Google, Intel Warn on ‘Zero-Click’ Kernel Bug in Linux-Based IoT Devices

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
Google and Intel are warning of a high-severity flaw in BlueZ, the Linux Bluetooth protocol stack that provides support for core Bluetooth layers and protocols to Linux-based internet of things (IoT) devices.

According to Google, the vulnerability affects users of Linux kernel versions before 5.9 that support BlueZ. BlueZ, which is an open-source project distributed under GNU General Public License (GPL), features the BlueZ kernel that has been part of the official Linux kernel since version 2.4.6.

The flaw, which Google calls “BleedingTooth,” can be exploited in a “zero-click” attack via specially crafted input, by a local, unauthenticated attacker. This could potentially allow for escalated privileges on affected devices.

“A remote attacker in short distance knowing the victim’s bd [Bluetooth] address can send a malicious l2cap [Logical Link Control and Adaptation Layer Protocol] packet and cause denial of service or possibly arbitrary code execution with kernel privileges,” according to a Google post on Github. “Malicious Bluetooth chips can trigger the vulnerability as well.”

The flaw (CVE-2020-12351) ranks 8.3 out of 10 on the CVSS scale, making it high-severity. It specifically stems from a heap-based type confusion in net/bluetooth/l2cap_core.c. A type-confusion vulnerability is a specific bug that can lead to out-of-bounds memory access and can lead to code execution or component crashes that an attacker can exploit. In this case, the issue is that there is insufficient validation of user-supplied input within the BlueZ implementation in Linux kernel.

Intel, meanwhile, which has placed “significant investment” in BlueZ, addressed the security issue in a Tuesday advisory, recommending that users update the Linux kernel to version 5.9 or later.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top