This 'BleedingTooth' Flaw Found By Google In Linux-based Devices, Is A Zero-Click


When security researchers find flaws in software, they need to disclose them safely and responsibly, for the sake of users and of cyber security in general.

This is exactly what Andy Nguyen did, after he found a set of zero-click vulnerabilities in the Linux Bluetooth software stack.

According to the Google security researcher, the bugs allow a nearby, unauthenticated remote attacker to execute arbitrary code with kernel privileges on vulnerable devices.

Nguyen explained that the three flaws, collectively dubbed 'BleedingTooth', reside in the open-source BlueZ protocol stack, which implements many of the core Bluetooth layers and protocols for Linux-based systems such as laptops and IoT devices.

The first and the most severe is a heap-based type confusion (CVE-2020-12351, which has a CVSS score of 8.3).

It affects Linux kernel 4.8 and higher, and lies in the Logical Link Control and Adaptation Protocol (L2CAP) layer of the Bluetooth stack, which multiplexes data between different higher-layer protocols.

The news quickly turned the cyber security world into a bit of a frenzy.

According to Google in its advisory on GitHub:

"A remote attacker in short distance knowing the victim's bd address can send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges. Malicious Bluetooth chips can trigger the vulnerability as well."

Of the second vulnerability (CVE-2020-12352), Google wrote:

"A remote attacker in short distance knowing the victim's bd address can retrieve kernel stack information containing various pointers that can be used to predict the memory layout and to defeat KASLR. The leak may contain other valuable information such as the encryption keys. Malicious Bluetooth chips can trigger the vulnerability as well."

Of the third flaw (CVE-2020-24490), Google wrote:

"A heap-based buffer overflow affecting Linux kernel 4.19 and higher was discovered in net/bluetooth/hci_event.c."

Knowing the severity of BleedingTooth, Andy Nguyen reported the flaws privately to the stack's maintainer, Intel.

Intel, which has significantly invested in the BlueZ project, has also issued an alert characterizing BleedingTooth as a privilege escalation flaw.

For its part, the company has recommended installing the kernel fixes to mitigate the risk associated with these issues.

"Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure," Intel said of the flaws. "BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities."

The fixes addressed the BleedingTooth bugs along with some other, mostly mundane, issues.
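As an added defender-side check (not code from the article, Google or Intel), the POSIX shell script below classifies a kernel version string against the version floors the article states: 4.8 and higher for CVE-2020-12351, and 4.19 and higher for CVE-2020-24490. The article gives no version floor for CVE-2020-12352, so the script does not classify it. It assumes nothing about which builds carry the fixes: distributions backport kernel patches without changing the major.minor number, so an in-range result means "consult your distribution's advisory", not "this host is unpatched". The `rfkill block bluetooth` interim mitigation mentioned in the output is my suggestion, not one the article attributes to Intel.

```shell
#!/bin/sh
# Added example (not from the article, Google or Intel): report which
# BleedingTooth version floors stated in the article a kernel meets.
#   CVE-2020-12351: Linux 4.8 and higher  (L2CAP heap type confusion)
#   CVE-2020-24490: Linux 4.19 and higher (hci_event.c heap overflow)
# The article gives no version floor for CVE-2020-12352, so it is not
# classified here. Distributions backport fixes without bumping
# major.minor, so "in range" means "check the distro advisory", not
# "unpatched".

# strip_num: keep only the leading digits of a version component
# ("10-rc1" -> "10"; an empty component becomes "0")
strip_num() {
    n=${1%%[!0-9]*}
    printf '%s\n' "${n:-0}"
}

# kver_ge A B: succeed if kernel version A >= B, comparing major.minor
# only (e.g. "5.4.0-48-generic" >= "4.19"); the patch level is ignored
# because the article states its ranges at major.minor granularity.
kver_ge() {
    a_major=$(strip_num "${1%%.*}")
    a_rest=${1#*.}; [ "$a_rest" = "$1" ] && a_rest=0
    a_minor=$(strip_num "${a_rest%%.*}")
    b_major=$(strip_num "${2%%.*}")
    b_rest=${2#*.}; [ "$b_rest" = "$2" ] && b_rest=0
    b_minor=$(strip_num "${b_rest%%.*}")
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -ge "$b_minor" ]
}

# bleedingtooth_ranges VERSION: print, space separated, the CVE ids whose
# stated version floor VERSION meets; prints an empty line if none.
bleedingtooth_ranges() {
    out=""
    kver_ge "$1" 4.8  && out="CVE-2020-12351"
    kver_ge "$1" 4.19 && out="$out CVE-2020-24490"
    printf '%s\n' "${out# }"
}

# main: classify the running kernel and print the next step for an admin
main() {
    ver=$(uname -r)
    hits=$(bleedingtooth_ranges "$ver")
    if [ -z "$hits" ]; then
        echo "kernel $ver is below every BleedingTooth version floor on the page"
        return 0
    fi
    echo "kernel $ver is in the stated range for: $hits"
    echo "verify fix status in your distribution's advisory;"
    echo "if Bluetooth is not needed, 'rfkill block bluetooth' removes the"
    echo "over-the-air attack surface until the patched kernel is installed"
}

main
```

Run it as `sh bleedingtooth_check.sh` on each host; the version comparison is deliberately major.minor only, which is why the script tells you to confirm the patch level through the distribution's advisory rather than guessing it from the version string.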

"Intel would like to thank Andy Nguyen, security engineer from Google for reporting these issues."

Shortly before this, another Bluetooth flaw, dubbed BLESA, was found to affect billions of devices.

Published: 20/10/2020