News BleedingTooth: critical kernel Bluetooth vulnerability (Linux)

grandpaflo

Apologies for the messy quote, but it's important:
-------------------------------------------------------------

BlueZ Advisory: Severity rating, HIGH - All Linux kernel versions before 5.9 that support BlueZ


Intel ID: INTEL-SA-00435
Advisory Category: Software
Impact of vulnerability: Escalation of Privilege, Information Disclosure
Severity rating: HIGH
Original release: 10/13/2020
Last revised: 10/13/2020
Summary:

Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure. BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.
Vulnerability Details:

CVEID: CVE-2020-12351

Description: Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

CVSS Base Score: 8.3 High

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H



CVEID: CVE-2020-12352

Description: Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N



CVEID: CVE-2020-24490

Description: Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H


Affected Products:

All Linux kernel versions before 5.9 that support BlueZ.
Recommendations:

Intel recommends updating the Linux kernel to version 5.9 or later.

If a kernel upgrade is not possible, Intel recommends instead installing the following kernel fixes to address these issues:







Acknowledgements:

Intel would like to thank Andy Nguyen, security engineer from Google for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
Revision History
Revision Date Description
1.0 10/13/2020 Initial Release

-----------------
 

ch33zw1z

According to this conversation https://lwn.net/Articles/834297/#Comments

It appears Android isn't affected. So that would leave laptops and desktops that run BT, and leaves out servers. More importantly, it could affect Raspberry Pis though, lots of those out there. Maybe more to come? Or just swept under the rug when it's patched soon.

Thanks for posting this!
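
A host-side check against the advisory's affected range ("before 5.9 that support BlueZ"), as an added example that is not part of the thread or the Intel advisory. It assumes the standard Linux paths /proc/modules and /sys/class/bluetooth, and the function names and result labels are illustrative. A distribution kernel below 5.9 may already carry backported fixes, so an in-range result means checking the vendor's own advisory.

```python
import os
import platform
import re

FIXED = (5, 9)  # advisory recommendation: Linux kernel 5.9 or later


def parse_release(release):
    """Return (major, minor) from a `uname -r` string such as '5.4.0-52-generic'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def before_fixed(release):
    # Tuple comparison, so 5.10 sorts after 5.9 (a string compare would not).
    return parse_release(release) < FIXED


def bluetooth_loaded(proc_modules_text):
    """True if the 'bluetooth' core module is listed in /proc/modules content."""
    return any(line.split()[:1] == ["bluetooth"]
               for line in proc_modules_text.splitlines())


def controllers(sys_dir="/sys/class/bluetooth"):
    """Registered HCI controllers (hci0, ...); empty when none or no such dir."""
    try:
        return sorted(n for n in os.listdir(sys_dir) if re.fullmatch(r"hci\d+", n))
    except OSError:
        return []


def assess(release, proc_modules_text, hci):
    if not before_fixed(release):
        return "not-in-range"          # 5.9 or later
    if not hci and not bluetooth_loaded(proc_modules_text):
        return "in-range-bt-inactive"  # old kernel, Bluetooth stack not active
    return "in-range-bt-active"        # old kernel, Bluetooth reachable


if __name__ == "__main__":
    try:
        with open("/proc/modules") as f:
            mods = f.read()
    except OSError:
        mods = ""
    print(platform.release(), assess(platform.release(), mods, controllers()))
```
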