Security researchers at Google are warning of a set of zero-click vulnerabilities in the Linux Bluetooth software stack that would allow a nearby, unauthenticated attacker to execute arbitrary code with kernel privileges.
In practice, an attacker within Bluetooth range would gain full control of the machine, with no interaction from the victim.
Google security engineer Andy Nguyen, who found the flaws, calls the set of three BleedingTooth; the bugs can be chained together. The vulnerabilities reside in BlueZ, the open-source Bluetooth stack that implements many of the core Bluetooth layers used in Linux-based devices such as IoT devices, mobile devices and laptops.
“A remote attacker in short distance knowing the victim’s [Bluetooth device] address can send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges… Malicious Bluetooth chips can trigger the vulnerability as well.” (Google Security, https://security.googleblog.com/)
The most severe CVE (CVE-2020-12351, CVSS score 8.3) is a heap-based type confusion affecting Linux kernel 4.8 and higher. It lies in the Logical Link Control and Adaptation Protocol (L2CAP) layer of the Bluetooth stack, which multiplexes data between the higher-layer protocols.
The second vulnerability (CVE-2020-12352) is a stack-based information disclosure affecting Linux kernel 3.6 and higher.
It stems from a 2012 change to the Alternate MAC/PHY Manager Protocol (A2MP) code, the protocol Bluetooth High Speed (HS) uses to set up its high-speed alternate transport for moving larger amounts of data. The flaw lets an attacker within close proximity of the device retrieve kernel stack contents and use them to infer the kernel's memory layout, defeating kernel address space layout randomization (KASLR).
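To make that information-disclosure class concrete, here is an added illustrative example; it is not BlueZ or kernel code and not the actual A2MP bug. A hypothetical reply struct is built on a stack slot that an earlier call left full of kernel pointers, the handler fills only the named fields, and the untouched padding bytes are copied out to the peer. A fixed version clears the object first, and a small helper shows what the leaked pointer is worth to an attacker: the KASLR slide. The struct layout, the stale pointer value and the unrandomized address are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire reply (constructed for this example): a 1-byte status
 * followed by a 64-bit field. On mainstream ABIs the compiler inserts 7 bytes
 * of padding after `status` that no field write ever touches. */
struct reply {
    uint8_t  status;
    uint64_t value;
};
_Static_assert(sizeof(struct reply) == 16, "example expects 7 padding bytes after status");

#define STACK_WORDS 8                       /* size of the simulated stack slot */
#define STALE_KPTR  0xffffffffa1234560ULL   /* constructed, kernel-text-shaped pointer */

/* Stands in for an earlier call: leaves kernel pointers all over the slot. */
static void dirty_stack(uint64_t *stack) {
    for (size_t i = 0; i < STACK_WORDS; i++)
        stack[i] = STALE_KPTR;
}

/* Vulnerable handler: writes only the named fields, then ships the whole
 * object. Bytes 1..7 (the padding) still hold whatever was on the stack. */
static void build_reply_vulnerable(uint64_t *stack, uint8_t *out) {
    struct reply *r = (struct reply *)stack;     /* the handler's "local" reply */
    r->status = 0;
    r->value  = 0x1122334455667788ULL;
    memcpy(out, r, sizeof *r);
}

/* Fixed handler: clear the whole object before use. `struct reply r = {0};`
 * zeroes the named members but the C standard leaves padding unspecified,
 * so memset (or a padding-free, explicitly packed wire struct) is the
 * reliable fix. */
static void build_reply_fixed(uint64_t *stack, uint8_t *out) {
    struct reply *r = (struct reply *)stack;
    memset(r, 0, sizeof *r);
    r->status = 0;
    r->value  = 0x1122334455667788ULL;
    memcpy(out, r, sizeof *r);
}

/* Runs a handler on a dirtied slot and counts how many of the 7 padding bytes
 * in the reply match the corresponding bytes of the stale pointer. */
static int leaked_pointer_bytes(void (*handler)(uint64_t *, uint8_t *)) {
    uint64_t stack[STACK_WORDS];
    uint8_t out[sizeof(struct reply)];
    uint8_t ptr_bytes[sizeof(uint64_t)];
    uint64_t p = STALE_KPTR;

    memcpy(ptr_bytes, &p, sizeof p);
    dirty_stack(stack);
    handler(stack, out);

    int leaked = 0;
    for (size_t i = 1; i < sizeof(uint64_t); i++)
        if (out[i] == ptr_bytes[i])
            leaked++;
    return leaked;
}

/* What a leaked kernel text pointer buys the attacker: subtracting the same
 * symbol's address in the unrandomised image gives the KASLR slide, which
 * rebases every other kernel address. On x86-64 the slide is a multiple of
 * 2 MiB (CONFIG_PHYSICAL_ALIGN), a cheap sanity check on the leak. */
static uint64_t kaslr_slide(uint64_t leaked, uint64_t unslid) {
    return leaked - unslid;
}

static int slide_plausible(uint64_t slide) {
    return (slide & 0x1fffffULL) == 0;
}

int main(void) {
    printf("vulnerable handler: %d/7 padding bytes carry the stale pointer\n",
           leaked_pointer_bytes(build_reply_vulnerable));
    printf("fixed handler:      %d/7 padding bytes carry the stale pointer\n",
           leaked_pointer_bytes(build_reply_fixed));

    /* Constructed addresses; in practice they come from the leak and from
     * System.map / vmlinux of the same kernel build. */
    uint64_t slide = kaslr_slide(0xffffffffa1234560ULL, 0xffffffff81234560ULL);
    printf("KASLR slide 0x%llx (%s)\n", (unsigned long long)slide,
           slide_plausible(slide) ? "2 MiB aligned" : "not 2 MiB aligned, suspect leak");
    return 0;
}
```

Only bytes 1..7 of the pointer reach the peer in this layout, but because the slide is 2 MiB aligned the low 21 bits of any kernel text address are the same as in the unrandomised image, so the missing low byte is recoverable from the symbol's unslid address. That is why even a partial pointer leak is enough to defeat KASLR, and why kernel code that builds replies on the stack must clear the whole object, padding included, before copying it out.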
The third and last flaw (CVE-2020-24490) lies in the Host Controller Interface (HCI), the standardized Bluetooth interface used for sending commands, receiving events and transmitting data. It is a heap-based buffer overflow affecting Linux kernel 4.19 and higher that lets a nearby remote attacker “cause denial of service or possibly arbitrary code execution with kernel privileges on victim machines if they are equipped with Bluetooth 5 chips and are in scanning mode.”
“Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure… BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.” (Intel)