Google and Intel warn of higher-severity Bluetooth security bug in Linux

Stylized image of a floating padlock.

Google and Intel are warning of a superior-severity Bluetooth flaw in all but the most recent model of the Linux Kernel. Though a Google researcher stated the bug permits seamless code execution by attackers inside of Bluetooth assortment, Intel is characterizing the flaw as providing an escalation of privileges or the disclosure of information and facts.

The flaw resides in BlueZ, the application stack that by default implements all Bluetooth core protocols and levels for Linux. Aside from Linux laptops, it really is used in quite a few shopper or industrial World-wide-web-of-matters devices. It works with Linux versions 2.4.6 and later on.

In look for of facts

So far, tiny is recognised about BleedingTooth, the title presented by Google engineer Andy Nguyen, who stated that a site put up will be posted “soon.” A Twitter thread and a YouTube video clip provide the most detail and give the impact that the bug provides a reliable way for close by attackers to execute destructive code of their choice on susceptible Linux products that use BlueZ for Bluetooth.

“BleedingTooth is a established of zero-simply click vulnerabilities in the Linux Bluetooth subsystem that can enable an unauthenticated remote attacker in brief length to execute arbitrary code with kernel privileges on vulnerable devices,” the researcher wrote. He reported his discovery was motivated by study that led to BlueBorne, an additional evidence-of-notion exploit that authorized attackers to deliver commands of their preference with no demanding system end users simply click any links, connect to a rogue Bluetooth device, or consider any other action small of acquiring Bluetooth turned on.

Below is the YouTube movie demonstrating how the exploit operates.

BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution

Intel, in the meantime, has issued this bare-bones advisory that categorizes the flaw as privilege-escalation or information and facts-disclosure vulnerability. The advisory assigned a severity rating of 8.3 out of a possible 10 to CVE-2020-12351, a person of a few distinctive bugs that comprise BleedingTooth.

“Potential protection vulnerabilities in BlueZ could let escalation of privilege or details disclosure,” the advisory states. “BlueZ is releasing Linux kernel fixes to tackle these opportunity vulnerabilities.”

Intel, which is a primary contributor to the BlueZ open up resource undertaking, said that the most helpful way to patch the vulnerabilities is to update to Linux kernel variation 5.9, which was posted on Sunday. Those who cannot up grade to version 5.9 can put in a collection of kernel patches the advisory back links to. Maintainers of BlueZ did not immediately respond to email messages asking for added particulars about this vulnerability.

Resource connection


Don't worry we don't spam

We will be happy to hear your thoughts

      Leave a reply

      Enable registration in settings - general