Google and Intel warn of high-severity Bluetooth security bug in Linux

Karlston

Yes, it's serious, but high severity doesn't necessarily mean high risk.


Google and Intel are warning of a high-severity Bluetooth flaw in all but the most recent version of the Linux kernel. While a Google researcher said the bug allows seamless code execution by attackers within Bluetooth range, Intel is characterizing the flaw as providing an escalation of privileges or the disclosure of information.

 

The flaw resides in BlueZ, the software stack that by default implements all Bluetooth core protocols and layers for Linux. Besides Linux laptops, it's used in many consumer or industrial Internet-of-things devices. It works with Linux versions 2.4.6 and later.

In search of details

So far, little is known about BleedingTooth, the name given by Google engineer Andy Nguyen, who said that a blog post will be published “soon.” A Twitter thread and a YouTube video provide the most detail and give the impression that the bug provides a reliable way for nearby attackers to execute malicious code of their choice on vulnerable Linux devices that use BlueZ for Bluetooth.

 

“BleedingTooth is a set of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated remote attacker in short distance to execute arbitrary code with kernel privileges on vulnerable devices,” the researcher wrote. He said his discovery was inspired by research that led to BlueBorne, another proof-of-concept exploit that allowed attackers to send commands of their choice without requiring device users click any links, connect to a rogue Bluetooth device, or take any other action short of having Bluetooth turned on.

 

Below is the YouTube video demonstrating how the exploit works.

BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution
 

Intel, meanwhile, has issued a bare-bones advisory that categorizes the flaw as a privilege-escalation or information-disclosure vulnerability. The advisory assigned a severity score of 8.3 out of a possible 10 to CVE-2020-12351, one of three distinct bugs that comprise BleedingTooth.

 

“Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure,” the advisory states. “BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.”

 

Intel, which is a primary contributor to the BlueZ open source project, said that the most effective way to patch the vulnerabilities is to update to Linux kernel version 5.9, which was published on Sunday. Those who can’t upgrade to version 5.9 can install a series of kernel patches the advisory links to. Maintainers of BlueZ didn’t immediately respond to emails asking for additional details about this vulnerability.

No reason to (kernel) panic

The lack of details aside, there’s not much reason for people to worry about a vulnerability like this one. Like almost all Bluetooth security flaws, BleedingTooth requires proximity to a vulnerable device. It also requires highly specialized knowledge and works on only a tiny fraction of the world’s Bluetooth devices. Those limitations greatly reduce the number of people—if any—who are in a position to successfully carry out an attack.

 

In the small number of cases where financially motivated attackers do target wireless devices within range—for instance, when credit card fraudsters used telescopic antennas outside a Marshalls store to hack retailer TJX more than a decade ago—they don’t use experimental, state-of-the-art exploits that work on a narrow range of devices. They use tried-and-true hacks that work universally.

 

“I don’t really worry about bugs like these,” Dan Guido, mobile security specialist and the CEO of security firm Trail of Bits, told me. “I’m glad someone is finding them and getting them fixed, but it’s not a big concern for me.”

 

The lack of real-world risk is a good thing. Many IoT devices receive few if any security updates, making it likely that many devices used in both homes and businesses will remain vulnerable to BleedingTooth for the rest of the time they’re used. Many of these devices were likely already vulnerable to BlueBorne and several other security bugs that have bitten Bluetooth in the past. So far, there are no reports of any of them being actively exploited.

 

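The article's remediation advice (update to kernel 5.9, or apply the linked patches) and the thread's "off switch" remark both lend themselves to a quick host check. The POSIX shell script below is an added example, not code from the article, from Intel's advisory or from the BlueZ project; it assumes a Linux host with sysfs (/sys/module and /sys/class/rfkill) and uses only shell builtins plus uname. The 5.9 threshold is the one the advisory names; the status labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or BlueZ): BleedingTooth triage for one host.
# Answers three questions:
#   1. Is the running kernel below 5.9, the release the advisory names as fixed?
#   2. Is the Bluetooth subsystem (bluetooth.ko) present at all?
#   3. Is the radio soft-blocked via rfkill, i.e. is the "off switch" in use?
# Assumption: distro kernels backport fixes under old version numbers, so a
# version below 5.9 means "check your distro's CVE tracker", not "vulnerable".

# kernel_at_least VERSION MAJOR MINOR -> exit 0 if VERSION >= MAJOR.MINOR
kernel_at_least() {
    ver=$1; want_major=$2; want_minor=$3
    base=${ver%%-*}          # "5.8.0-63-generic" -> "5.8.0"
    major=${base%%.*}        # "5"
    rest=${base#*.}          # "8.0"
    minor=${rest%%.*}        # "8"
    case "$major$minor" in *[!0-9]*|"") return 2 ;; esac   # non-numeric input
    [ "$major" -gt "$want_major" ] && return 0
    [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ] && return 0
    return 1
}

# bluetooth.ko exposes /sys/module/bluetooth whether loaded or built in
bluetooth_loaded() {
    [ -d /sys/module/bluetooth ]
}

# exit 0 only if at least one Bluetooth rfkill switch exists and all are soft-blocked
bluetooth_soft_blocked() {
    found=0
    for d in /sys/class/rfkill/rfkill*; do
        [ -r "$d/type" ] || continue
        [ "$(cat "$d/type")" = bluetooth ] || continue
        found=1
        [ "$(cat "$d/soft")" = 1 ] || return 1
    done
    [ "$found" -eq 1 ]
}

# classify VERSION LOADED(0/1) SOFTBLOCKED(0/1) -> prints one status word:
#   not-loaded   no Bluetooth subsystem in this kernel, nothing to reach
#   radio-off    subsystem present but soft-blocked (the off switch)
#   5.9+         kernel already at or above the advisory's fixed release
#   check-distro below 5.9 with the radio on: consult the distro CVE tracker
classify() {
    ver=$1; loaded=$2; blocked=$3
    if [ "$loaded" -eq 0 ]; then echo not-loaded; return; fi
    if [ "$blocked" -eq 1 ]; then echo radio-off; return; fi
    if kernel_at_least "$ver" 5 9; then echo 5.9+; else echo check-distro; fi
}

# Run the triage against the current host and print the result (always exits 0).
report_host() {
    ver=$(uname -r)
    if bluetooth_loaded; then loaded=1; else loaded=0; fi
    if bluetooth_soft_blocked; then blocked=1; else blocked=0; fi
    echo "kernel: $ver  bluetooth loaded: $loaded  rfkill soft-blocked: $blocked"
    echo "status: $(classify "$ver" "$loaded" "$blocked")"
    echo "stopgap until patched: rfkill block bluetooth"
}

report_host
```

A "check-distro" result is a prompt to look further, not a verdict: distribution kernels such as Ubuntu's carry backported fixes under the old version string, so the distro's CVE pages (the Ubuntu tracker links later in this thread, for example) are the authoritative answer for a given package build. For a device that cannot be updated, "rfkill block bluetooth" removes the zero-click exposure the article describes, since every BleedingTooth bug needs a radio that is listening.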

It's not Internet exploitable. The attacker has to be within Bluetooth range and has to know the target's Bluetooth device address. Also, the attacker will have to know you were using the Intel BlueZ Linux Bluetooth protocol stack. Intel has written the patches; Linux users are just waiting for them to be merged into the Linux kernel.

https://www.zdnet.com/article/google-warns-of-severe-bleedingtooth-bluetooth-flaw-in-linux-kernel/

 

Patches

https://lore.kernel.org/linux-bluetooth/[email protected]/

https://lore.kernel.org/linux-bluetooth/[email protected]/

https://lore.kernel.org/linux-bluetooth/[email protected]/

https://lore.kernel.org/linux-bluetooth/[email protected]/

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e

 



Ubuntu is already working on the patches. Also, unless you use Bluetooth devices, there is an off switch if you're afraid some spook is trying to hack you like James Bond 007 or Agent 99. :clap:

CVE-2020-12351  Priority High

https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12351.html

 

CVE-2020-12352  Priority Medium

https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12352.html

 

CVE-2020-24490  Priority Medium

https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-24490.html

 

The Linux kernel doesn't get many high-rated flaws, but I still like keeping everything patched up. So I never use the generic kernel anymore unless it's on my test machine; it's best to always just use the ones your distro patches. Ubuntu LTS will always have 2 patched kernels: on the first LTS release the stack won't be upgraded unless you upgrade it in the terminal, while point releases will always give you new kernels. Upgrading has never been a problem for me if you use the open-source drivers for Intel, ever since I've used Linux. AMD hasn't been a problem for me since 16.04, when they got rid of their closed drivers; that was fixed in something like 16.04.3.

 

NVIDIA is the one you have to watch out for: you need to make sure you update the closed driver before you upgrade the stack and kernel. Ubuntu now has the driver in the ISO and in the driver manager, but some distros don't. If you don't want to update your closed NVIDIA driver, you just install the first LTS release and never upgrade the stack. You will get all the point-release updates; you will just be using an older kernel, and Ubuntu will patch the old one for 5 years for free. Many quality fixes get backported as well. I know WireGuard is now baked into the 18.04 kernel and I no longer need a PPA to install DKMS for WireGuard anymore. :tooth:

 

I always keep an eye out for Agent 99.

 


 

:rofl:
