Google researchers have warned of a new set of security vulnerabilities in BlueZ, the Linux Bluetooth stack, that may allow escalation of privilege or information disclosure.
According to Google researcher Andy Nguyen, BleedingTooth is a set of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated remote attacker within short range to execute arbitrary code with kernel privileges on vulnerable devices.
Intel, which has significantly invested in the BlueZ project, has also issued an alert characterizing the flaws in its advisory.
- CVEID: CVE-2020-12351 – CVSS score 8.3
Description: Improper input validation in BlueZ may allow an unauthenticated user to potentially enable the escalation of privilege via adjacent access.
It affects Linux kernel 4.8 and higher and lies in the Logical Link Control and Adaptation Protocol (L2CAP) of the Bluetooth standard, which multiplexes data between different higher-layer protocols.
Malicious Bluetooth chips can also trigger the flaw. Google noted in its advisory that “A remote attacker in short distance knowing the victim’s [Bluetooth device] address can send a malicious L2CAP packet and cause a denial of service or possibly arbitrary code execution with kernel privileges.”
- CVEID: CVE-2020-12352 – CVSS score 5.3
Description: Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.
A consequence of a 2012 change made to the core Alternate MAC-PHY Manager Protocol (A2MP) — a high-speed transport link used in Bluetooth HS (High Speed) to enable the transfer of larger amounts of data — the issue permits a remote attacker in short range to retrieve kernel stack information and use it to predict the memory layout and defeat kernel address space layout randomization (KASLR).
- CVEID: CVE-2020-24490 – CVSS score 5.3
Description: Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access.
The third flaw was found in the HCI (Host Controller Interface), a standardized Bluetooth interface for sending commands, receiving events, and sending and receiving data. It is a heap-based buffer overflow affecting Linux kernel 4.19 and higher, allowing a nearby remote attacker to “cause denial of service or possibly arbitrary code execution with kernel privileges on victim machines if they are equipped with Bluetooth 5 chips and are in scanning mode.”
Affected products: all Linux kernel versions that support BlueZ.
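A small exposure-triage helper, added here as an example and not tooling from Google, Intel or the BlueZ project: it maps the kernel version floors quoted above (4.8 for the L2CAP flaw, 4.19 for the HCI flaw, any BlueZ kernel for the A2MP leak) onto a host's `uname -r` string and checks whether the Bluetooth subsystem is loaded at all. The `/proc/modules` sample is constructed, and a version match only marks a candidate, since distro backports fix kernels without changing their version.

```python
"""Exposure triage for the BleedingTooth advisory (added example)."""
import re

# Kernel version floors quoted in the advisory text. CVE-2020-12352 is given
# no floor, so it is treated as applying to any kernel that carries BlueZ.
AFFECTED_FROM = {
    "CVE-2020-12351": (4, 8),   # L2CAP improper input validation
    "CVE-2020-12352": None,     # A2MP kernel stack leak (KASLR bypass)
    "CVE-2020-24490": (4, 19),  # HCI heap-based buffer overflow
}

def parse_kernel_version(uname_r: str) -> tuple:
    """Turn a `uname -r` string such as '5.8.0-45-generic' into (5, 8, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    return tuple(int(g or 0) for g in m.groups())

def applicable_cves(version: tuple) -> list:
    """CVEs whose version floor an unpatched kernel of this version meets."""
    return [cve for cve, floor in AFFECTED_FROM.items()
            if floor is None or version[:2] >= floor]

def bluetooth_loaded(proc_modules: str) -> bool:
    """True if the 'bluetooth' module is listed in /proc/modules text
    ('<name> <size> <refcount> <deps> <state> <addr>' per line).
    A kernel with Bluetooth built in (CONFIG_BT=y) will not show here;
    check for /sys/class/bluetooth on such systems instead."""
    return any(line.split()[0] == "bluetooth"
               for line in proc_modules.splitlines() if line.strip())

def triage(uname_r: str, proc_modules: str) -> dict:
    """The subsystem must be loaded for any flaw to be reachable, and the
    kernel must meet each flaw's version floor. Hits are candidates only:
    confirm against the vendor's list of backported fixes."""
    version = parse_kernel_version(uname_r)
    loaded = bluetooth_loaded(proc_modules)
    cves = applicable_cves(version) if loaded else []
    return {"kernel": version, "bluetooth_loaded": loaded,
            "candidate_cves": cves, "exposed": bool(cves)}

# Constructed sample of /proc/modules content (not captured from a real host).
SAMPLE_MODULES = """\
btusb 57344 0 - Live 0x0000000000000000
bluetooth 663552 5 btusb,bnep,rfcomm, Live 0x0000000000000000
snd 106496 12 snd_seq,snd_timer, Live 0x0000000000000000
"""

if __name__ == "__main__":
    import pathlib, platform
    p = pathlib.Path("/proc/modules")
    print(triage(platform.release(), p.read_text() if p.exists() else SAMPLE_MODULES))
```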
BlueZ is releasing Linux kernel fixes to address these vulnerabilities. Intel also recommends installing the following kernel fixes to address these issues: