Vulnerabilities > CVE-2017-1000250 - Information Exposure vulnerability in Bluez

047910
CVSS 6.5 - MEDIUM
Attack vector
ADJACENT_NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
low complexity
bluez
CWE-200
nessus

Summary

All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.

Vulnerable Configurations

Part Description Count
Application
Bluez
150

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0117_BLUEZ.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has bluez packages installed that are affected by a vulnerability: - An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. (CVE-2017-1000250) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127358
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127358
    titleNewStart CGSL MAIN 4.05 : bluez Vulnerability (NS-SA-2019-0117)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0117. The text
    # itself is copyright (C) ZTE, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127358);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/18 23:14:15");
    
      script_cve_id("CVE-2017-1000250");
    
      script_name(english:"NewStart CGSL MAIN 4.05 : bluez Vulnerability (NS-SA-2019-0117)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by a vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version MAIN 4.05, has bluez packages installed that are affected by a
    vulnerability:
    
      - An information-disclosure flaw was found in the
        bluetoothd implementation of the Service Discovery
        Protocol (SDP). A specially crafted Bluetooth device
        could, without prior pairing or user interaction,
        retrieve portions of the bluetoothd process memory,
        including potentially sensitive information such as
        Bluetooth encryption keys. (CVE-2017-1000250)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0117");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL bluez packages. Note that updated packages may not be available yet. Please contact ZTE for
    more information.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1000250");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL MAIN 4.05")
      audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL MAIN 4.05": [
        "bluez-4.66-2.el6_9",
        "bluez-libs-4.66-2.el6_9"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_NOTE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bluez");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1176.NASL
    descriptionThis update for bluez fixes the following vulnerabilities : - CVE-2016-7837: Buffer overflow in parse_line function (bsc#1026652) - CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req (bsc#1057342)
    last seen2020-06-05
    modified2017-10-23
    plugin id104080
    published2017-10-23
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104080
    titleopenSUSE Security Update : bluez (openSUSE-2017-1176) (BlueBorne)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2685.NASL
    descriptionAn update for bluez is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files. Security Fix(es) : * An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. (CVE-2017-1000250) Red Hat would like to thank Armis Labs for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id103172
    published2017-09-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103172
    titleRHEL 6 / 7 : bluez (RHSA-2017:2685) (BlueBorne)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-FE95A5B88B.NASL
    descriptionSecurity fix for CVE-2017-1000250 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-09-14
    plugin id103202
    published2017-09-14
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103202
    titleFedora 26 : bluez (2017-fe95a5b88b) (BlueBorne)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0510-1.NASL
    descriptionThis update for bluez fixes the following issues : Security issues fixed : CVE-2016-7837: Fixed possible buffer overflow, make sure we don
    last seen2020-06-01
    modified2020-06-02
    plugin id122530
    published2019-03-01
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122530
    titleSUSE SLES12 Security Update : bluez (SUSE-SU-2019:0510-1) (BlueBorne)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2685.NASL
    descriptionFrom Red Hat Security Advisory 2017:2685 : An update for bluez is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files. Security Fix(es) : * An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. (CVE-2017-1000250) Red Hat would like to thank Armis Labs for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id103166
    published2017-09-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103166
    titleOracle Linux 6 / 7 : bluez (ELSA-2017-2685) (BlueBorne)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1378.NASL
    descriptionAccording to the version of the bluez package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys.(CVE-2017-1000250) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124881
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124881
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : bluez (EulerOS-SA-2019-1378)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3413-1.NASL
    descriptionIt was discovered that an information disclosure vulnerability existed in the Service Discovery Protocol (SDP) implementation in BlueZ. A physically proximate unauthenticated attacker could use this to disclose sensitive information. (CVE-2017-1000250). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id103187
    published2017-09-13
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103187
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 : bluez vulnerability (USN-3413-1) (BlueBorne)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170912_BLUEZ_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. (CVE-2017-1000250)
    last seen2020-03-18
    modified2017-09-13
    plugin id103173
    published2017-09-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103173
    titleScientific Linux Security Update : bluez on SL6.x, SL7.x i386/x86_64 (20170912) (BlueBorne)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-2685.NASL
    descriptionAn update for bluez is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files. Security Fix(es) : * An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. (CVE-2017-1000250) Red Hat would like to thank Armis Labs for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id103145
    published2017-09-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103145
    titleCentOS 6 / 7 : bluez (CESA-2017:2685) (BlueBorne)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2017-2685.NASL
    descriptionAn update for bluez is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files. Security Fix(es) : * An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. (CVE-2017-1000250) Red Hat would like to thank Armis Labs for reporting this issue. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id119224
    published2018-11-27
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119224
    titleVirtuozzo 6 : bluez / bluez-alsa / bluez-compat / bluez-cups / etc (VZLSA-2017-2685)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1778-1.NASL
    descriptionThis update for bluez fixes the following issues: Security issues fixed : - CVE-2016-9800: Fix hcidump memory leak in pin_code_reply_dump() (bsc#1013721). - CVE-2016-9804: Fix hcidump buffer overflow in commands_dump() (bsc#1013877). - CVE-2016-7837: Fix possible buffer overflow, make sure we don
    last seen2020-06-01
    modified2020-06-02
    plugin id110661
    published2018-06-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110661
    titleSUSE SLED12 / SLES12 Security Update : bluez (SUSE-SU-2018:1778-1) (BlueBorne)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3972.NASL
    descriptionAn information disclosure vulnerability was discovered in the Service Discovery Protocol (SDP) in bluetoothd, allowing a proximate attacker to obtain sensitive information from bluetoothd process memory, including Bluetooth encryption keys.
    last seen2020-06-01
    modified2020-06-02
    plugin id103198
    published2017-09-14
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103198
    titleDebian DSA-3972-1 : bluez - security update (BlueBorne)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2017-258-01.NASL
    descriptionNew bluez packages are available for Slackware 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id103255
    published2017-09-18
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/103255
    titleSlackware 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : bluez (SSA:2017-258-01) (BlueBorne)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-77F991E537.NASL
    descriptionSecurity fix for CVE-2017-1000250 ---- - This update adds support for cable pairing for PlayStation 3 and 4 controllers. - Add scripts to automatically btattach serial-port / uart connected Broadcom HCIs found on some Atom based x86 hardware Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-15
    plugin id105904
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105904
    titleFedora 27 : bluez (2017-77f991e537) (BlueBorne)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1103.NASL
    descriptionThe SDP server in BlueZ is vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests. For Debian 7
    last seen2020-03-17
    modified2017-09-22
    plugin id103390
    published2017-09-22
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/103390
    titleDebian DLA-1103-1 : bluez security update (BlueBorne)

Redhat

advisories
bugzilla
id1489446
titleCVE-2017-1000250 bluez: Out-of-bounds heap read in service_search_attr_req function
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 6 is installed
      ovaloval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • commentbluez-gstreamer is earlier than 0:4.66-2.el6_9
          ovaloval:com.redhat.rhsa:tst:20172685001
        • commentbluez-gstreamer is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172685002
      • AND
        • commentbluez-compat is earlier than 0:4.66-2.el6_9
          ovaloval:com.redhat.rhsa:tst:20172685003
        • commentbluez-compat is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172685004
      • AND
        • commentbluez-cups is earlier than 0:4.66-2.el6_9
          ovaloval:com.redhat.rhsa:tst:20172685005
        • commentbluez-cups is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172685006
      • AND
        • commentbluez-libs-devel is earlier than 0:4.66-2.el6_9
          ovaloval:com.redhat.rhsa:tst:20172685007
        • commentbluez-libs-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172685008
      • AND
        • commentbluez-alsa is earlier than 0:4.66-2.el6_9
          ovaloval:com.redhat.rhsa:tst:20172685009
        • commentbluez-alsa is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172685010
      • AND
        • commentbluez is earlier than 0:4.66-2.el6_9
          ovaloval:com.redhat.rhsa:tst:20172685011
        • commentbluez is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172685012
      • AND
        • commentbluez-libs is earlier than 0:4.66-2.el6_9
          ovaloval:com.redhat.rhsa:tst:20172685013
        • commentbluez-libs is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172685014
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentbluez-cups is earlier than 0:5.44-4.el7_4
          ovaloval:com.redhat.rhsa:tst:20172685016
        • commentbluez-cups is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172685006
      • AND
        • commentbluez-hid2hci is earlier than 0:5.44-4.el7_4
          ovaloval:com.redhat.rhsa:tst:20172685017
        • commentbluez-hid2hci is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172685018
      • AND
        • commentbluez-libs-devel is earlier than 0:5.44-4.el7_4
          ovaloval:com.redhat.rhsa:tst:20172685019
        • commentbluez-libs-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172685008
      • AND
        • commentbluez is earlier than 0:5.44-4.el7_4
          ovaloval:com.redhat.rhsa:tst:20172685020
        • commentbluez is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172685012
      • AND
        • commentbluez-libs is earlier than 0:5.44-4.el7_4
          ovaloval:com.redhat.rhsa:tst:20172685021
        • commentbluez-libs is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172685014
rhsa
idRHSA-2017:2685
released2017-09-12
severityModerate
titleRHSA-2017:2685: bluez security update (Moderate)
rpms
  • bluez-0:4.66-2.el6_9
  • bluez-0:5.44-4.el7_4
  • bluez-alsa-0:4.66-2.el6_9
  • bluez-compat-0:4.66-2.el6_9
  • bluez-cups-0:4.66-2.el6_9
  • bluez-cups-0:5.44-4.el7_4
  • bluez-debuginfo-0:4.66-2.el6_9
  • bluez-debuginfo-0:5.44-4.el7_4
  • bluez-gstreamer-0:4.66-2.el6_9
  • bluez-hid2hci-0:5.44-4.el7_4
  • bluez-libs-0:4.66-2.el6_9
  • bluez-libs-0:5.44-4.el7_4
  • bluez-libs-devel-0:4.66-2.el6_9
  • bluez-libs-devel-0:5.44-4.el7_4

Seebug

bulletinFamilyexploit
description### General Overview Armis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them. The new vector is dubbed “BlueBorne”, as it spread through the air (airborne) and attacks devices via Bluetooth. Armis has also disclosed eight related zero-day vulnerabilities, four of which are classified as critical. BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware laterally to adjacent devices. Armis reported these vulnerabilities to the responsible actors, and is working with them as patches are being identified and released. Here is a quick overview of how BlueBorne works: https://youtu.be/LLNtZKpL0P8 #### Blueborne Brief Overview What Is BlueBorne? BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode. Armis Labs has identified eight zero-day vulnerabilities so far, which indicate the existence and potential of the attack vector. Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as Man-in-The-Middle attacks. Additional Information: Download our Technical White Paper on BlueBorne ### What Is The Risk? The BlueBorne attack vector has several qualities which can have a devastating effect when combined. By spreading through the air, BlueBorne targets the weakest spot in the networks’ defense – and the only one that no security measure protects. Spreading from device to device through the air also makes BlueBorne highly infectious. Moreover, since the Bluetooth process has high privileges on all operating systems, exploiting it provides virtually full control over the device. Unfortunately, this set of capabilities is extremely desireable to a hacker. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet. The BlueBorne attack vector surpasses the capabilities of most attack vectors by penetrating secure “air-gapped” networks which are disconnected from any other network, including the internet. ### How Wide Is The Threat? #### The threat posed by the BlueBorne attack vector The BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today. Bluetooth is the leading and most widespread protocol for short-range communications, and is used by devices of all kinds, from regular computers and mobile devices to IoT devices such as TVs, watches, cars, and even medical appliances. The latest published reports show more than 2 billion Android, 2 billion Windows, and 1 billion Apple devices in use. Gartner reports that there are 8 billions connected or IoT devices in the world today, many of which have Bluetooth. ### What Is New About BlueBorne? #### A new airborne attack vector BlueBorne concerns us because of the medium by which it operates. Unlike the majority of attacks today, which rely on the internet, a BlueBorne attack spreads through the air. This works similarly to the two less extensive vulnerabilities discovered recently in a Broadcom Wi-Fi chip by Project Zero and Exodus. The vulnerabilities found in Wi-Fi chips affect only the peripherals of the device, and require another step to take control of the device. With BlueBorne, b attackers can gain full control right from the start. Moreover, Bluetooth offers a wider attacker surface than WiFi, almost entirely unexplored by the research community and hence contains far more vulnerabilities. Airborne attacks, unfortunately, provide a number of opportunities for the attacker. First, spreading through the air renders the attack much more contagious, and allows it to spread with minimum effort. Second, it allows the attack to bypass current security measures and remain undetected, as traditional methods do not protect from airborne threats. Airborne attacks can also allow hackers to penetrate secure internal networks which are “air gapped,” meaning they are disconnected from any other network for protection. This can endanger industrial systems, government agencies, and critical infrastructure. Finally, unlike traditional malware or attacks, the user does not have to click on a link or download a questionable file. No action by the user is necessary to enable the attack #### A comprehensive and severe threat The BlueBorne attack vector requires no user interaction, is compatible to all software versions, and does not require any preconditions or configurations aside of the Bluetooth being active. Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected. #### Next generation Bluetooth vulnerabilities In the past, most Bluetooth vulnerabilities and security flaws originated in issues with the protocol itself, which were resolved in version 2.1 in 2007. Nearly all vulnerabilities found since were of low severity, and did not allow remote code execution. This transition occurred as the research community turned its eyes elsewhere, and did not scrutinize the implementations of the Bluetooth protocol in the different platforms, as it did with other major protocols. Bluetooth is a difficult protocol to implement, which makes it prone to two kinds of vulnerabilities. On the one hand, vendors are likely to follow the protocol’s implementation guidelines word-for-word, which means that when a vulnerability is found in one platform it might affect others. These mirrored vulnerabilities happened with CVE-2017-8628 and CVE-2017-0783 (Windows & Android MiTM) which are “identical twins”. On the other hand, in some areas the Bluetooth specifications leave too much room for interpretation, causing fragmented methods of implementation in the various platforms, making each of them more likely to contain a vulnerability of its own. This is why the vulnerabilities which comprise BlueBorne are based on the various implementations of the Bluetooth protocol, and are more prevalent and severe than those of recent years. We are concerned that the vulnerabilities we found are only the tip of the iceberg, and that the distinct implementations of the protocol on other platforms may contain additional vulnerabilities. #### A Coordinated Disclosure Armis reached out to the following actors to ensure a safe, secure, and coordinated response to the vulnerabilities identified. Google – Contacted on April 19, 2017, after which details were shared. Released public security update and security bulletin on September 4th, 2017. Coordinated disclosure on September 12th, 2017. Microsoft – Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure. Apple – Contacted on August 9, 2017. Apple had no vulnerability in its current versions. Samsung – Contact on three separate occasions in April, May, and June. No response was received back from any outreach. Linux – Contacted August 15 and 17, 2017. On September 5, 2017, we connected and provided the necessary information to the the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure. ### Affected Devices #### The threat posed by the vulnerabilities Armis disclosed The vulnerabilities disclosed by Armis affect all devices running on Android, Linux, Windows, and pre-version 10 of iOS operating systems, regardless of the Bluetooth version in use. This means almost every computer, mobile device, smart TV or other IoT device running on one of these operating systems is endangered by at least one of the eight vulnerabilities. This covers a significant portion of all connected devices globally. #### What Devices Are Affected? ##### Android All Android phones, tablets, and wearables (except those using only Bluetooth Low Energy) of all versions are affected by four vulnerabilities found in the Android operating system, two of which allow remote code execution (CVE-2017-0781 and CVE-2017-0782), one results in information leak (CVE-2017-0785) and the last allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-0783). Examples of impacted devices: * Google Pixel * Samsung Galaxy * Samsung Galaxy Tab * LG Watch Sport * Pumpkin Car Audio System Google has issued a patch and notified its partners. It will be available for: * Nougat (7.0) * Marshmallow (6.0) Google has issued a security update patch and notified its partners. It was available to Android partners on August 7th, 2017, and made available as part of the September Security Update and Bulletin. We recommend that users check that Bulletin for the latest most accurate information. Android users should verify that they have the September 9, 2017 Security Patch Level, Note to Android users: To check if your device is risk or is the devices around you are at risk, download the Armis BlueBorne Scanner App on Google Play. ##### Windows All Windows computers since Windows Vista are affected by the “Bluetooth Pineapple” vulnerability which allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-8628). Microsoft is issuing security patches to all supported Windows versions at 10 AM, Tuesday, September 12. We recommend that Windows users should check with the Microsoft release here for the latest information. ##### Linux Linux is the underlying operating system for a wide range of devices. The most commercial, and consumer-oriented platform based on Linux is the Tizen OS. * All Linux devices running BlueZ are affected by the information leak vulnerability (CVE-2017-1000250). * All Linux devices from version 3.3-rc1 (released in October 2011) are affected by the remote code execution vulnerability (CVE-2017-1000251). Examples of impacted devices: * Samsung Gear S3 (Smartwatch) * Samsung Smart TVs * Samsung Family Hub (Smart refrigerator) Information on Linux updates will be provided as soon as they are live. ##### iOS All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected by the remote code execution vulnerability. This vulnerability was already mitigated by Apple in iOS 10, so no new patch is needed to mitigate it. We recommend you upgrade to the latest iOS or tvOS available. If you are concerned that your device may not be patched, we recommend disabling Bluetooth, and minimizing its use until you can confirm a patch is issued and installed on your device. ### Technical Overview #### BlueBorne Explained: How The Attack Vector Works The BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to “discoverable” mode. Next, the attacker obtains the device’s MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective. At this stage the attacker can choose to create a Man-in-The-Middle attack and control the device’s communication, or take full control over the device and use it for a wide array of cybercriminal purposes. [Download our Technical White Paper on BlueBorne](http://go.armis.com/blueborne-technical-paper) #### BlueBorne attack on Android Once the attacker determined his target is using the Android operating system, he can use four of the vulnerabilities disclosed by Armis to exploit the device, or they can use a separate vulnerability to conduct a Man-in-The-Middle attack. Here is a quick demo of how BlueBorne can take control of an Android device: https://youtu.be/Az-l90RCns8 ##### Information Leak Vulnerability (CVE-2017-0785) The first vulnerability in the Android operating system reveals valuable information which helps the attacker leverage one of the remote code execution vulnerabilities described below. The vulnerability was found in the SDP (Service Discovery Protocol) server, which enables the device to identify other Bluetooth services around it. The flaw allows the attacker to send a set of crafted requests to the server, causing it to disclose memory bits in response. These pieces of information can later be used by the attacker to overcome advanced security measures and take control over the device. This vulnerability can also allow an attacker to leak encryption keys from the targeted device and eavesdrop on Bluetooth communications, in an attack that very much resembles heartbleed. ##### Remote Code Execution Vulnerability #1 (CVE-2017-0781) This vulnerability resides in the Bluetooth Network Encapsulation Protocol (BNEP) service, which enables internet sharing over a Bluetooth connection (tethering). Due to a flaw in the BNEP service, a hacker can trigger a surgical memory corruption, which is easy to exploit and enables him to run code on the device, effectively granting him complete control. Due to lack of proper authorization validations, triggering this vulnerability does not require any user interaction, authentication or pairing, so the targeted user is completely unaware of an ongoing attack. ##### Remote Code Execution vulnerability #2 (CVE-2017-0782) This vulnerability is similar to the previous one, but resides in a higher level of the BNEP service – the Personal Area Networking (PAN) profile – which is responsible for establishing an IP based network connection between two devices. In this case, the memory corruption is larger, but can still be leveraged by an attacker to gain full control over the infected device. Similar to the previous vulnerability, this vulnerability can also be triggered without any user interaction, authentication or pairing. ##### The Bluetooth Pineapple – Man in The Middle attack (CVE-2017-0783) Man-in-The-Middle (MiTM) attacks allow the attacker to intercept and intervene in all data going to or from the targeted device. To create a MiTM attack using Wi-Fi, the attacker requires both special equipment, and a connection request from the targeted device to an open WiFi network. In Bluetooth, the attacker can actively engage his target, using any device with Bluetooth capabilities. The vulnerability resides in the PAN profile of the Bluetooth stack, and enables the attacker to create a malicious network interface on the victim’s device, re-configure IP routing and force the device to transmit all communication through the malicious network interface. This attack does not require any user interaction, authentication or pairing, making it practically invisible. #### BlueBorne attack on Windows We have disclosed a vulnerability in Windows which allows an attacker to conduct a Man-in-The-Middle attack. Here is a quick demo of how BlueBorne can take create a MiTM attack: https://youtu.be/QrHbZPO9Rnc ##### The Bluetooth Pineapple #2 – Man in The Middle attack (CVE-2017-8628) This vulnerability is identical to the one found in the Android operating system, and affects both systems since they shared the same principals in implementing some of the Bluetooth protocol. The vulnerability resides in the Bluetooth stack, and enables the attacker to create a malicious network interface on the victim’s device, re-configure IP routing and force the device to transmit all communication through it. This attack does not require any user interaction, authentication or pairing, making it also practically invisible. #### BlueBorne attack on Linux Armis has disclosed two vulnerabilities in the Linux operating system which allow attackers to take complete control over infected devices. The first is an information leak vulnerability, which can help the attacker determine the exact version used by the targeted device and adjust his exploit accordingly. The second is a stack overflow with can lead to full control of a device. Here is a quick demo of how BlueBorne can take over a Linux device: https://youtu.be/U7mWeKhd_-A ##### Information leak vulnerability (CVE-2017-1000250) Similar to the information leak vulnerability in Android, this vulnerability resides in the SDP server responsible for identifying other services using Bluetooth around the device. The flaw allows the attacker to send a set of crafted requests to the server, causing it to disclose memory bits in response. This can be used by an attacker to expose sensitive data from the Bluetooth processthat may also contain encryption keys of Bluetooth communications. These can be used by the attacker to initiate an attack that very much resembles heartbleed. ##### A stack overflow in BlueZ (CVE-2017-1000251) This vulnerability was found in the Bluetooth stack of the Linux Kernel, which is the very core of the operating system. An internal flaw in the L2CAP (Logical Link Control and Adaptation Protocol) that is used to connect between two devices causes a memory corruption. An attacker can use this memory corruption to gain full control of the device. #### BlueBorne attack on iOS This vulnerability found by Armis was disclosed to Apple. Since it was mitigated in iOS version 10 and Apple TV version above 7.2.2, a full exploit was not developed to demonstrate how this vulnerability can be leveraged for gaining full control of an iOS device. However, this vulnerability still poses great risk to any iOS device prior to version 10, as it is does not require any interaction from the users, or configuration of any sort on the targeted device. The vulnerability can be leveraged by an attacker to gain remote code execution in a high-privileged context (the Bluetooth process). ##### Remote code execution via Apple’s Low Energy Audio Protocol This vulnerability was found in a new protocol Apple has invented, which operates on top of Bluetooth, called LEAP (Low energy audio protocol). The protocol is designed to stream audio to low energy audio peripherals (such as low energy headsets, or the Siri Remote). This enables devices that only have Bluetooth Low Energy to stream audio and send audio commands. Due to a flaw in the implementation of LEAP, a large audio command can be sent to a targeted device and lead to a memory corruption. Since the audio commands sent via LEAP are not properly validated, an attacker can use the memory corruption to gain full control of the device. ### Securing against BlueBorne Vulnerabilities that can spread over the air and between devices pose a tremendous threat to any organization or individual. Current security measures, including endpoint protection, mobile data management, firewalls, and network security solution are not designed to identify these type of attacks, and related vulnerabilities and exploits, as their main focus is to block attacks that can spread via IP connections. New solutions are needed to address the new airborne attack vector, especially those that make air gapping irrelevant. Additionally, there will need to be more attention and research as new protocols are using for consumers and businesses alike. With the large number of desktop, mobile, and IoT devices only increasing, it is critical we can ensure these types of vulnerabilities are not exploited. This is the primary mission of Armis in this new connected age.
idSSV:96467
last seen2017-11-19
modified2017-09-13
published2017-09-13
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-96467
titleThe IoT Attack Vector “BlueBorne” Exposes Almost Every Connected Device (BlueBorne)

The Hacker News