BleedingTooth: critical kernel Bluetooth vulnerability

([Security] Oct 14, 2020 17:00 UTC (Wed) (jake))


Several flaws in the [1]BlueZ kernel Bluetooth stack prior to Linux 5.9 are being reported [2]by Intel and by Google ([3]GHSA-h637-c88j-47wq, [4]GHSA-7mh3-gq28-gfrq, and [5]GHSA-ccx2-w2r4-x649). They are collectively being called "BleedingTooth", and more information [6]will be forthcoming, though there is already a [7]YouTube video demonstrating remote code execution using BleedingTooth.



[1] http://www.bluez.org/

[2] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html

[3] https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq

[4] https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq

[5] https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649

[6] https://twitter.com/theflow0/status/1316071793707364353

[7] https://www.youtube.com/watch?v=qPYrLRausSw

BleedingTooth: critical kernel Bluetooth vulnerability

None of these patches are in 5.8.15 or any other recent stable kernel and I can't find them mentioned anywhere in stable@vger.k.o. Who do we need to ping to make them go to stable?

BleedingTooth: critical kernel Bluetooth vulnerability

I just informed Greg KH privately about it. He was not made aware of these issues prior to now. What's up with Intel and Google's security disclosure process?

BleedingTooth: critical kernel Bluetooth vulnerability

Actually, looking at Linus' master branch (and v5.9), only commit a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report") appears to have reached upstream.

All fixes from Intel don't even appear in master, even less in v5.9:

[1]https://lore.kernel.org/linux-bluetooth/20200806181714.32...

[2]https://lore.kernel.org/linux-bluetooth/20200806181714.32...

[3]https://lore.kernel.org/linux-bluetooth/20200806181714.32...

[4]https://lore.kernel.org/linux-bluetooth/20200806181714.32...

It appears that Intel's security advisory is wrong when saying "Intel recommends updating the Linux kernel to version 5.9 or later."

[1] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/

[2] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/

[3] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/

[4] https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
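One way to perform the check this comment describes, as an added example that is not the commenter's or the kernel project's code: a POSIX shell function that asks git whether a fix is present in a ref, falling back from the exact upstream SHA to the stable backport's "commit <sha> upstream" trailer and then to the subject line. The repository it runs against is a constructed stand-in, the subject line is the one quoted in the comment, and the `fix_in_ref` name and argument order are assumptions.

```sh
# Added example, not code from the LWN item or its commenters: report whether a
# fix has reached a given kernel tag or branch. Stable trees cherry-pick fixes
# under new SHAs, so testing only the upstream hash gives false negatives; a
# backport keeps the subject and notes "commit <sha> upstream" in its body.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# fix_in_ref REPO SHA SUBJECT REF -> prints exact|backport|subject|missing
fix_in_ref() {
  # Expand an abbreviated SHA so the "commit ... upstream" search is exact.
  sha=$(git -C "$1" rev-parse --verify --quiet "$2^{commit}" 2>/dev/null || echo "$2")
  if git -C "$1" merge-base --is-ancestor "$sha" "$4" 2>/dev/null; then
    echo exact; return 0
  fi
  if [ -n "$(git -C "$1" log -F --grep="commit $sha upstream" --format=%h "$4")" ]; then
    echo backport; return 0
  fi
  if [ -n "$(git -C "$1" log -F --grep="$3" --format=%h "$4")" ]; then
    echo subject; return 0
  fi
  echo missing; return 1
}

# Constructed stand-in for a kernel tree (not real kernel history): an upstream
# branch carrying the fix, a stable branch with a proper backport, one whose
# backport lacks the upstream trailer, and one that never received the fix.
make_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" -c init.defaultBranch=master init -q
  git -C "$repo" commit -q --allow-empty -m "Constructed base release"
  base=$(git -C "$repo" rev-parse HEAD)
  git -C "$repo" commit -q --allow-empty -m "$FIX_SUBJECT"
  git -C "$repo" tag upstream
  git -C "$repo" checkout -q -b stable-backport "$base"
  git -C "$repo" commit -q --allow-empty -m "$FIX_SUBJECT" \
    -m "commit $(git -C "$repo" rev-parse upstream) upstream."
  git -C "$repo" checkout -q -b stable-no-trailer "$base"
  git -C "$repo" commit -q --allow-empty -m "$FIX_SUBJECT"
  git -C "$repo" checkout -q -b stable-unpatched "$base"
  echo "$repo"
}

FIX_SUBJECT="Bluetooth: fix kernel oops in store_pending_adv_report"
DEMO_REPO=$(make_demo_repo)
UPSTREAM_SHA=$(git -C "$DEMO_REPO" rev-parse --short upstream)
for ref in upstream stable-backport stable-no-trailer stable-unpatched; do
  printf '%-18s %s\n' "$ref" "$(fix_in_ref "$DEMO_REPO" "$UPSTREAM_SHA" "$FIX_SUBJECT" "$ref" || true)"
done
```

Against a real tree the call becomes `fix_in_ref ~/linux a2ec905d1e16 'Bluetooth: fix kernel oops in store_pending_adv_report' v5.8.15`; a `subject` result means a commit with the same title exists but carries no upstream reference, so it deserves a manual look before being counted as the fix.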

BleedingTooth: critical kernel Bluetooth vulnerability

So... more or less every Android phone is vulnerable to one or more of these whenever bluetooth is powered, and these days it's usually on all the time because of covid-19 proximity detection. And most of them will no doubt not see security fixes for many months, if ever.

Wonderful.
