 20170530-26.1

RHEL 7: new linux-firmware packages.
New packages are available:
  RHEL 7: linux-firmware 20190429-72.gitddde598.el7

SUSE LE 12 RTM: new kernel-firmware packages.
New packages are available:
  SUSE LE 12 RTM: kernel-firmware 20140807git-5.11.1

SUSE LE 12 SP1: new kernel-firmware packages.
New packages are available:
  SUSE LE 12 SP1: kernel-firmware 20160516git-10.16.1

SUSE LE 12 SP2/3: new kernel-firmware packages.
New packages are available:
  SUSE LE 12 SP2: kernel-firmware 20170530-21.28.1
  SUSE LE 12 SP3: kernel-firmware 20170530-21.28.1

Ubuntu 16/18: new linux-image-aws packages.
New packages are available:
  Ubuntu 16.04 LTS: linux-image-aws 4.15.0.1047.47
  Ubuntu 18.04 LTS: linux-image-aws 4.15.0.1047.46

Ubuntu: new linux-firmware packages.
New packages are available:
  Ubuntu 18.04 LTS: linux-firmware 1.173.18
  Ubuntu 16.04 LTS: linux-firmware 1.157.23

Ubuntu: new linux-image-4.15.0 packages.
New packages are available:
  Ubuntu 16.04 LTS: linux-image-generic-hwe-16.04 4.15.0.58.79
  Ubuntu 18.04 LTS: linux-image-generic 4.15.0.58.60

Ubuntu: new linux-image-4.4.0 packages.
New packages are available:
  Ubuntu 14.04 ESM: linux-image-generic-lts-xenial 4.4.0.159.140
  Ubuntu 16.04 LTS: linux-image-generic 4.4.0.159.167