Google Warns of Zero-Click Bluetooth Flaws in Linux-based Devices

Google security researchers are warning of a new set of zero-click vulnerabilities in the Linux Bluetooth software stack that can allow a nearby unauthenticated, remote attacker to execute arbitrary code with kernel privileges on vulnerable devices.

According to security engineer Andy Nguyen, the three flaws, collectively named BleedingTooth, reside in the open-source BlueZ protocol stack that provides support for many of the core Bluetooth layers and protocols on Linux-based systems such as laptops and IoT devices.

The first and most severe is a heap-based type confusion (CVE-2020-12351, CVSS score 8.3) affecting Linux kernel 4.8 and higher. It is present in the Logical Link Control and Adaptation Protocol (L2CAP) of the Bluetooth standard, which provides multiplexing of data between different higher-layer protocols.

“A remote attacker in short distance knowing the victim’s [Bluetooth device] address can send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges,” Google noted in its advisory. “Malicious Bluetooth chips can trigger the vulnerability as well.”

The vulnerability, which is yet to be addressed, appears to have been introduced in a change to the “l2cap_core.c” module made in 2016.

Intel, which has invested significantly in the BlueZ project, has also issued an alert characterizing CVE-2020-12351 as a privilege escalation flaw.

The second unpatched vulnerability (CVE-2020-12352) concerns a stack-based information disclosure flaw affecting Linux kernel 3.6 and higher.

A consequence of a 2012 change made to the core Alternate MAC-PHY Manager Protocol (A2MP), a high-speed transport link used in Bluetooth HS (High Speed) to enable the transfer of larger amounts of data, the issue permits a remote attacker in short distance to retrieve kernel stack information and use it to predict the memory layout and defeat kernel address space layout randomization (KASLR).

Finally, a third flaw (CVE-2020-24490) found in HCI (Host Controller Interface), a standardized Bluetooth interface used for sending commands, receiving events, and transmitting data, is a heap-based buffer overflow affecting Linux kernel 4.19 and higher. It allows a nearby remote attacker to “cause denial of service or possibly arbitrary code execution with kernel privileges on victim machines if they are equipped with Bluetooth 5 chips and are in scanning mode.”

The vulnerability, which has been present since 2018, has been patched in versions 4.19.137 and 5.7.13.

For its part, Intel has recommended installing the kernel fixes to mitigate the risk associated with these issues.

“Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure,” Intel said of the flaws. “BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.”
