Vulnerabilities > CVE-2008-2374 - Improper Validation of Specified Quantity in Input vulnerability in multiple products
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
src/sdp.c in bluez-libs 3.30 in BlueZ, and other bluez-libs before 3.34 and bluez-utils before 3.34 versions, does not validate string length fields in SDP packets, which allows remote SDP servers to cause a denial of service or possibly have unspecified other impact via a crafted length field that triggers excessive memory allocation or a buffer over-read.
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | 4 |
OS | 2 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-145.NASL description An input validation flaw was found in the Bluetooth Session Description Protocol (SDP) packet parser used in the Bluez bluetooth utilities. A bluetooth device with an already-trusted relationship, or a local user registering a service record via a UNIX socket or D-Bus interface, could cause a crash and potentially execute arbitrary code with the privileges of the hcid daemon (CVE-2008-2374). The updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 37587 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37587 title Mandriva Linux Security Advisory : bluez (MDVSA-2008:145) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2008:145. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(37587); script_version ("1.13"); script_cvs_date("Date: 2019/08/02 13:32:50"); script_cve_id("CVE-2008-2374"); script_bugtraq_id(30105); script_xref(name:"MDVSA", value:"2008:145"); script_name(english:"Mandriva Linux Security Advisory : bluez (MDVSA-2008:145)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An input validation flaw was found in the Bluetooth Session Description Protocol (SDP) packet parser used in the Bluez bluetooth utilities. 
A bluetooth device with an already-trusted relationship, or a local user registering a service record via a UNIX socket or D-Bus interface, could cause a crash and potentially execute arbitrary code with the privileges of the hcid daemon (CVE-2008-2374). The updated packages have been patched to correct this issue." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:bluez-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:bluez-utils-alsa"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:bluez-utils-cups"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:bluez-utils-gstreamer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64bluez-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64bluez2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64bluez2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libbluez-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libbluez2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libbluez2-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1"); script_set_attribute(attribute:"patch_publication_date", value:"2008/07/14"); 
script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2007.1", reference:"bluez-utils-3.9-5.1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"bluez-utils-cups-3.9-5.1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", cpu:"x86_64", reference:"lib64bluez2-3.9-1.1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", cpu:"x86_64", reference:"lib64bluez2-devel-3.9-1.1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"libbluez2-3.9-1.1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"libbluez2-devel-3.9-1.1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"bluez-utils-3.15-3.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"bluez-utils-cups-3.15-3.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64bluez-devel-3.15-1.1mdv2008.0", yank:"mdv")) flag++; if 
(rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64bluez2-3.15-1.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libbluez-devel-3.15-1.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libbluez2-3.15-1.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"bluez-utils-3.28-1.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"bluez-utils-alsa-3.28-1.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"bluez-utils-cups-3.28-1.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"bluez-utils-gstreamer-3.28-1.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", cpu:"x86_64", reference:"lib64bluez-devel-3.28-1.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", cpu:"x86_64", reference:"lib64bluez2-3.28-1.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", cpu:"i386", reference:"libbluez-devel-3.28-1.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", cpu:"i386", reference:"libbluez2-3.28-1.1mdv2008.1", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0581.NASL description Updated bluez-libs and bluez-utils packages that fix a security flaw are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The bluez-libs package contains libraries for use in Bluetooth applications. The bluez-utils package contains Bluetooth daemons and utilities. An input validation flaw was found in the Bluetooth Session Description Protocol (SDP) packet parser used by the Bluez Bluetooth utilities. A Bluetooth device with an already-established trust relationship, or a local user registering a service record via a UNIX(r) socket or D-Bus interface, could cause a crash, or possibly execute arbitrary code with privileges of the hcid daemon. (CVE-2008-2374) Users of bluez-libs and bluez-utils are advised to upgrade to these updated packages, which contains a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 33497 published 2008-07-15 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33497 title RHEL 4 / 5 : bluez-libs and bluez-utils (RHSA-2008:0581) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2008:0581. The text # itself is copyright (C) Red Hat, Inc. 
# include("compat.inc"); if (description) { script_id(33497); script_version ("1.26"); script_cvs_date("Date: 2019/10/25 13:36:13"); script_cve_id("CVE-2008-2374"); script_bugtraq_id(30105); script_xref(name:"RHSA", value:"2008:0581"); script_name(english:"RHEL 4 / 5 : bluez-libs and bluez-utils (RHSA-2008:0581)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated bluez-libs and bluez-utils packages that fix a security flaw are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The bluez-libs package contains libraries for use in Bluetooth applications. The bluez-utils package contains Bluetooth daemons and utilities. An input validation flaw was found in the Bluetooth Session Description Protocol (SDP) packet parser used by the Bluez Bluetooth utilities. A Bluetooth device with an already-established trust relationship, or a local user registering a service record via a UNIX(r) socket or D-Bus interface, could cause a crash, or possibly execute arbitrary code with privileges of the hcid daemon. (CVE-2008-2374) Users of bluez-libs and bluez-utils are advised to upgrade to these updated packages, which contains a backported patch to correct this issue." 
); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-2374" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2008:0581" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez-libs-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez-utils-cups"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.2"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/07/07"); script_set_attribute(attribute:"patch_publication_date", value:"2008/07/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/07/15"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x / 5.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2008:0581"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL4", cpu:"i386", reference:"bluez-libs-2.10-3")) flag++; if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"bluez-libs-2.10-3")) flag++; if (rpm_check(release:"RHEL4", cpu:"i386", reference:"bluez-libs-devel-2.10-3")) flag++; if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"bluez-libs-devel-2.10-3")) flag++; if (rpm_check(release:"RHEL4", cpu:"i386", reference:"bluez-utils-2.10-2.4")) 
flag++; if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"bluez-utils-2.10-2.4")) flag++; if (rpm_check(release:"RHEL4", cpu:"i386", reference:"bluez-utils-cups-2.10-2.4")) flag++; if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"bluez-utils-cups-2.10-2.4")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"bluez-libs-3.7-1.1")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"bluez-libs-3.7-1.1")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"bluez-libs-devel-3.7-1.1")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"bluez-libs-devel-3.7-1.1")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"bluez-utils-3.7-2.2")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"bluez-utils-3.7-2.2")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"bluez-utils-cups-3.7-2.2")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"bluez-utils-cups-3.7-2.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bluez-libs / bluez-libs-devel / bluez-utils / bluez-utils-cups"); } }
NASL family Fedora Local Security Checks NASL id FEDORA_2008-6133.NASL description The remote Fedora host is missing one or more security updates : bluez-utils-3.35-3.fc9 : - Thu Jul 10 2008 - Will Woods <wwoods at redhat.com> - 3.35-3 - Re-add hid2hci - Fri Jul 4 2008 - Bastien Nocera <bnocera at redhat.com> - 3.35-2 - Re-enable hidd - Thu Jul 3 2008 - Bastien Nocera <bnocera at redhat.com> - 3.35-1 - Update to 3.35 - Fri Jun 27 2008 - Bastien Nocera <bnocera at redhat.com> - 3.34-1 - Update to 3.34 - Thu Jun 12 2008 - Bastien Nocera <bnocera at redhat.com> - 3.32-1 - Update to 3.32 bluez-libs-3.35-1.fc9 : - Thu Jul 3 2008 - Bastien Nocera <bnocera at redhat.com> - 3.35-1 - Update to 3.35 - Fri Jun 27 2008 - Bastien Nocera <bnocera at redhat.com> - 3.34-1 - Update to 3.34 - Thu Jun 12 2008 - Bastien Nocera <bnocera at redhat.com> - 3.32-1 - Update to 3.32 - Fri Apr 18 2008 Peter Jones <pjones at redhat.com> - Make bluez-libs-devel own /usr/include/bluetooth/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 34124 published 2008-09-10 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34124 title Fedora 9 : bluez-libs-3.35-1.fc9 / bluez-utils-3.35-3.fc9 (2008-6133) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2008-6133. 
# include("compat.inc"); if (description) { script_id(34124); script_version ("1.15"); script_cvs_date("Date: 2019/08/02 13:32:28"); script_cve_id("CVE-2008-2374"); script_bugtraq_id(30105); script_xref(name:"FEDORA", value:"2008-6133"); script_name(english:"Fedora 9 : bluez-libs-3.35-1.fc9 / bluez-utils-3.35-3.fc9 (2008-6133)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote Fedora host is missing one or more security updates : bluez-utils-3.35-3.fc9 : - Thu Jul 10 2008 - Will Woods <wwoods at redhat.com> - 3.35-3 - Re-add hid2hci - Fri Jul 4 2008 - Bastien Nocera <bnocera at redhat.com> - 3.35-2 - Re-enable hidd - Thu Jul 3 2008 - Bastien Nocera <bnocera at redhat.com> - 3.35-1 - Update to 3.35 - Fri Jun 27 2008 - Bastien Nocera <bnocera at redhat.com> - 3.34-1 - Update to 3.34 - Thu Jun 12 2008 - Bastien Nocera <bnocera at redhat.com> - 3.32-1 - Update to 3.32 bluez-libs-3.35-1.fc9 : - Thu Jul 3 2008 - Bastien Nocera <bnocera at redhat.com> - 3.35-1 - Update to 3.35 - Fri Jun 27 2008 - Bastien Nocera <bnocera at redhat.com> - 3.34-1 - Update to 3.34 - Thu Jun 12 2008 - Bastien Nocera <bnocera at redhat.com> - 3.32-1 - Update to 3.32 - Fri Apr 18 2008 Peter Jones <pjones at redhat.com> - Make bluez-libs-devel own /usr/include/bluetooth/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." 
); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=452715" ); # https://lists.fedoraproject.org/pipermail/package-announce/2008-September/013764.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ac832c0a" ); # https://lists.fedoraproject.org/pipermail/package-announce/2008-September/013765.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?62f0b15d" ); script_set_attribute( attribute:"solution", value:"Update the affected bluez-libs and / or bluez-utils packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:bluez-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:bluez-utils"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:9"); script_set_attribute(attribute:"patch_publication_date", value:"2008/09/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, 
"Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 9.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC9", reference:"bluez-libs-3.35-1.fc9")) flag++; if (rpm_check(release:"FC9", reference:"bluez-utils-3.35-3.fc9")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bluez-libs / bluez-utils"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2008-6140.NASL description The remote Fedora host is missing one or more security updates : bluez-utils-3.35-3.fc8 : - Thu Jul 10 2008 - Will Woods <wwoods at redhat.com> - 3.35-3 - Re-add hid2hci - Fri Jul 4 2008 - Bastien Nocera <bnocera at redhat.com> - 3.35-2 - Re-add hidd - Thu Jul 3 2008 - Bastien Nocera <bnocera at redhat.com> - 3.35-1 - Update to 3.35 - Fri Jun 27 2008 - Bastien Nocera <bnocera at redhat.com> - 3.34-1 - Update to 3.34 - Wed Mar 26 2008 - Bastien Nocera <bnocera at redhat.com> - 3.20-7 - Add patch to avoid a kernel oops when switching from HID to HCI mode (#228755) - Fri Jan 25 2008 - Bastien Nocera <bnocera at redhat.com> - 3.20-6 - Avoid dund and pand starting too early (#429489) - Fri Jan 25 2008 - Bastien Nocera <bnocera at redhat.com> - 3.20-5 - Fix hcid trying to find the OUI file somewhere in /var (#428803) bluez-libs-3.35-1.fc8 : - Thu Jul 3 2008 - Bastien Nocera <bnocera at redhat.com> - 3.35-1 - Update to 3.35 - Fri Jun 27 2008 - Bastien Nocera <bnocera at redhat.com> - 3.34-1 - Update to 3.34 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 34421 published 2008-10-16 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34421 title Fedora 8 : bluez-libs-3.35-1.fc8 / bluez-utils-3.35-3.fc8 (2008-6140) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2008-6140. 
# include("compat.inc"); if (description) { script_id(34421); script_version ("1.15"); script_cvs_date("Date: 2019/08/02 13:32:28"); script_cve_id("CVE-2008-2374"); script_bugtraq_id(30105); script_xref(name:"FEDORA", value:"2008-6140"); script_name(english:"Fedora 8 : bluez-libs-3.35-1.fc8 / bluez-utils-3.35-3.fc8 (2008-6140)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote Fedora host is missing one or more security updates : bluez-utils-3.35-3.fc8 : - Thu Jul 10 2008 - Will Woods <wwoods at redhat.com> - 3.35-3 - Re-add hid2hci - Fri Jul 4 2008 - Bastien Nocera <bnocera at redhat.com> - 3.35-2 - Re-add hidd - Thu Jul 3 2008 - Bastien Nocera <bnocera at redhat.com> - 3.35-1 - Update to 3.35 - Fri Jun 27 2008 - Bastien Nocera <bnocera at redhat.com> - 3.34-1 - Update to 3.34 - Wed Mar 26 2008 - Bastien Nocera <bnocera at redhat.com> - 3.20-7 - Add patch to avoid a kernel oops when switching from HID to HCI mode (#228755) - Fri Jan 25 2008 - Bastien Nocera <bnocera at redhat.com> - 3.20-6 - Avoid dund and pand starting too early (#429489) - Fri Jan 25 2008 - Bastien Nocera <bnocera at redhat.com> - 3.20-5 - Fix hcid trying to find the OUI file somewhere in /var (#428803) bluez-libs-3.35-1.fc8 : - Thu Jul 3 2008 - Bastien Nocera <bnocera at redhat.com> - 3.35-1 - Update to 3.35 - Fri Jun 27 2008 - Bastien Nocera <bnocera at redhat.com> - 3.34-1 - Update to 3.34 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." 
); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=452715" ); # https://lists.fedoraproject.org/pipermail/package-announce/2008-October/015336.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?62f1315e" ); # https://lists.fedoraproject.org/pipermail/package-announce/2008-October/015337.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3177f5b5" ); script_set_attribute( attribute:"solution", value:"Update the affected bluez-libs and / or bluez-utils packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:bluez-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:bluez-utils"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:8"); script_set_attribute(attribute:"patch_publication_date", value:"2008/10/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/10/16"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, 
"Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 8.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC8", reference:"bluez-libs-3.35-1.fc8")) flag++; if (rpm_check(release:"FC8", reference:"bluez-utils-3.35-3.fc8")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bluez-libs / bluez-utils"); }
NASL family SuSE Local Security Checks NASL id SUSE_BLUEZ-AUDIO-5441.NASL description Missing length checks in bluez-libs could cause a buffer overflow in Bluetooth applications. Malicious bluetooth devices could potentially exploit that to execute arbitrary code (CVE-2008-2374). Note: The source code of each application that uses vulnerable functions of bluez-libs needs to be adapted to actually fix the problem. last seen 2020-06-01 modified 2020-06-02 plugin id 34289 published 2008-09-25 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34289 title openSUSE 10 Security Update : bluez-audio (bluez-audio-5441) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0581.NASL description From Red Hat Security Advisory 2008:0581 : Updated bluez-libs and bluez-utils packages that fix a security flaw are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The bluez-libs package contains libraries for use in Bluetooth applications. The bluez-utils package contains Bluetooth daemons and utilities. An input validation flaw was found in the Bluetooth Session Description Protocol (SDP) packet parser used by the Bluez Bluetooth utilities. A Bluetooth device with an already-established trust relationship, or a local user registering a service record via a UNIX(r) socket or D-Bus interface, could cause a crash, or possibly execute arbitrary code with privileges of the hcid daemon. (CVE-2008-2374) Users of bluez-libs and bluez-utils are advised to upgrade to these updated packages, which contains a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 67723 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/67723 title Oracle Linux 4 / 5 : bluez-libs / bluez-utils (ELSA-2008-0581) NASL family SuSE Local Security Checks NASL id SUSE_BLUEZ-CUPS-5437.NASL description Missing length checks in bluez-libs could cause a buffer overflow in Bluetooth applications. Malicious bluetooth devices could potentially exploit that to execute arbitrary code. (CVE-2008-2374) Note: The source code of each application that uses vulnerable functions of bluez-libs needs to be adapted to actually fix the problem. last seen 2020-06-01 modified 2020-06-02 plugin id 34276 published 2008-09-24 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34276 title SuSE 10 Security Update : Bluetooth utilities (ZYPP Patch Number 5437) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0581.NASL description Updated bluez-libs and bluez-utils packages that fix a security flaw are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The bluez-libs package contains libraries for use in Bluetooth applications. The bluez-utils package contains Bluetooth daemons and utilities. An input validation flaw was found in the Bluetooth Session Description Protocol (SDP) packet parser used by the Bluez Bluetooth utilities. A Bluetooth device with an already-established trust relationship, or a local user registering a service record via a UNIX(r) socket or D-Bus interface, could cause a crash, or possibly execute arbitrary code with privileges of the hcid daemon. (CVE-2008-2374) Users of bluez-libs and bluez-utils are advised to upgrade to these updated packages, which contains a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 43698 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43698 title CentOS 4 / 5 : bluez-libs / bluez-utils (CESA-2008:0581) NASL family Scientific Linux Local Security Checks NASL id SL_20080714_BLUEZ_LIBS_AND_BLUEZ_UTILS_ON_SL4_X.NASL description An input validation flaw was found in the Bluetooth Session Description Protocol (SDP) packet parser used by the Bluez Bluetooth utilities. A Bluetooth device with an already-established trust relationship, or a local user registering a service record via a UNIX® socket or D-Bus interface, could cause a crash, or possibly execute arbitrary code with privileges of the hcid daemon. (CVE-2008-2374) last seen 2020-06-01 modified 2020-06-02 plugin id 60439 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60439 title Scientific Linux Security Update : bluez-libs and bluez-utils on SL4.x, SL5.x i386/x86_64 NASL family SuSE Local Security Checks NASL id SUSE_11_0_BLUEZ-AUDIO-080716.NASL description Missing length checks in bluez-libs could cause a buffer overflow in Bluetooth applications. Malicious bluetooth devices could potentially exploit that to execute arbitrary code (CVE-2008-2374). Note: The source code of each application that uses vulnerable functions of bluez-libs needs to be adapted to actually fix the problem. last seen 2020-06-01 modified 2020-06-02 plugin id 39922 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39922 title openSUSE Security Update : bluez-audio (bluez-audio-100) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200903-29.NASL description The remote host is affected by the vulnerability described in GLSA-200903-29 (BlueZ: Arbitrary code execution) It has been reported that the Bluetooth packet parser does not validate string length fields in SDP packets. 
Impact : A physically proximate attacker using a Bluetooth device with an already established trust relationship could send specially crafted requests, possibly leading to arbitrary code execution or a crash. Exploitation may also be triggered by a local attacker registering a service record via a UNIX socket or D-Bus interface. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 35942 published 2009-03-17 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35942 title GLSA-200903-29 : BlueZ: Arbitrary code execution
Oval
accepted | 2013-04-29T04:23:48.149-04:00
class | vulnerability
contributors |
definition_extensions |
description | src/sdp.c in bluez-libs 3.30 in BlueZ, and other bluez-libs before 3.34 and bluez-utils before 3.34 versions, does not validate string length fields in SDP packets, which allows remote SDP servers to cause a denial of service or possibly have unspecified other impact via a crafted length field that triggers excessive memory allocation or a buffer over-read.
family | unix
id | oval:org.mitre.oval:def:9973
status | accepted
submitted | 2010-07-09T03:56:16-04:00
title | src/sdp.c in bluez-libs 3.30 in BlueZ, and other bluez-libs before 3.34 and bluez-utils before 3.34 versions, does not validate string length fields in SDP packets, which allows remote SDP servers to cause a denial of service or possibly have unspecified other impact via a crafted length field that triggers excessive memory allocation or a buffer over-read.
version | 27
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 30105 CVE(CAN) ID: CVE-2008-2374 BlueZ是官方的Linux蓝牙协议栈。 BlueZ的SDP解析代码盲目地信任了入站SDP报文中的字符串长度字段,如果远程攻击者向SDP查询发送了恶意响应的话,就可以触发缓冲区溢出,导致拒绝服务或执行任意代码。 以下是bluez-libs-3.30/src/sdp.c文件中的漏洞代码段: /* extract_str(): decodes one SDP text/URL string element starting at p into a newly allocated sdp_data_t and adds the bytes consumed to *len. It returns 0 when the descriptor byte is not one of the four string descriptors. It is never told how many bytes remain in the packet, so none of the reads below can be bounded. */ 972 static sdp_data_t *extract_str(const void *p, int *len) 973 { 974 char *s; 975 int n; 976 sdp_data_t *d = malloc(sizeof(sdp_data_t)); /* unchecked: the memset() below dereferences d even when malloc fails */ 977 978 memset(d, 0, sizeof(sdp_data_t)); 979 d->dtd = *(uint8_t *) p; /* descriptor byte read before anything confirms a byte is left in the packet */ 980 p += sizeof(uint8_t); 981 *len += sizeof(uint8_t); 982 983 switch (d->dtd) { 984 case SDP_TEXT_STR8: 985 case SDP_URL_STR8: 986 n = *(uint8_t *) p; // <-- from the incoming packet 987 p += sizeof(uint8_t); 988 *len += sizeof(uint8_t) + n; // <-- blindly trusted here, may advance parser past end of packet 989 break; 990 case SDP_TEXT_STR16: 991 case SDP_URL_STR16: 992 n = ntohs(bt_get_unaligned((uint16_t *) p)); // <-- from the incoming packet /* n is at most UINT16_MAX here, but nothing compares it with the bytes still in the packet */ 993 p += sizeof(uint16_t); 994 *len += sizeof(uint16_t) + n; // <-- blindly trusted here, may advance parser past end of packet 995 break; 996 default: 997 SDPERR("Sizeof text string > UINT16_MAX\n"); /* message is misleading: this branch is reached for any dtd other than the four string descriptors, not for an oversized string */ 998 free(d); 999 return 0; 1000 } 1001 1002 s = malloc(n + 1); // <-- really blindly trusted here, also no NULL checking /* n + 1 cannot overflow int (n <= UINT16_MAX), but s is unchecked and memset()/memcpy() dereference it */ 1003 memset(s, 0, n + 1); 1004 memcpy(s, p, n); /* copies n bytes from the packet with no bound on what remains: this is the over-read the advisory describes */ 1005 1006 SDPDBG("Len : %d\n", n); 1007 SDPDBG("Str : %s\n", s); /* %s is safe only because memset() zeroed s[n] */ 1008 1009 d->val.str = s; 1010 d->unitSize = n + sizeof(uint8_t); // <-- more blind trust /* unitSize is derived from the same unchecked n */ 1011 return d; 1012 } 漏洞的起因在1125行,sdp_extract_pdu()函数没有对长度字段执行正确的检查,导致了上述漏洞。 BlueZ 3.34 BlueZ ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.bluez.org/ target=_blank>http://www.bluez.org/</a> |
id | SSV:3575 |
last seen | 2017-11-19 |
modified | 2008-07-09 |
published | 2008-07-09 |
reporter | Root |
title | BlueZ SDP负载处理多个缓冲区溢出漏洞 |
References
- http://sourceforge.net/mailarchive/message.php?msg_name=b32d44000806161327u680c290au54fd21f2fef1d58e%40mail.gmail.com
- http://www.bluez.org/bluez-334/
- http://secunia.com/advisories/30957
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:145
- http://www.securityfocus.com/bid/30105
- http://secunia.com/advisories/31057
- http://www.redhat.com/support/errata/RHSA-2008-0581.html
- http://secunia.com/advisories/31833
- https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00233.html
- https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00396.html
- http://secunia.com/advisories/32279
- http://secunia.com/advisories/32099
- http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html
- http://secunia.com/advisories/34280
- http://security.gentoo.org/glsa/glsa-200903-29.xml
- http://www.vupen.com/english/advisories/2008/2096/references
- http://www.securitytracker.com/id?1020479
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9973