BleedingTooth: Vulnerabilities in Linux Bluetooth Allow Zero-Click Attacks

Bluetooth vulnerabilities that a Google security researcher has identified in the Linux kernel could be exploited to run arbitrary code or access sensitive information.

Referred to as BleedingTooth, the issues were identified by Andy Nguyen, a security engineer from Google, and are tracked as CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490. They were introduced in 2016, 2012, and 2018, respectively.

The most severe of these flaws is CVE-2020-12351, a heap-based type confusion that affects Linux kernel 4.8 and higher. The issue features a high severity rating (CVSS score of 8.3).

The bug can be exploited by a remote attacker within Bluetooth range of the victim and which knows the bd address of the target device. To trigger the flaw, the attacker would have to send a malicious l2cap packet, which can lead to denial of service or even execution of arbitrary code, with kernel privileges.

An attacker looking to trigger the vulnerability can also use a malicious Bluetooth chip for that. Proof-of-concept code for an exploit can be found on GitHub.

The bug, Nguyen explains, does not require user interaction to be exploited (it is a zero-click vulnerability). A video demonstrating the issue is embedded below.

The second issue, CVE-2020-12352, is a stack-based information leak that impacts Linux kernel 3.6 and higher. The bug is considered medium severity (CVSS score of 5.3).

“A remote attacker in short distance knowing the victim’s bd address can retrieve kernel stack information containing various pointers that can be used to predict the memory layout and to defeat KASLR. The leak may contain other valuable information such as the encryption keys,” Google’s researchers explain.

Tracked as CVE-2020-24490 and considered medium risk (CVSS score of 5.3), the third vulnerability is a heap-based buffer overflow that affects Linux kernel 4.19 and higher.

A remote attacker within short range of a vulnerable device can trigger the flaw through broadcasting extended advertising data. This could lead to denial of service or even arbitrary code execution with kernel privileges.

Only devices that feature Bluetooth 5 chips and which are in scanning mode are vulnerable to this flaw, but an attacker could also use malicious chips to trigger the vulnerability, Google’s researchers note.

PoC code for both medium-severity flaws has been published on GitHub.

BlueZ, the official Linux Bluetooth protocol stack, has announced Linux kernel fixes that patch all three of these security issues, Intel reveals. The company notes that the vulnerabilities affect “all Linux kernel versions before 5.9 that support BlueZ.”

The tech giant recommends updating Linux kernel to version 5.9 or later. Provided that an update is not possible, several kernel fixes are available to address the issues.

Related: BLURtooth Vulnerability Can Allow Bluetooth MITM Attacks

Related: Critical Bluetooth Vulnerability Exposes Android Devices to Attacks

Related: Bluetooth Vulnerability Allows Attackers to Impersonate Previously Paired Devices