Engineers at Google and Intel are warning of serious Bluetooth vulnerabilities that affect every Linux kernel except the most recent release. The bugs are collectively known as BleedingTooth and are associated with the BlueZ stack, which is widely used in Linux distributions as well as in consumer and industrial IoT devices (Linux 2.4.6 and higher).
Google's researchers say the problem allows an attacker within Bluetooth range to execute arbitrary code, while Intel describes the flaws as enabling privilege escalation and information disclosure.
The BleedingTooth vulnerabilities were discovered by Google engineer Andy Nguyen. They are tracked as CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490, and were introduced into the code in 2012, 2016 and 2018.
The most serious bug of the set is CVE-2020-12351, a type confusion vulnerability that affects Linux kernels 4.8 and later.
The bug has a high severity rating (8.3 on the CVSS scale) and can be exploited by an attacker who is within Bluetooth range and knows the bd address (Bluetooth device address) of the target device. To exploit the bug, the attacker sends a malicious L2CAP packet to the victim, which can lead to denial of service (DoS) or arbitrary code execution with kernel privileges. Nguyen stresses that exploiting the problem requires no user interaction.
A proof-of-concept exploit for CVE-2020-12351 has already been published on GitHub, and a demonstration of the attack in action can be seen in the video below.
The second issue, CVE-2020-12352, is an information leak that affects Linux kernels 3.6 and later. It was assigned medium severity (5.3 on the CVSS scale).
“Knowing the bd address of the victim, a remote attacker at a short distance can obtain information about the kernel stack containing various pointers that can be used to predict the memory structure and bypass KASLR. The leak may contain other valuable data, including encryption keys,” explain Google's researchers.
The third vulnerability, CVE-2020-24490 (CVSS score 5.3), is a heap buffer overflow that affects Linux kernel versions 4.19 and later. Here too, a remote attacker within a short distance of the vulnerable device can cause a denial of service or even execute arbitrary code with kernel privileges.
Google's researchers note that only devices equipped with Bluetooth 5 chips and operating in scanning mode are susceptible to this problem, but attackers can use malicious chips to carry out attacks.
In turn, specialists at Intel, one of the main participants in the BlueZ project, write that the BlueZ developers have already announced patches for all three issues. Experts now recommend upgrading the Linux kernel to version 5.9, which was released last weekend, as soon as possible.
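The practical question for an administrator is whether a given host is still exposed. The script below is an added example, not code from the article or from the BlueZ project: it compares the running kernel version against the 5.9 release the article recommends and checks whether the Bluetooth subsystem is loaded at all (if it is not, the BlueZ attack surface is absent on that host). The function and variable names are the example's own, and the version comparison handles the distribution suffixes found in `uname -r` output (for example `5.4.0-48-generic`).

```bash
#!/bin/sh
# Added example (not from the article or BlueZ): exposure check for the
# BleedingTooth kernel fixes. Assumptions: a POSIX shell with sed and cut,
# and that the upstream fix is present in kernel 5.9 and later, as the
# article states. Distributions may backport the fix to older kernels, so
# a "below 5.9" result means "verify", not "confirmed vulnerable".

# version_ge A B: return 0 when dotted version A is >= dotted version B.
# Non-numeric suffixes (e.g. "-48-generic") are stripped before comparing.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        # Both versions exhausted with no difference found: they are equal.
        [ -z "$x" ] && [ -z "$y" ] && return 0
        # A missing component counts as zero (5.9 == 5.9.0).
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# bleedingtooth_kernel_check [KERNEL_VERSION]: report whether the kernel
# (default: the running one from uname -r) is at or above 5.9.
# Returns 0 when at/above 5.9, 1 when below.
bleedingtooth_kernel_check() {
    kver=${1:-$(uname -r)}
    if version_ge "$kver" 5.9; then
        echo "kernel $kver: at or above 5.9 (upstream BleedingTooth fixes included)"
        return 0
    fi
    echo "kernel $kver: below 5.9 - upgrade, or confirm a distribution backport of the fixes"
    return 1
}

# bluetooth_loaded: return 0 when the bluetooth kernel module is loaded or
# built in (sysfs exposes it under /sys/module), i.e. BlueZ is reachable.
bluetooth_loaded() {
    [ -d /sys/module/bluetooth ]
}

# Stand-alone usage: summarise this host's exposure.
if [ "${0##*/}" = "bleedingtooth_check.sh" ]; then
    bleedingtooth_kernel_check
    if bluetooth_loaded; then
        echo "bluetooth subsystem: loaded (BlueZ attack surface present)"
    else
        echo "bluetooth subsystem: not loaded (no BlueZ attack surface on this host)"
    fi
fi
```

Save it as `bleedingtooth_check.sh` to get the summary on the current host, or source it and call `bleedingtooth_kernel_check 5.4.0-48-generic` to evaluate a version string collected from another machine. Because distributions backport security fixes without bumping the upstream version, treat a "below 5.9" result as a prompt to check the distribution's advisory for CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 rather than as proof of exposure.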