
BleedingTooth: critical kernel Bluetooth vulnerability

([Security] Oct 14, 2020 17:00 UTC (Wed) (jake))


Several flaws in the [1]BlueZ kernel Bluetooth stack prior to Linux 5.9 are being reported [2]by Intel and by Google ([3]GHSA-h637-c88j-47wq, [4]GHSA-7mh3-gq28-gfrq, and [5]GHSA-ccx2-w2r4-x649). They are collectively being called "BleedingTooth", and more information [6]will be forthcoming, though there is already a [7]YouTube video demonstrating remote code execution using BleedingTooth.



[1] http://www.bluez.org/

[2] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html

[3] https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq

[4] https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq

[5] https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649

[6] https://twitter.com/theflow0/status/1316071793707364353

[7] https://www.youtube.com/watch?v=qPYrLRausSw

BleedingTooth: critical kernel Bluetooth vulnerability

None of these patches are in 5.8.15 or any other recent stable kernel and I can't find them mentioned anywhere in stable@vger.k.o. Who do we need to ping to make them go to stable?

BleedingTooth: critical kernel Bluetooth vulnerability

I just informed Greg KH privately about it. He was not made aware of these issues prior to now. What's up with Intel and Google's security disclosure process?

BleedingTooth: critical kernel Bluetooth vulnerability

Actually, looking at Linus' master branch (and v5.9), only commit a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report") appears to have reached upstream.

None of the fixes from Intel appear in master, let alone in v5.9:

[1]https://lore.kernel.org/linux-bluetooth/20200806181714.32...

[2]https://lore.kernel.org/linux-bluetooth/20200806181714.32...

[3]https://lore.kernel.org/linux-bluetooth/20200806181714.32...

[4]https://lore.kernel.org/linux-bluetooth/20200806181714.32...

It appears that Intel's security advisory is wrong when saying "Intel recommends updating the Linux kernel to version 5.9 or later."

[1] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/

[2] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/

[3] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/

[4] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
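The check the comment above describes, turned into a reusable shell helper (an added example, not the commenter's or the kernel project's code): given a git checkout, report whether a fix commit is an ancestor of a release tag, which is what actually decides whether a kernel version carries the fix. Commit a2ec905d1e16 and tag v5.9 are the ones named above; the repository path is an assumption, and the toy repository built by make_toy_repo is constructed here only so the helper can be exercised offline.

```shell
# fix_in_release REPO COMMIT REF
# Prints "yes" if COMMIT is contained in REF (tag or branch), "no" if the
# commit exists in the tree but is not an ancestor of REF (e.g. merged to
# master after the release was tagged), and "unknown" if the id is not in
# this tree at all (typo, or fix never merged).
fix_in_release() {
  repo=$1; commit=$2; ref=$3
  if git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
    if git -C "$repo" merge-base --is-ancestor "$commit" "$ref" 2>/dev/null; then
      echo yes
    else
      echo no
    fi
  else
    echo unknown
  fi
}

# Constructed toy repository standing in for linux.git: one commit tagged
# v5.9, then one later commit that only exists on the default branch.
make_toy_repo() {
  d=$(mktemp -d)
  git -C "$d" init -q
  git -C "$d" -c user.name=t -c user.email=t@example.com \
      commit -q --allow-empty -m "base release"
  git -C "$d" tag v5.9
  git -C "$d" -c user.name=t -c user.email=t@example.com \
      commit -q --allow-empty -m "Bluetooth: fix merged after the release"
  echo "$d"
}

# Real-world usage (assumed path to a clone of linux.git):
#   fix_in_release /path/to/linux a2ec905d1e16 v5.9
#   fix_in_release /path/to/linux a2ec905d1e16 v5.8.15
```

Run the helper against each commit id from the advisories and each stable tag you ship; any "no" or "unknown" means the advisory's "update to 5.9" advice does not cover that fix.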

BleedingTooth: critical kernel Bluetooth vulnerability

So... more or less every Android phone is vulnerable to one or more of these whenever Bluetooth is powered, and these days it's usually on all the time because of COVID-19 proximity detection. And most of them will no doubt not see security fixes for many months, if ever.

Wonderful.