Google and Intel are warning of a high-severity flaw in BlueZ, the Linux Bluetooth protocol stack that provides support for core Bluetooth layers and protocols to Linux-based internet of things (IoT) devices.
According to Google, the vulnerability affects users of Linux kernel versions before 5.9 that support BlueZ. BlueZ, an open-source project distributed under the GNU General Public License (GPL), includes kernel-side components that have been part of the official Linux kernel since version 2.4.6.
The flaw, which Google calls “BleedingTooth,” can be exploited in a “zero-click” attack: a local, unauthenticated attacker supplies specially crafted input, which could allow escalated privileges on affected devices.
“A remote attacker in short distance knowing the victim’s bd [Bluetooth] address can send a malicious l2cap [Logical Link Control and Adaptation Layer Protocol] packet and cause denial of service or possibly arbitrary code execution with kernel privileges,” according to a Google post on Github. “Malicious Bluetooth chips can trigger the vulnerability as well.”
The flaw (CVE-2020-12351) ranks 8.3 out of 10 on the CVSS scale, making it high-severity. It stems from a heap-based type confusion in net/bluetooth/l2cap_core.c. A type-confusion bug arises when code accesses an object as one type when the memory actually holds another; the mismatch in layout leads to out-of-bounds memory access, which an attacker can turn into component crashes or code execution. In this case, the root cause is insufficient validation of user-supplied input in the Linux kernel's BlueZ implementation.
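To make the type-confusion pattern concrete, here is an added example written for this article; it is not code from the kernel, from l2cap_core.c or from Google's proof of concept. The object names, layouts and the 64-byte arena are constructed for illustration. The vulnerable handler believes a caller-supplied type claim and copies the larger layout out of a slot that really holds the smaller object, so the "extra" field it returns is whatever neighbouring memory held; the hardened handler treats the tag stored in the object itself as authoritative and rejects a mismatch before touching any field.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of a heap type-confusion bug: two object layouts
 * share one slot, and a handler that trusts the caller's claimed type copies
 * the larger layout out of a slot that really holds the smaller one. Names,
 * layouts and sizes are invented for this example; they are not the
 * l2cap_core.c structures. */

#define KIND_SMALL 1u
#define KIND_LARGE 2u
#define ARENA_SIZE 64

struct obj_small { uint32_t kind; uint8_t payload[8]; };                    /* 12 bytes */
struct obj_large { uint32_t kind; uint8_t payload[8]; uint32_t extra[4]; }; /* 28 bytes */

_Static_assert(sizeof(struct obj_small) == 12, "example assumes a 12-byte small object");
_Static_assert(sizeof(struct obj_large) == 28, "example assumes a 28-byte large object");

/* Lay out a small object at offset 0 and fill the rest of the arena with
 * 0x41 to stand in for whatever neighbouring heap data happens to follow it. */
static void build_arena(uint8_t *arena)
{
    struct obj_small s = { KIND_SMALL, { 1, 2, 3, 4, 5, 6, 7, 8 } };
    memset(arena, 0x41, ARENA_SIZE);
    memcpy(arena, &s, sizeof s);
}

/* Vulnerable pattern: the caller's claimed kind is believed without checking
 * the tag stored in the object itself. For a KIND_LARGE claim it copies 28
 * bytes out of a 12-byte object, so extra[0] is really neighbouring memory. */
static uint32_t read_extra_untrusted(const uint8_t *slot, uint32_t claimed_kind)
{
    struct obj_large l;
    if (claimed_kind != KIND_LARGE)
        return 0;
    memcpy(&l, slot, sizeof l);   /* out-of-object read: 16 bytes past the small object */
    return l.extra[0];
}

/* Hardened pattern: the tag stored in the object is authoritative. A mismatch
 * is rejected, and only the layout matching that tag is ever read. */
static int read_extra_checked(const uint8_t *slot, uint32_t claimed_kind, uint32_t *out)
{
    uint32_t stored_kind;
    memcpy(&stored_kind, slot, sizeof stored_kind);
    if (stored_kind != claimed_kind)
        return -1;                /* refuse to reinterpret the object */
    if (stored_kind == KIND_LARGE) {
        struct obj_large l;
        memcpy(&l, slot, sizeof l);
        *out = l.extra[0];
        return 0;
    }
    if (stored_kind == KIND_SMALL) {
        struct obj_small s;
        memcpy(&s, slot, sizeof s);
        *out = s.payload[0];      /* the only data a small object actually has */
        return 0;
    }
    return -1;
}

/* The confused read returns neighbour bytes (0x41414141), not object data. */
uint32_t demo_confused_read(void)
{
    uint8_t arena[ARENA_SIZE];
    build_arena(arena);
    return read_extra_untrusted(arena, KIND_LARGE);
}

/* The checked handler refuses the mismatched claim and returns -1. */
int demo_checked_rejects(void)
{
    uint8_t arena[ARENA_SIZE];
    uint32_t v = 0;
    build_arena(arena);
    return read_extra_checked(arena, KIND_LARGE, &v);
}

/* With a claim that matches the stored tag, only the small layout is read. */
uint32_t demo_checked_small(void)
{
    uint8_t arena[ARENA_SIZE];
    uint32_t v = 0;
    build_arena(arena);
    if (read_extra_checked(arena, KIND_SMALL, &v) != 0)
        return 0xFFFFFFFFu;
    return v;
}

int main(void)
{
    printf("confused read : 0x%08x (neighbour bytes, not object data)\n",
           (unsigned)demo_confused_read());
    printf("checked, wrong: %d (rejected)\n", demo_checked_rejects());
    printf("checked, right: %u\n", (unsigned)demo_checked_small());
    return 0;
}
```

The memcpy-based field access keeps every read inside the arena, so the program itself is well-defined; in a real allocator the 16 bytes past the small object belong to another allocation or to freed memory, which is why the same pattern in a kernel yields information leaks, crashes or worse. The fix is the same in either setting: validate the tag the object carries before choosing a layout, never the type the input claims.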
Intel, meanwhile, which has placed “significant investment” in BlueZ, addressed the security issue in a Tuesday advisory, recommending that users update the Linux kernel to version 5.9 or later.
“Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure,” according to the security advisory. “BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.”
Google has also published proof-of-concept exploit code for the flaw on GitHub.
Intel also issued a fix for two medium-severity flaws that affect BlueZ, both of which stem from improper access control. That includes CVE-2020-12352, which could allow an unauthenticated user with adjacent access to obtain information disclosure.
“A remote attacker in short distance knowing the victim’s bd address can retrieve kernel-stack information containing various pointers that can be used to predict the memory layout and to defeat KASLR,” according to a description on GitHub. “The leak may contain other valuable information such as the encryption keys.”
Another flaw (CVE-2020-24490) could allow an unauthenticated user with adjacent access to cause a denial of service. According to Google, a remote attacker in short distance can broadcast extended advertising data and cause a denial-of-service state, or possibly arbitrary code execution with kernel privileges, on victim machines that are equipped with Bluetooth 5 chips and are in scanning mode.
Andy Nguyen, security engineer with Google, was credited with discovering the flaw. Further details will soon be available on Google’s security blog.