Pierluigi Paganini October 14, 2020

Google security researcher discovered Bluetooth vulnerabilities (BleedingTooth) in the Linux kernel that could allow zero-click attacks.

Andy Nguyen, a Google security researcher, has found Bluetooth vulnerabilities, referred to as BleedingTooth, in the Linux kernel that could be exploited by attackers to run arbitrary code or access sensitive information.

The BleedingTooth flaws are tracked as CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490.

The most severe of the vulnerabilities is a heap-based type confusion flaw (CVE-2020-12351) that has been rated as high severity and received a CVSS score of 8.3 out of 10.

A remote attacker within the Bluetooth range of the victim can exploit the flaw by knowing the bd address of the target device. The attacker can trigger the vulnerability by sending a malicious l2cap packet, which can lead to denial of service or even execution of arbitrary code, with kernel privileges.

According to the Google security researcher, the issue is a zero-click flaw that means that it does not require user interaction to be exploited.

Nguyen released a Proof-of-concept code for this vulnerability an exploit along with a video PoC demonstrating the issue.

The second issue found by the expert is a stack-based information leak that is tracked as CVE-2020-12352. The flaw impacts Linux kernel 3.6 and higher, it is classified as medium severity and received a CVSS score of 5.3.

“A remote attacker in short distance knowing the victim’s bd address can retrieve kernel stack information containing various pointers that can be used to predict the memory layout and to defeat KASLR. The leak may contain other valuable information such as the encryption keys,” reads the security advisory published by Google.

The third vulnerability tracked as CVE-2020-24490, is a heap-based buffer overflow that resides in net/bluetooth/hci_event.c. and affects Linux kernel 4.19 and higher.

The vulnerability is classified as medium risk and received a CVSS score of 5.3.

“A remote attacker in short distance can broadcast extended advertising data and cause denial of service or possibly arbitrary code execution with kernel privileges on victim machines if they are equipped with Bluetooth 5 chips and are in scanning mode. Malicious or vulnerable Bluetooth chips (e.g. compromised by BLEEDINGBIT or similar) can trigger the vulnerability as well.” reads the security advisory.

The researchers published the PoC code for both issue on GitHub.

Pierluigi Paganini

(SecurityAffairs – hacking, BleedingTooth)

[adrotate banner=”5″]

[adrotate banner=”13″]