Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Google Intel Privacy Linux

Google and Intel Warn of High-Severity Bluetooth Security Bug In Linux (arstechnica.com) 41

An anonymous reader quotes a report from Ars Technica: Google and Intel are warning of a high-severity Bluetooth flaw in all but the most recent version of the Linux Kernel. While a Google researcher said the bug allows seamless code execution by attackers within Bluetooth range, Intel is characterizing the flaw as providing an escalation of privileges or the disclosure of information. The flaw resides in BlueZ, the software stack that by default implements all Bluetooth core protocols and layers for Linux. Besides Linux laptops, it's used in many consumer or industrial Internet-of-things devices. It works with Linux versions 2.4.6 and later. So far, little is known about BleedingTooth, the name given by Google engineer Andy Nguyen, who said that a blog post will be published "soon." A Twitter thread and a YouTube video provide the most detail and give the impression that the bug provides a reliable way for nearby attackers to execute malicious code of their choice on vulnerable Linux devices that use BlueZ for Bluetooth.

Intel, meanwhile, has issued this bare-bones advisory that categorizes the flaw as privilege-escalation or information-disclosure vulnerability. The advisory assigned a severity score of 8.3 out of a possible 10 to CVE-2020-12351, one of three distinct bugs that comprise BleedingTooth. "Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure," the advisory states. "BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities." Intel, which is a primary contributor to the BlueZ open source project, said that the most effective way to patch the vulnerabilities is to update to Linux kernel version 5.9, which was published on Sunday. Those who can't upgrade to version 5.9 can install a series of kernel patches the advisory links to. Maintainers of BlueZ didn't immediately respond to emails asking for additional details about this vulnerability.
Ars Technica points out that since BleedingTooth requires proximity to a vulnerable device, there's not much reason for people to worry about this vulnerability. "It also requires highly specialized knowledge and works on only a tiny fraction of the world's Bluetooth devices," it adds.
This discussion has been archived. No new comments can be posted.

Google and Intel Warn of High-Severity Bluetooth Security Bug In Linux

Comments Filter:
  • by sk999 ( 846068 ) on Wednesday October 14, 2020 @08:43PM (#60608562)

    sudo systemctl stop bluetooth

  • by oldgraybeard ( 2939809 ) on Wednesday October 14, 2020 @08:43PM (#60608564)
    I usually turn off Bluetooth when I remember after installs ;) lol
    I normally use wired everything. But I am starting to play with Bluetooth on a pi so this maybe an issue.
  • Windows used to have a reasonable file-transfer over Bluetooth, but they broke it so bad it's difficult to use. Windows won't generally reconnect Bluetooth devices.Apple works to connect--even if the laptop appears to be sleeping. Android also doesn't reconnect very well. Bluetooth never really became a good transceiver for mice because of latency and power issues. Well, at least this Linux Bluetooth bug was submitted. And now for the rest of the mess?
    • I'd rather just plug in a cable to transfer files, really. If I have to do it over a wireless network, it'd be 802.11something.

    • > And now for the rest of the mess?

      The news from a couple weeks ago is that Bluetooth's pairing mechanism is irreparably broken when Bluetooth LE is available.

      Some researchers did the work to run it through a formal verifier, and bad news came out the other end.

      Whoopsie, but also this is a recurring and very dangerous problem. Bluetooth and WiFi are done in secret by an industry consortium and they're always broken (WiFI 6 is insecure out of the gate - wait for the update). The IETF and RFC process is

  • Seems like Bluetooth has been pretty open from the start. And Bluetooth audio is a mess of different standards and quality. Bluetooth speakers are an abomination. Every Bluetooth speaker should be collected and destroyed.
    • "Every Bluetooth speaker should be collected and destroyed." - Just when I got used to the nice Chinese lady yelling at me: "Your Bluetooth device is uh, ready to pal!!!"
    • Spoken like someone who hasn't used a modern bluetooth audio device. Yes, if you use the lowest-common-denominator SBC codec you get bitcrushed garbage, just like in the early days of low-bitrate MP3. Did you try to tell the world that MP3 was useless and should be set on fire then, and someone subsequently told you to turn on VBR transcoding and all of a sudden it wasn't artifacted and terrible?

      This is the same thing. Try using AAC or AptX encoding over the bluetooth link which you can find in most stuf

  • by Rosco P. Coltrane ( 209368 ) on Wednesday October 14, 2020 @09:15PM (#60608622)

    I'm always slightly annoyed with those articles about "severe bugs" found in this or that software stack. To do a proper risk analysis [advisera.com], you need to know at least the impact and probability of occurrence. Sensationalist articles always ever report on severity and nothing else.

    In this case, the risk is low.

    • by raymorris ( 2726007 ) on Wednesday October 14, 2020 @10:46PM (#60608772) Journal

      As you may know, the CVSS score includes likelihood of exploit. Somebody with knowledge of the vulnerabilty scored it on CVSS and it got an 8.3 (of 10). That's pretty high.

      A CVSS 10 would be last month's Active Directory vulnerability that allows just anyone to become domain admin and completely destroy your entire company. So 8.3 is pretty high, if that rating is accurate.

      "If" is a big word here because very little information has been released at this point. I'll be curious to see what comes out in the next few days.

    • Re: (Score:3, Insightful)

      by Canberra1 ( 3475749 )
      The risk is HIGH. Because nobody is taught bench-testing these days, and no employer dares approve things like state testing, especially on protocols that have been extended to multiple times since original conception. Heartbleed, TCP/IP, SMB, Negotiation, error recovery - you name it. Every single protocol since SNA (as good as benchmark as any) has not only been defective, but also passed many reviews(excluding OpenBSD because their auditors seem well trained). The risk is high, because once a protocol fa
      • > Lastly, the risk is high, because tacked on extensions are usually hurried to market with inadequate testing.

        It's exacerbated by object oriented programming, which programmers are discouraged or even explicitly discouraged from reviewing the other layers of the stack for violations of their published API or for the mismatches between the specification and the actual implementation. Extremely narrow focus on very limited tasks can be productive, but the person or people who understand interactions ofte

        • Re: (Score:3, Informative)

          by krenaud ( 1058876 )

          It's exacerbated by object oriented programming, which programmers are discouraged or even explicitly discouraged from reviewing the other layers of the stack for violations of their published API or for the mismatches between the specification and the actual implementation.

          What? In what respect does OOP differ from any other programming paradigm when it comes to using other layers / libraries? Regardless if I am using C, assembler, C++, C# or F# I expect that functions / APIs / libraries / OS calls fulfil their promise. If I had to verify the whole stack including glibc and kernel each time I wrote code I wouldn't get much actual coding done. The BT code in question is written in C (not object oriented) and the bug is due unitialized stack variables and making a callback wit

          • by Antique Geekmeister ( 740220 ) on Thursday October 15, 2020 @03:26AM (#60609154)

            > In what respect does OOP differ from any other programming paradigm when it comes to using other layers / libraries

            It's the insistence that there is no point to looking at other layers, and the active punishment of programmers or students who dare to look at the other layers. It encourages unit testing that tests only the one desired new feature, and doesn't test the interaction with the rest of the stack.

            • by nagora ( 177841 )

              > In what respect does OOP differ from any other programming paradigm when it comes to using other layers / libraries

              It's the insistence that there is no point to looking at other layers, and the active punishment of programmers or students who dare to look at the other layers. It encourages unit testing that tests only the one desired new feature, and doesn't test the interaction with the rest of the stack.

              This is not OOP's problem. This is C++/Java's problem. C++ doesn't really qualify as an OOPL.

            • by sjames ( 1099 )

              That sounds more like a management/cultural issue. There isn't anything in OOP that either encourages or discourages looking past the API of the layer you are interacting with.

              You can just as easily just assume the functions you are calling do what they say they do correctly with procedural or functional programming styles.

              • > You can just as easily just assume the functions you are calling do what they say

                That is _precisely_ the problem, I've been running into the approach since "object oriented" programming became popular, the developers and programmers are taught, sometimes even forcefully, not to look past the nearet level of abstraction.

                • by sjames ( 1099 )

                  But that's not an OOP problem. It happens for functional and procedural programming as well.

          • by Canberra1 ( 3475749 ) on Thursday October 15, 2020 @06:26AM (#60609334)
            Uninitialized variables is taught in first semester CS, or you don't pass. People who call other peoples code usually just copy an example somewhere, because railway diagrams are forgotten. I wonder if they were fetching an 'old' include for stack variables. IF every new strucure has a unique revision stamp, then it would be possible to scan code before it goes out of the door. In DB2 parlance, there should be no -805's, ever, if people are trained.
          • by tlhIngan ( 30335 )

            The BT code in question is written in C (not object oriented) and the bug is due unitialized stack variables and making a callback without checking if a handler has been set. The main reason we are seeing bugs like this pop up again and again is that we are still relying on code written in languages that do not protect against these type of bugs.

            And every compiler has an uninitialized variable warning in it in C. Usually along the lines of "variable might be used uninitialized here". Granted, that's all the

    • by AmiMoJo ( 196126 )

      We don't have enough detail to make our own risk assessment so can only take Google and Intel's word for it. From what they have released it sounds severe. A remote attacker within Bluetooth range (hundreds of meters with a decent antenna, more with the right equipment) has remote code execution and privilege escalation capability.

  • couldn't they just... uh... fix it?

    I get why these security advisories exist for other OS's, since they can't just be downloaded and patched.

    But this is Linux's reason for existing.

    • by dargaud ( 518470 )
      Yes, but you'll always have older versions in the wild, particularly on IOT devices which hardly ever receive updates.
  • It's a good thing we haven't recently been asking people to continuously enable Bluetooth on their phones to enable contact tracing...

Life is a whim of several billion cells to be you for a while.

Working...