Security researchers at Google and Intel warn of serious Bluetooth vulnerabilities that threaten all but the most recent Linux kernel.
Not much is known yet about the new Bluetooth vulnerabilities, but they already have a name: BleedingTooth (CVE-2020-12351, CVE-2020-12352, CVE-2020-24490). They affect the BlueZ stack, which is widely used in Linux distributions as well as in consumer and industrial IoT devices (Linux 2.4.6 and higher).
Andy Nguyen, the security researcher at Google who discovered the BleedingTooth vulnerabilities, says these security gaps allow attackers within Bluetooth range to execute arbitrary code. Intel, for its part, associates the flaws with privilege escalation and information disclosure.
BleedingTooth Bluetooth Vulnerabilities
The most serious bug in the set is CVE-2020-12351, a type confusion vulnerability that affects Linux kernels 4.8 and later. It has a high severity rating (8.3 on the CVSS scale) and can be exploited by an attacker who is within Bluetooth range and knows the Bluetooth Device Address (BD_ADDR) of the target device.
To exploit the bug, an attacker must send a malicious L2CAP packet to the victim, which can lead to denial of service (DoS) or arbitrary code execution with kernel privileges. Nguyen stresses that exploiting the problem requires no user interaction.
A proof-of-concept exploit for CVE-2020-12351 has already been published on GitHub, and a demonstration of the attack in action can be seen in the video below.
The second issue, CVE-2020-12352, is an information leak that affects Linux kernels 3.6 and later. It was assigned a medium severity rating (5.3 on the CVSS scale).
“A remote attacker in short distance knowing the victim’s BD address can retrieve kernel stack information containing various pointers that can be used to predict the memory layout and to defeat KASLR. The leak may contain other valuable information such as the encryption keys. Malicious Bluetooth chips can trigger the vulnerability as well,” explain the researchers at Google.
The third vulnerability, CVE-2020-24490 (CVSS score 5.3), is a heap buffer overflow that affects Linux kernel versions 4.19 and later. Here, too, a remote attacker within short range of the vulnerable device can cause a denial of service or even execute arbitrary code with kernel privileges.
Google’s researchers note that only devices equipped with Bluetooth 5 chips and in scan mode are affected, but attackers can use malicious chips to carry out the attack.
These flaws are likely to pose particular problems for Linux-based IoT devices that actively use Bluetooth. While Linux distributions roll out patches as soon as they are available, manufacturers of Internet of Things devices often maintain them only briefly, poorly, or not at all, so the gaps in these devices are often closed very late or never. Android has its own Bluetooth implementation and is therefore not affected.