BleedingTooth: critical kernel Bluetooth vulnerability
([Security] Oct 14, 2020 17:00 UTC (Wed) (jake))
- Reference: 0000834297
- News link: https://lwn.net/Articles/834297
- Source link:
Several flaws in the [1]BlueZ kernel Bluetooth stack prior to Linux 5.9 are being reported [2]by Intel and by Google ( [3]GHSA-h637-c88j-47wq , [4]GHSA-7mh3-gq28-gfrq , and [5]GHSA-ccx2-w2r4-x649 ). They are collectively being called "BleedingTooth", and more information [6]will be forthcoming , though there is already a [7]YouTube video demonstrating remote code execution using BleedingTooth.
[1] http://www.bluez.org/
[2] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
[3] https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
[4] https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
[5] https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649
[6] https://twitter.com/theflow0/status/1316071793707364353
[7] https://www.youtube.com/watch?v=qPYrLRausSw
[1] http://www.bluez.org/
[2] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
[3] https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
[4] https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
[5] https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649
[6] https://twitter.com/theflow0/status/1316071793707364353
[7] https://www.youtube.com/watch?v=qPYrLRausSw
BleedingTooth: critical kernel Bluetooth vulnerability
None of these patches are in 5.8.15 or any other recent stable kernel and I can't find them mentioned anywhere in stable@vger.k.o. Who do we need to ping to make them go to stable?
BleedingTooth: critical kernel Bluetooth vulnerability
None of these patches are in 5.8.15 or any other recent stable kernel and I can't find them mentioned anywhere in stable@vger.k.o. Who do we need to ping to make them go to stable?
BleedingTooth: critical kernel Bluetooth vulnerability
I just informed Greg KH privately about it. He was not made aware of these issues prior to now. What's up with Intel and Google's security disclosure process ?
BleedingTooth: critical kernel Bluetooth vulnerability
I just informed Greg KH privately about it. He was not made aware of these issues prior to now. What's up with Intel and Google's security disclosure process ?
BleedingTooth: critical kernel Bluetooth vulnerability
Actually, looking at Linus' master branch (and v5.9), only
commit a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report") appears to have reached upstream.
All fixes from Intel don't even appear in master, even less in v5.9:
[1]https://lore.kernel.org/linux-bluetooth/20200806181714.32...
[2]https://lore.kernel.org/linux-bluetooth/20200806181714.32...
[3]https://lore.kernel.org/linux-bluetooth/20200806181714.32...
[4]https://lore.kernel.org/linux-bluetooth/20200806181714.32...
It appears that Intel's security advisory is wrong when saying "Intel recommends updating the Linux kernel to version 5.9 or later."
[1] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
[2] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
[3] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
[4] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
BleedingTooth: critical kernel Bluetooth vulnerability
Actually, looking at Linus' master branch (and v5.9), only
commit a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report") appears to have reached upstream.
All fixes from Intel don't even appear in master, even less in v5.9:
[1]https://lore.kernel.org/linux-bluetooth/20200806181714.32...
[2]https://lore.kernel.org/linux-bluetooth/20200806181714.32...
[3]https://lore.kernel.org/linux-bluetooth/20200806181714.32...
[4]https://lore.kernel.org/linux-bluetooth/20200806181714.32...
It appears that Intel's security advisory is wrong when saying "Intel recommends updating the Linux kernel to version 5.9 or later."
[1] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
[2] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
[3] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
[4] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
BleedingTooth: critical kernel Bluetooth vulnerability
So... more or less every Android phone is vulnerable to one or more of these whenever bluetooth is powered, and these days it's usually on all the time because of covid-19 proximity detection. And most of them will no doubt not see security fixes for many months, if ever.
Wonderful.