
BleedingTooth: critical kernel Bluetooth vulnerability

([Security] Oct 14, 2020 17:00 UTC (Wed) (jake))


Several flaws in the [1]BlueZ kernel Bluetooth stack prior to Linux 5.9 are being reported [2]by Intel and by Google ([3]GHSA-h637-c88j-47wq, [4]GHSA-7mh3-gq28-gfrq, and [5]GHSA-ccx2-w2r4-x649). They are collectively being called "BleedingTooth", and more information [6]will be forthcoming, though there is already a [7]YouTube video demonstrating remote code execution using BleedingTooth.



[1] http://www.bluez.org/

[2] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html

[3] https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq

[4] https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq

[5] https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649

[6] https://twitter.com/theflow0/status/1316071793707364353

[7] https://www.youtube.com/watch?v=qPYrLRausSw

BleedingTooth: critical kernel Bluetooth vulnerability

None of these patches are in 5.8.15 or any other recent stable kernel and I can't find them mentioned anywhere in stable@vger.k.o. Who do we need to ping to make them go to stable?

BleedingTooth: critical kernel Bluetooth vulnerability

I just informed Greg KH privately about it. He was not made aware of these issues prior to now. What's up with Intel and Google's security disclosure process?

BleedingTooth: critical kernel Bluetooth vulnerability

Actually, looking at Linus' master branch (and v5.9), only commit a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report") appears to have reached upstream.

None of the fixes from Intel even appear in master, let alone in v5.9:

[1]https://lore.kernel.org/linux-bluetooth/20200806181714.32...

[2]https://lore.kernel.org/linux-bluetooth/20200806181714.32...

[3]https://lore.kernel.org/linux-bluetooth/20200806181714.32...

[4]https://lore.kernel.org/linux-bluetooth/20200806181714.32...

It appears that Intel's security advisory is wrong when saying "Intel recommends updating the Linux kernel to version 5.9 or later."

[1] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/

[2] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/

[3] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/

[4] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
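The comment above makes the practical point that a version number ("5.9 or later") is not evidence that a particular fix is present; the commit has to be checked in the tree you actually run. The following POSIX shell helpers are an added example written for this page, not code from LWN, Intel, Google or the commenters. They compare a kernel version string against a threshold, ask git whether a given commit is an ancestor of a ref in a checkout, and read the rfkill state from sysfs to tell whether any Bluetooth radio is currently reachable. The tree path `$HOME/linux` is an assumption; a2ec905d1e16 is the one commit id the comment names, and the ids of the other patches are not on this page, so they must be supplied by the caller.

```shell
#!/bin/sh
# Added example: verify a kernel's BleedingTooth exposure by commit, not by
# version number.  Not part of the original article or comments.

# kver_lt A B: succeed if version A sorts before version B.  Compares the
# first three dotted numeric fields; missing fields count as 0 and trailing
# suffixes such as "-arch1" are ignored (awk takes the leading digits), so
# "5.8.15-arch1" < "5.9" is true and "5.9" < "5.9.0" is false.
kver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        for (i = 1; i <= 3; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# has_commit TREE COMMIT REF: succeed if COMMIT is an ancestor of REF in the
# git checkout at TREE.  Fails (non-zero) if the commit is absent, unknown to
# the tree, or the tree is not a repository.
has_commit() {
    git -C "$1" merge-base --is-ancestor "$2" "$3" 2>/dev/null
}

# bt_radio_off [RFKILL_DIR]: succeed if no Bluetooth radio is unblocked.
# Reads the kernel's rfkill sysfs entries (type/soft/hard per device); the
# directory argument exists so a constructed fake tree can be checked too.
# soft=0 and hard=0 together mean the radio is on and remotely reachable.
bt_radio_off() {
    dir=${1:-/sys/class/rfkill}
    for dev in "$dir"/rfkill*; do
        [ -r "$dev/type" ] && [ "$(cat "$dev/type")" = bluetooth ] || continue
        if [ "$(cat "$dev/soft")" = 0 ] && [ "$(cat "$dev/hard")" = 0 ]; then
            return 1
        fi
    done
    return 0
}

# Stand-alone usage on this host.
running=$(uname -r)
if kver_lt "$running" 5.9; then
    echo "running $running: older than the 5.9 named in Intel's advisory"
else
    echo "running $running: 5.9 or newer, but still verify the commits themselves"
fi

if bt_radio_off; then
    echo "bluetooth: no unblocked radio"
else
    echo "bluetooth: a radio is unblocked and reachable (rfkill block bluetooth to mitigate)"
fi

# Tree check.  KERNEL_TREE / ~/linux is an assumed path; a2ec905d1e16 is the
# commit the comment above names as the only one that reached upstream.
tree=${KERNEL_TREE:-$HOME/linux}
if has_commit "$tree" a2ec905d1e16 HEAD; then
    echo "a2ec905d1e16 is in $tree HEAD"
else
    echo "a2ec905d1e16 is not in $tree HEAD (or the tree is unavailable)"
fi
```

Run it with `KERNEL_TREE=/path/to/linux sh check.sh` after a `git fetch`; pass the other fix commit ids to `has_commit` once you have them from the lore threads listed above. The rfkill check only says whether the radio is on, not whether the stack is patched, which is why both checks are reported separately.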

BleedingTooth: critical kernel Bluetooth vulnerability

So... more or less every Android phone is vulnerable to one or more of these whenever Bluetooth is powered, and these days it's usually on all the time because of COVID-19 proximity detection. And most of them will no doubt not see security fixes for many months, if ever.

Wonderful.
