Google security researchers are warning of a new set of zero-click vulnerabilities in the Linux Bluetooth software stack that could allow a nearby unauthenticated, remote attacker to execute arbitrary code with kernel privileges on vulnerable devices.
According to security engineer Andy Nguyen, the three flaws, collectively known as BleedingTooth, reside in the open-source BlueZ protocol stack that offers support for many of the core Bluetooth layers and protocols for Linux-based systems such as laptops and IoT devices.
The first and most severe is a heap-based type confusion (CVE-2020-12351, CVSS score 8.3) affecting Linux kernel 4.8 and higher. It is present in the Logical Link Control and Adaptation Protocol (L2CAP) of the Bluetooth standard, which provides multiplexing of data between different higher-layer protocols.
“A remote attacker in short distance knowing the victim’s [Bluetooth device] address can send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges,” Google said in its advisory. “Malicious Bluetooth chips can trigger the vulnerability as well.”
The vulnerability, which is yet to be addressed, appears to have been introduced in a change to the “l2cap_core.c” module made in 2016.
Intel, which has invested significantly in the BlueZ project, has also issued an alert characterizing CVE-2020-12351 as a privilege escalation flaw.
The second unpatched vulnerability (CVE-2020-12352) concerns a stack-based information disclosure flaw affecting Linux kernel 3.6 and higher.
A consequence of a 2012 change made to the core Alternate MAC-PHY Manager Protocol (A2MP), a high-speed transport link used in Bluetooth HS (High Speed) to enable the transfer of larger amounts of data, the issue permits a remote attacker in short distance to retrieve kernel stack information and use it to predict the memory layout and defeat kernel address space layout randomization (KASLR).
Finally, a third flaw (CVE-2020-24490) discovered in HCI (Host Controller Interface), a standardized Bluetooth interface used for sending commands, receiving events, and transmitting data, is a heap-based buffer overflow affecting Linux kernel 4.19 and higher, allowing a nearby remote attacker to “cause denial of service or possibly arbitrary code execution with kernel privileges on victim machines if they are equipped with Bluetooth 5 chips and are in scanning mode.”
The vulnerability, which has been present since 2018, has been patched in versions 4.19.137 and 5.7.13.
For its part, Intel has recommended installing the kernel fixes to mitigate the risk associated with these issues.
“Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure,” Intel said of the flaws. “BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.”
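As an added illustration of the fix-version check Intel's guidance calls for (this is example code written for this article, not code from Google, Intel, or the BlueZ project), the Python below compares a kernel's `uname -r` string against the affected ranges and the two fix versions named above. It assumes only those fix versions (4.19.137 for the 4.19 series, and 5.7.13 or later for everything else); distribution kernels that backport fixes without changing the version string will be reported as vulnerable, so treat the result as a prompt to consult the distribution's advisory rather than a verdict.

```python
import platform
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# First affected kernel version for each CVE, as stated in the article.
AFFECTED_FROM: Dict[str, Version] = {
    "CVE-2020-12351": (4, 8, 0),   # L2CAP heap-based type confusion, 4.8 and higher
    "CVE-2020-12352": (3, 6, 0),   # A2MP stack information disclosure, 3.6 and higher
    "CVE-2020-24490": (4, 19, 0),  # HCI heap-based buffer overflow, 4.19 and higher
}

# Fix versions the article names for CVE-2020-24490. Assumption: any kernel at or
# above 5.7.13 (including later series) carries the fix; 4.19.x is fixed from 4.19.137.
HCI_FIX_4_19: Version = (4, 19, 137)
HCI_FIX_5_7: Version = (5, 7, 13)


def parse_kernel_version(release: str) -> Version:
    """Turn a `uname -r` string such as '5.4.0-48-generic' or '4.19.137' into (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def hci_overflow_status(v: Version) -> str:
    """Status for CVE-2020-24490 based on the two fix versions the article names."""
    if v < AFFECTED_FROM["CVE-2020-24490"]:
        return "not affected"
    if v[:2] == (4, 19):
        return "patched" if v >= HCI_FIX_4_19 else "vulnerable"
    return "patched" if v >= HCI_FIX_5_7 else "vulnerable"


def bleedingtooth_status(release: str) -> Dict[str, str]:
    """Map each BleedingTooth CVE to 'not affected', 'vulnerable', 'patched' or 'unpatched (per advisory)'."""
    v = parse_kernel_version(release)
    status: Dict[str, str] = {}
    for cve, first_affected in AFFECTED_FROM.items():
        if v < first_affected:
            status[cve] = "not affected"
        elif cve == "CVE-2020-24490":
            status[cve] = hci_overflow_status(v)
        else:
            # The article reports no fix version for the L2CAP and A2MP flaws at time of writing.
            status[cve] = "unpatched (per advisory)"
    return status


if __name__ == "__main__":
    # Check the running kernel; sample strings like "5.4.0-48-generic" can be passed instead.
    for cve, state in bleedingtooth_status(platform.release()).items():
        print(f"{cve}: {state}")
```

Because all three flaws need an attacker within Bluetooth range, hosts that do not need Bluetooth can remove the exposure entirely by keeping the adapter disabled (for example with rfkill) until the fixed kernel is installed.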