When security researchers find flaws in software, they need to disclose them safely and responsibly, for the sake of users and of cyber security in general.
This is exactly what Andy Nguyen did after he found a set of zero-click vulnerabilities in the Linux Bluetooth software stack.
According to the Google security researcher, the bugs allow a nearby, unauthenticated remote attacker to execute arbitrary code with kernel privileges on vulnerable devices.
Nguyen explained that the three flaws, collectively dubbed 'BleedingTooth', reside in the open-source BlueZ protocol stack, which implements many of the core Bluetooth layers and protocols on Linux-based systems such as laptops and IoT devices.
The first and most severe is a heap-based type confusion (CVE-2020-12351, CVSS score 8.3).
It affects Linux kernel 4.8 and higher and is present in the Logical Link Control and Adaptation Protocol (L2CAP) layer of the Bluetooth stack, which multiplexes data between different higher-layer protocols.
The news quickly turned the cyber security world into a bit of a frenzy.
BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution
Blog post available soon on: https://t.co/2SDRm6PZaQ
Google Security Research Repository: https://t.co/0HolidyWvV
Intel Security Advisory: https://t.co/kfGj3MWajy
Video: https://t.co/sE35AoD0V4
Andy Nguyen (@theflow0), October 13, 2020
According to Google in its advisory on GitHub:
Of the second vulnerability (CVE-2020-12352), Google wrote:
Lastly, of a third flaw (CVE-2020-24490), Google wrote:
Knowing the severity of BleedingTooth, Nguyen reported the flaws privately to the stack's maintainer, Intel.
Intel, which has invested significantly in the BlueZ project, also issued an alert characterizing BleedingTooth as a privilege escalation flaw.
For its part, the company recommended installing the kernel fixes to mitigate the risk associated with these issues.
"Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure," Intel said of the flaws. "BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities."
The fixes addressed the BleedingTooth bugs alongside a number of other, mostly mundane, changes.
"Intel would like to thank Andy Nguyen, security engineer from Google for reporting these issues."
Shortly before this, another Bluetooth flaw, dubbed BLESA, was found to affect billions of devices.