Bluetooth vulnerabilities that a Google security researcher has identified in the Linux kernel could be exploited to run arbitrary code or access sensitive information.

Dubbed BleedingTooth, the issues were identified by Andy Nguyen, a security engineer at Google, and are tracked as CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490. They were introduced in 2016, 2012, and 2018, respectively.

The most severe of these flaws is CVE-2020-12351, a heap-based type confusion that affects Linux kernel 4.8 and later. The issue carries a high severity rating (CVSS score of 8.3).

The bug can be exploited by a remote attacker who is within Bluetooth range of the victim and knows the bd address of the target device. To trigger the flaw, the attacker needs to send a malicious L2CAP packet, which could lead to denial of service or even execution of arbitrary code with kernel privileges.

An attacker looking to trigger the vulnerability could also use a malicious Bluetooth chip to do so. Proof-of-concept exploit code has been published on GitHub.

The bug, Nguyen explains, does not require user interaction to be exploited (it is a zero-click vulnerability). A video demonstrating the issue was published alongside the disclosure.

The second issue, CVE-2020-12352, is a stack-based information leak that affects Linux kernel 3.6 and later. The bug is considered medium severity (CVSS score of 5.3).

“A remote attacker in short distance knowing the victim’s bd address can retrieve kernel stack information containing various pointers that can be used to predict the memory layout and to defeat KASLR. The leak may contain other valuable information such as the encryption keys,” Google’s researchers explain.

Tracked as CVE-2020-24490 and considered medium risk (CVSS score of 5.3), the third vulnerability is a heap-based buffer overflow that affects Linux kernel 4.19 and later.

A remote attacker within short range of a vulnerable device can trigger the flaw by broadcasting extended advertising data. This could lead to denial of service or even arbitrary code execution with kernel privileges.

Only devices that feature Bluetooth 5 chips and that are in scanning mode are vulnerable to this flaw, but an attacker could also use malicious chips to trigger the vulnerability, Google’s researchers note.

PoC code for both medium-severity flaws has been published on GitHub.

BlueZ, the official Linux Bluetooth protocol stack, has announced Linux kernel fixes that patch all three of these security issues, Intel reveals. The company notes that the vulnerabilities affect “all Linux kernel versions before 5.9 that support BlueZ.”

The tech giant recommends updating the Linux kernel to version 5.9 or later. If an update is not possible, several kernel patches are available to address the issues.
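The affected ranges above (3.6 and later, 4.8 and later, 4.19 and later, all fixed in 5.9) can be turned into a quick triage check. The script below is an added example written for this page, not code from the article, Google, Intel or BlueZ: it maps a kernel version string to the CVEs an unpatched upstream kernel of that version falls in range for, and reports whether the bluetooth module is loaded on the running system. The one assumption it makes explicit is the usual caveat that distributions backport fixes, so a version number below 5.9 is a prompt to check the vendor advisory, not proof of exposure.

```shell
#!/bin/sh
# Added example (not code from the article, Google, Intel or BlueZ): given a
# kernel version string such as "5.4.0-42-generic", report which BleedingTooth
# CVEs an *unpatched upstream* kernel of that version would be in range for,
# using the affected ranges and the 5.9 fix version the article cites.
# Assumption/caveat: distributions backport fixes, so a version below 5.9 does
# not prove exposure; confirm with your vendor advisory or kernel changelog.

# Reduce "major.minor[.patch][-suffix]" to one comparable integer: 5.4.0 -> 5004
vernum() {
    v=${1%%-*}                                 # drop "-42-generic" style suffixes
    case $v in *.*) ;; *) v="$v.0" ;; esac     # tolerate a bare major version
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    echo $((major * 1000 + minor))
}

# ver_ge A B: succeed when version A is greater than or equal to version B
ver_ge() {
    [ "$(vernum "$1")" -ge "$(vernum "$2")" ]
}

# Print the CVEs an unpatched kernel of the given version falls in range for,
# in the order the article lists them; empty output means none of the three.
bleedingtooth_cves() {
    ver=$1
    if ver_ge "$ver" 5.9; then
        echo "none (fixed in 5.9 and later)"
        return 0
    fi
    out=""
    ver_ge "$ver" 4.8  && out="$out CVE-2020-12351"   # heap type confusion via L2CAP
    ver_ge "$ver" 3.6  && out="$out CVE-2020-12352"   # stack information leak
    ver_ge "$ver" 4.19 && out="$out CVE-2020-24490"   # heap overflow via extended advertising
    echo "${out# }"
}

# Report on the running kernel and whether the bluetooth module is even loaded:
# an unloaded stack is not reachable over the air regardless of version.
running=$(uname -r)
echo "kernel $running: $(bleedingtooth_cves "$running")"
if [ -d /sys/module/bluetooth ]; then
    echo "bluetooth kernel module: loaded"
else
    echo "bluetooth kernel module: not loaded"
fi
```

Run it as `sh bleedingtooth-check.sh`; a result of "none" for a 5.9 or newer kernel, or an empty CVE list for a kernel older than 3.6, means the upstream ranges do not apply, while anything else is a cue to verify that the distribution kernel carries the backported patches.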

Related: BLURtooth Vulnerability Can Allow Bluetooth MITM Attacks

Related: Critical Bluetooth Vulnerability Exposes Android Devices to Attacks

Related: Bluetooth Vulnerability Allows Attackers to Impersonate Previously Paired Devices

BleedingTooth: Vulnerabilities in Linux Bluetooth Allow Zero-Click Attacks

Ionut Arghire is a global correspondent for SecurityWeek.
