SWRA694 February 2020 CC2540, CC2541

 


Vulnerability

TI PSIRT ID

TI-PSIRT-2019-060032

CVSS Base Score

8.1

Affected Products and Versions

  • CC2540/CC2541 BLE_Stack v1.5.0 and earlier

Potentially Impacted Features

The potential vulnerability can impact the OAD image signing and encryption functionality.

Suggested Mitigations

The following SDK release addresses the potential vulnerability with a constant time memcmp function in aesSignature():

  • BLE-STACK (support for CC2540/CC2541) SDK v1.5.1

Customers of affected products should apply this service-pack and consider further system-level security measures as appropriate. Customers are solely responsible for the security of their products and are encouraged to assess the possible risk of any potential security vulnerability.
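The mitigation above replaces the comparison in aesSignature() with a constant-time one. As an added illustration (not TI's SDK code; the function names, the 16-byte length and the sample values are assumptions constructed for this example), the following C contrasts a memcmp-style early-exit compare with a constant-time compare and counts loop iterations to show which one depends on the data:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 16  /* assumed length for this example: one AES block */

/* Constructed sample values, not taken from any real image or key. */
const uint8_t EXPECTED[TAG_LEN]    = {0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
                                      0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f};
const uint8_t WRONG_FIRST[TAG_LEN] = {0xff,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
                                      0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f};
const uint8_t WRONG_LAST[TAG_LEN]  = {0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
                                      0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0xff};

/* Early-exit comparison (memcmp-style): returns at the first mismatch, so the
 * work done depends on how many leading bytes match.
 * *steps reports the iteration count to make that dependence visible. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t len, size_t *steps)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) { *steps = i + 1; return 1; }
    }
    *steps = len;
    return 0;
}

/* Constant-time comparison: always reads all len bytes and folds the
 * differences together; the loop has no data-dependent branch or early exit. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t len, size_t *steps)
{
    volatile uint8_t diff = 0;  /* volatile discourages the compiler from short-circuiting */
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *steps = len;
    return diff != 0;
}

int main(void)
{
    size_t first, last;
    leaky_compare(EXPECTED, WRONG_FIRST, TAG_LEN, &first);
    leaky_compare(EXPECTED, WRONG_LAST, TAG_LEN, &last);
    printf("early-exit:    %zu vs %zu iterations\n", first, last);
    ct_compare(EXPECTED, WRONG_FIRST, TAG_LEN, &first);
    ct_compare(EXPECTED, WRONG_LAST, TAG_LEN, &last);
    printf("constant-time: %zu vs %zu iterations\n", first, last);
    return 0;
}
```

When reviewing firmware for the same class of issue, check every comparison of a MAC, signature or other secret-derived value for an early return or a call to the standard memcmp.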

Acknowledgment

We would like to thank researchers from COSIC, KU Leuven and imec for reporting this potential vulnerability to the TI Product Security Incident Response Team (PSIRT) and working toward a coordinated report.