Platform
c
Component
zephyr
Fixed in
3.5.1
CVE-2024-1638 is a high-severity vulnerability affecting Zephyr RTOS versions up to 3.5. It stems from an incorrect implementation of Bluetooth Low Energy (BLE) permission handling, specifically concerning LE Secure Connections. This flaw allows unauthorized access to Bluetooth characteristics, potentially leading to data breaches and control compromise. The vulnerability is fixed in version 3.5.1.
The core of the vulnerability lies in the misinterpretation of BLE characteristic permissions. The Zephyr BLE stack incorrectly handles the BTGATTPERMREADLESC and BTGATTPERMWRITELESC flags. While these flags are intended to enforce LE Secure Connections for read and write operations, the stack fails to do so when combined with other permissions like BTGATTPERMREADENCRYPT/BTGATTPERMREADAUTHEN or BTGATTPERMWRITEENCRYPT/BTGATTPERMWRITEAUTHEN. An attacker can exploit this by crafting malicious BLE connections that bypass the intended security measures. This could allow them to read or write sensitive data transmitted over the BLE link without proper encryption or authentication, potentially leading to device compromise and data theft. The blast radius extends to any device utilizing Zephyr's BLE stack in vulnerable configurations.
CVE-2024-1638 was publicly disclosed on February 19, 2024. The vulnerability's impact is amplified by the widespread use of BLE in IoT devices. While no public exploits have been released, the ease of exploitation makes it a potential target for attackers. The CVSS score of 8.2 (HIGH) reflects the potential for significant impact. It is not currently listed on the CISA KEV catalog, but its severity warrants monitoring.
Exploit Status
EPSS
0.15% (36% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-1638 is to upgrade to Zephyr RTOS version 3.5.1 or later, which includes the corrected BLE permission handling. If upgrading is not immediately feasible, consider implementing compensating controls. Carefully review BLE characteristic permissions in your application, ensuring that BTGATTPERMREADENCRYPT/BTGATTPERMREADAUTHEN and BTGATTPERMWRITEENCRYPT/BTGATTPERMWRITEAUTHEN are always set alongside BTGATTPERMREADLESC and BTGATTPERMWRITELESC. Consider implementing a Web Application Firewall (WAF) or proxy to filter BLE traffic and block connections that attempt to bypass security checks. After upgrading, confirm the fix by attempting a BLE connection without the required encryption/authentication permissions and verifying that access is denied.
Update Zephyr to a version later than 3.5 that includes the fix for this vulnerability. Ensure you apply recommended security configurations for Bluetooth characteristics, including the use of BT_GATT_PERM_READ_ENCRYPT/BT_GATT_PERM_READ_AUTHEN or BT_GATT_PERM_WRITE_ENCRYPT/BT_GATT_PERM_WRITE_AUTHEN along with BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-1638 is a high-severity vulnerability in Zephyr RTOS affecting BLE characteristic permission handling. It allows unauthorized access to BLE data if versions are ≤3.5.
If you are using Zephyr RTOS version 3.5 or earlier, you are potentially affected. Upgrade to 3.5.1 to mitigate the risk.
Upgrade to Zephyr RTOS version 3.5.1 or later. Review BLE characteristic permissions and ensure proper encryption/authentication is enforced.
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a potential target for attackers.
Refer to the Zephyr Project security advisory for detailed information and updates: https://security.zephyrproject.org/
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.