Zero-Click Vulnerability in Linux Bluetooth Stack


Google researchers have warned of a new set of security vulnerabilities in BlueZ that may allow escalation of privilege or information disclosure. BlueZ is releasing Linux kernel fixes to address them.

BleedingTooth Vulnerability

According to Google researcher Andy Nguyen, BleedingTooth is a set of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated remote attacker at short range to execute arbitrary code with kernel privileges on vulnerable devices.

Vulnerability Details:

Intel, which has significantly invested in the BlueZ project, has also issued an alert characterizing the flaws in its advisory.

  • CVE ID: CVE-2020-12351, CVSS score 8.3

Description: Improper input validation in BlueZ may allow an unauthenticated user to potentially enable the escalation of privilege via adjacent access.

It affects Linux kernel 4.8 and higher and is present in the Logical Link Control and Adaptation Protocol (L2CAP) of the Bluetooth standard, which multiplexes data between different higher-layer protocols.

The flaw can be triggered over the air without any action by the victim: “A remote attacker in short distance knowing the victim’s [Bluetooth device] address can send a malicious L2CAP packet and cause a denial of service or possibly arbitrary code execution with kernel privileges,” Google noted in its advisory.

  • CVE ID: CVE-2020-12352, CVSS score 5.3

Description: Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.

A consequence of a 2012 change made to the core Alternate MAC-PHY Manager Protocol (A2MP), a high-speed transport link used in Bluetooth HS (High Speed) to transfer larger amounts of data, the issue permits a remote attacker in short distance to retrieve kernel stack information and use it to predict the memory layout and defeat kernel address space layout randomization (KASLR).

  • CVE ID: CVE-2020-24490, CVSS score 5.3

Description: Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access.

The third flaw was found in HCI (Host Controller Interface), which is a standardized Bluetooth interface for sending commands, receiving events, and for sending and receiving data. It is a heap-based buffer overflow impacting Linux kernel 4.19 and higher, allowing a nearby remote attacker to “cause denial of service or possibly arbitrary code execution with kernel privileges on victim machines if they are equipped with Bluetooth 5 chips and are in scanning mode.”

Affected Products:

All Linux kernel versions that support BlueZ.

Recommendations:

BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities. Intel also recommends installing the following kernel fixes to address these issues:

https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/

https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/

https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/

https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e
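As a triage aid added here (not from the article, Intel or the BlueZ project), the script below checks a kernel version against the two version floors the article gives and reports whether the in-kernel Bluetooth stack is active on the host. It assumes only those floors; the article names no fixed version and distributions backport fixes, so "in range" means "confirm the patch level", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added triage helper, not from the article, Intel or BlueZ. Version floors are
# those the article gives (4.8+ for CVE-2020-12351, 4.19+ for CVE-2020-24490);
# it names none for CVE-2020-12352 and no fixed version, and distributions
# backport fixes, so "in range" means "check the patch level", not "vulnerable".
# version_ge A B: succeed if kernel version A >= B, comparing the numeric x.y.z
# prefix ("5.4.0-91-generic" -> 5.4.0, "4.19.0-rc1" -> 4.19.0).
version_ge() {
    a=$(printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/').0.0
    b=$(printf '%s\n' "$2" | sed 's/^\([0-9][0-9.]*\).*/\1/').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# affected_cves KVER: print, one per line, the article's CVE IDs whose floor
# KVER meets (nothing when KVER is below both).
affected_cves() {
    version_ge "$1" 4.8  && printf 'CVE-2020-12351\n'
    version_ge "$1" 4.19 && printf 'CVE-2020-24490\n'
    return 0
}

# bt_active: succeed if the in-kernel Bluetooth stack is loaded or has an hci adapter.
bt_active() {
    grep -q '^bluetooth ' /proc/modules 2>/dev/null ||
        [ -n "$(ls /sys/class/bluetooth 2>/dev/null)" ]
}

# report [KVER]: summarise exposure for KVER (default: the running kernel).
report() {
    kver=${1:-$(uname -r)}
    cves=$(affected_cves "$kver" | tr '\n' ' ')
    printf 'kernel %s\n' "$kver"
    [ -n "$cves" ] && printf 'in range for: %s- confirm the fixes above are applied\n' "$cves"
    [ -z "$cves" ] && printf 'below every version floor the article lists\n'
    if bt_active; then
        printf 'Bluetooth stack active; hosts that do not need it can unload or blacklist the bluetooth/btusb modules until patched\n'
    else
        printf 'Bluetooth stack not active\n'
    fi
}

report "$@"
```

Run it with no argument to inspect the current host, or pass a version string such as `4.19.0-rc1` to evaluate another kernel.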

By FirstHackersNews | October 16th, 2020 | Security Update, Software Issues