Intel says the BlueZ project is releasing Linux kernel fixes to address the high-severity flaw, as well as fixes for two medium-severity flaws, CVE-2020-12352 and CVE-2020-24490.
CVE-2020-12352 is due to improper access control in BlueZ that “may allow an unauthenticated user to potentially enable information disclosure via adjacent access.” CVE-2020-24490 refers to BlueZ’s lack of proper buffer restrictions that “may allow an unauthenticated user to potentially enable denial of service via adjacent access.”
Andy Nguyen, a security engineer from Google, reported the bugs to Intel.
Researchers from Purdue University last month claimed that BlueZ was also vulnerable to BLESA (Bluetooth Low Energy Spoofing Attack), along with Fluoride (the Android Bluetooth stack) and the iOS BLE stack.
Nguyen says it’s a “zero click” Linux Bluetooth remote code execution flaw and has published a short video demonstrating the attack: commands run on one Dell XPS 15 laptop running Ubuntu open the calculator on a second Dell Ubuntu laptop, with no action taken on the victim’s laptop.
BlueZ contains several Bluetooth modules, including the Bluetooth kernel subsystem core and the L2CAP and SCO audio kernel layers.
According to Francis Perry of Google’s Product Security Incident Response Team, an attacker within Bluetooth range who knows the target’s Bluetooth device address (bd address) can execute arbitrary code with kernel privileges. BleedingTooth affects Linux kernel versions 5.8 and higher but not Linux 5.9 and higher.
“A remote attacker in short distance knowing the victim’s bd address can send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges. Malicious Bluetooth chips can trigger the vulnerability as well,” Perry writes.
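The affected-version statement above is the kind of thing an administrator wants to check on a fleet. The following script is an added example, not code from the article, from Intel, or from the BlueZ project: it parses a kernel version string and reports whether it falls in the range the article gives as affected (the 5.8 series, with 5.9 and later unaffected), and, as a second signal, whether the Bluetooth kernel modules are currently loaded. The function names and the choice of `bluetooth` and `btusb` as the modules to look for are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): check a kernel version against the
# affected range stated above (5.8.x affected; 5.9 and later not affected) and
# list loaded Bluetooth modules. Function names are this example's own.

# Return 0 if "$1" (e.g. "5.8.0-45-generic") is a 5.8-series kernel, 1 if it is
# any other numeric version, 2 if the string cannot be parsed.
kernel_in_affected_range() {
    ver=${1%%-*}                    # drop the distro suffix: 5.8.0-45-generic -> 5.8.0
    case "$ver" in *.*) ;; *) ver="$ver.0" ;; esac   # "5" -> "5.0"
    major=${ver%%.*}                # text before the first dot
    rest=${ver#*.}                  # text after the first dot
    minor=${rest%%.*}               # second component only
    case "$major" in ""|*[!0-9]*) return 2 ;; esac
    case "$minor" in ""|*[!0-9]*) return 2 ;; esac
    [ "$major" -eq 5 ] && [ "$minor" -eq 8 ]
}

# Print the names of the Bluetooth modules that are loaded right now
# (prints nothing if lsmod is unavailable or no such module is loaded).
bluetooth_modules_loaded() {
    lsmod 2>/dev/null | awk '$1 == "bluetooth" || $1 == "btusb" { print $1 }'
}

running=$(uname -r)
if kernel_in_affected_range "$running"; then
    echo "kernel $running is in the 5.8 series the article lists as affected"
    mods=$(bluetooth_modules_loaded)
    [ -n "$mods" ] && echo "Bluetooth modules currently loaded: $(echo "$mods" | tr '\n' ' ')"
else
    echo "kernel $running is outside the affected range stated in the article"
fi
```

The version test deliberately ignores everything after the second dot and after the first hyphen, so distribution-specific suffixes such as `-45-generic` do not affect the comparison; a kernel that reports as 5.8.x but has the vendor's backported fix applied will still be flagged, which is the conservative outcome for an inventory check.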