Google and Intel engineers warn of dangerous Bluetooth bugs that threaten all but the latest Linux kernel versions.
The bugs are collectively known as BleedingTooth and affect the BlueZ Bluetooth stack, which has been part of the Linux kernel since version 2.4.6 and is widely used in Linux distributions as well as in consumer and industrial IoT devices.
“This issue allows attackers to freely execute arbitrary code within Bluetooth range, while Intel attributed this flaw to privilege escalation and information disclosure,” say Google's experts.
The BleedingTooth vulnerabilities were discovered by Google engineer Andy Nguyen. They are tracked as CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490, and the flawed code has been present in the kernel since 2012, 2016 and 2018, depending on the bug.
The most serious of the three is CVE-2020-12351, a type confusion bug in the kernel's L2CAP implementation that affects Linux 4.8 and later.
It is rated high severity (CVSS 8.3) and can be exploited by an attacker who is within Bluetooth range and knows the target's Bluetooth device address (BD_ADDR).
The attacker sends a malicious L2CAP packet to the victim, which can cause a denial of service (DoS) or arbitrary code execution with kernel privileges. Nguyen stresses that no user interaction is required.
The proof-of-concept exploit for CVE-2020-12351 has already been published on GitHub, and a demonstration of the attack in action can be seen in the video below.
The second issue, CVE-2020-12352, is a kernel stack information leak affecting Linux 3.6 and later; it is rated medium severity (CVSS 5.3).
“Knowing the victim's BD_ADDR, a remote attacker at a short distance can obtain information about the kernel stack containing various pointers that can be used to predict the memory layout and bypass KASLR. The leak may contain other valuable data, including encryption keys,” explain the researchers at Google.
The third vulnerability, CVE-2020-24490 (CVSS 5.3), is a heap buffer overflow affecting Linux 4.19 and later. Here too, a remote attacker within Bluetooth range can cause a denial of service or execute arbitrary code with kernel privileges.
Google's researchers note that only devices with Bluetooth 5 chips that are in scanning mode are exposed to this third bug, but an attacker can use a malicious (attacker-controlled) chip to trigger it.
Intel, one of the main contributors to the BlueZ project, says that fixes for all three issues have been released and recommends upgrading to Linux kernel 5.9, which was released over the weekend, as soon as possible. Users running distribution kernels should check their vendor's advisories, since security fixes are usually backported to older kernel branches without a version bump.
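As an added example (not from the article or from the BlueZ project), the following POSIX shell script maps a `uname -r` style version string onto the affected ranges reported above: 3.6+ for CVE-2020-12352, 4.8+ for CVE-2020-12351, 4.19+ for CVE-2020-24490, with all three fixed upstream in 5.9. The function names and the sample version strings are my own assumptions. Because distributions backport fixes without changing the version number, a hit is a prompt to check your vendor's advisory, not proof of exposure; and a 4.19+ kernel is only exposed to CVE-2020-24490 when the adapter is a Bluetooth 5 chip in scanning mode, which this check does not examine.

```sh
#!/bin/sh
# Added example: triage a kernel version string against the BleedingTooth
# affected ranges reported in the article. Not code from the BlueZ project;
# function names and sample inputs are the editor's own assumptions.

# kver_parts "5.4.0-48-generic" -> "5 4"  (major and minor only; "0 0" if unparsable)
kver_parts() {
    set -- $(printf '%s\n' "$1" | sed -nE 's/^([0-9]+)\.([0-9]+).*/\1 \2/p')
    printf '%s %s\n' "${1:-0}" "${2:-0}"
}

# kver_ge VERSION MAJOR MINOR -> exit 0 (true) if VERSION >= MAJOR.MINOR
kver_ge() {
    set -- $(kver_parts "$1") "$2" "$3"
    [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# bleedingtooth_affected VERSION -> space-separated CVE list, empty if none apply
bleedingtooth_affected() {
    # Upstream 5.9 and later carry the fixes for all three bugs
    if kver_ge "$1" 5 9; then
        echo ""
        return 0
    fi
    _hits=""
    kver_ge "$1" 3 6  && _hits="$_hits CVE-2020-12352"   # kernel stack info leak
    kver_ge "$1" 4 8  && _hits="$_hits CVE-2020-12351"   # L2CAP type confusion
    kver_ge "$1" 4 19 && _hits="$_hits CVE-2020-24490"   # heap overflow (BT5 chip, scanning)
    echo "${_hits# }"
}

# Report for the running kernel
hits=$(bleedingtooth_affected "$(uname -r)")
if [ -n "$hits" ]; then
    echo "$(uname -r): in the reported BleedingTooth range for: $hits (check vendor backports)"
else
    echo "$(uname -r): outside the reported affected range"
fi
```

Only the major and minor numbers are compared, which is all the article's ranges need; the ordering of the CVE list in the output follows the order in which the vulnerable code entered the kernel.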
Let me remind you that recently I talked about the IPStorm botnet, which, among other things, actively attacks Linux devices.