Google security scientists are warning of a new set of zero-simply click vulnerabilities in the Linux Bluetooth application stack that can make it possible for a close by unauthenticated, remote attacker to execute arbitrary code with kernel privileges on susceptible units.
In accordance to security engineer Andy Nguyen, the three flaws — collectively referred to as BleedingTooth — reside in the open-source BlueZ protocol stack that features assist for several of the main Bluetooth levels and protocols for Linux-primarily based methods this sort of as laptops and IoT units.
The first and the most extreme is a heap-primarily based type confusion (CVE-2020-12351, CVSS rating 8.3) impacting Linux kernel 4.8 and increased and is current in the Sensible Backlink Command and Adaptation Protocol (L2CAP) of the Bluetooth conventional, which delivers multiplexing of facts between distinct better layer protocols.
“A distant attacker in shorter distance realizing the victim’s [Bluetooth device] handle can send a malicious l2cap packet and induce denial of service or maybe arbitrary code execution with kernel privileges,” Google observed in its advisory. “Malicious Bluetooth chips can result in the vulnerability as nicely.”
The vulnerability, which is yet to be dealt with, seems to have been released in a improve to the “l2cap_main.c” module made in 2016.
Intel, which has substantially invested in the BlueZ challenge, has also issued an notify characterizing CVE-2020-12351 as a privilege escalation flaw.
The next unpatched vulnerability (CVE-2020-12352) concerns a stack-primarily based details disclosure flaw affecting Linux kernel 3.6 and bigger.
A consequence of a 2012 change made to the main Alternate MAC-PHY Manager Protocol (A2MP) — a high-pace transport url made use of in Bluetooth HS (Higher Speed) to enable the transfer of larger sized amounts of data — the issue permits a remote attacker in small length to retrieve kernel stack information and facts, employing it to forecast the memory layout and defeat address house structure randomization (KASLR)
Lastly, a 3rd flaw (CVE-2020-24490) learned in HCI (Host Controller Interface), a standardized Bluetooth interface employed for sending commands, receiving gatherings, and for transmitting details, is a heap-dependent buffer overflow impacting Linux kernel 4.19 and larger, resulting in a nearby remote attacker to “result in denial of service or potentially arbitrary code execution with kernel privileges on sufferer equipment if they are geared up with Bluetooth 5 chips and are in scanning manner.”
The vulnerability, which has been accessible since 2018, has been patched in variations 4.19.137 and 5.7.13.
For its element, Intel has advised installing the kernel fixes to mitigate the risk involved with these issues.
“Possible security vulnerabilities in BlueZ may permit escalation of privilege or details disclosure,” Intel explained of the flaws. “BlueZ is releasing Linux kernel fixes to deal with these likely vulnerabilities.”
Located this report appealing? Stick to THN on Facebook, Twitter and LinkedIn to browse more special articles we submit.