Google has released details of a high-severity flaw in the Bluetooth stack of Linux kernel versions below Linux 5.9 that support BlueZ.
Linux 5.9 was released just two days ago, and Intel's advisory for the high-severity Bluetooth flaw, CVE-2020-12351, recommends updating the Linux kernel to version 5.9 or later.
"Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access," Intel notes in its advisory for CVE-2020-12351. BlueZ is found on Linux-based IoT devices and is the official Linux Bluetooth stack.
Intel says the BlueZ project is releasing Linux kernel fixes to address the high-severity flaw, as well as fixes for two medium-severity flaws, CVE-2020-12352 and CVE-2020-24490.
CVE-2020-12352 is due to improper access control in BlueZ that "may allow an unauthenticated user to potentially enable information disclosure via adjacent access." CVE-2020-24490 refers to BlueZ's lack of proper buffer restrictions that "may allow an unauthenticated user to potentially enable denial of service via adjacent access."
Andy Nguyen, a security engineer from Google, reported the bugs to Intel.
Researchers from Purdue University last month claimed that BlueZ was also vulnerable to BLESA (Bluetooth Low Energy Spoofing Attack), along with Fluoride (Android) and the iOS BLE stack.
Google has detailed the bugs on the Google Security Research Repository on GitHub. Nguyen's description of the BleedingTooth vulnerability sounds more serious than Intel's write-up.
Nguyen says it's a "zero click" Linux Bluetooth Remote Code Execution flaw and has published a short video demonstrating the attack using commands on one Dell XPS 15 laptop running Ubuntu to open the calculator on a second Dell Ubuntu laptop without any action taken on the victim's laptop.
BlueZ contains several Bluetooth modules, including the Bluetooth kernel subsystem core and the L2CAP and SCO audio kernel layers.
According to Francis Perry of Google's Product Security Incident Response Team, an attacker within Bluetooth range who knows the target's Bluetooth device address (bd address) can execute arbitrary code with kernel privileges. BleedingTooth affects Linux kernel versions 5.8 and higher, but not Linux 5.9 or later.
"A remote attacker in short distance knowing the victim's bd address can send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges. Malicious Bluetooth chips can trigger the vulnerability as well," Perry writes.
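As a defender's check, here is an added example that is not part of the article or of Google's or Intel's material: a POSIX shell script that applies the version threshold stated above (kernel 5.9 or later is fixed) to the running kernel and reports whether the BlueZ `bluetooth` kernel module is loaded, since the L2CAP packet path the advisory describes is only reachable when that module is active. The module name and the `/proc/modules` path are assumptions about a typical Linux system.

```shell
#!/bin/sh
# Added example, not from the article: compare the running kernel against the
# 5.9 threshold named in Intel's advisory for CVE-2020-12351 and report
# whether the BlueZ kernel module is loaded.

# Returns 0 when the version string in $1 is below 5.9, 1 when it is 5.9 or
# later, and 2 when the string cannot be parsed (e.g. "unknown").
kernel_below_5_9() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "-generic" style suffixes
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) minor=0 ;; esac
    [ "$major" -lt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -lt 9 ] && return 0
    return 1
}

# Returns 0 when a module named "bluetooth" appears in an lsmod-style listing
# passed in $1 (the format of /proc/modules: name, size, refcount, users).
bluetooth_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "bluetooth" { found = 1 } END { exit !found }'
}

bleedingtooth_report() {
    kver=$(uname -r 2>/dev/null || echo unknown)
    kernel_below_5_9 "$kver"
    case $? in
        0) echo "kernel $kver is below 5.9: apply the BlueZ fixes or upgrade" ;;
        1) echo "kernel $kver is 5.9 or later" ;;
        *) echo "could not parse kernel version '$kver'" ;;
    esac
    if [ -r /proc/modules ] && bluetooth_module_loaded "$(cat /proc/modules)"; then
        echo "bluetooth module is loaded: the L2CAP path from the advisory is reachable"
    else
        echo "bluetooth module not loaded (or /proc/modules unreadable)"
    fi
}

bleedingtooth_report
```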
Google has also published proof-of-concept exploit code for the BleedingTooth vulnerability.
Google plans to publish further details about BleedingTooth shortly on the Google Security Blog.
Intel recommends installing the following kernel fixes to address these issues if a kernel upgrade is not possible.