Vulnerabilities > CVE-2020-0556 - Improper Privilege Management vulnerability in multiple products

047910
CVSS 5.8 - MEDIUM
Attack vector
ADJACENT_NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access

Vulnerable Configurations

Part Description Count
Application
Bluez
157
OS
Canonical
3
OS
Debian
2
OS
Opensuse
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-2240.NASL
    descriptionIt was reported that the BlueZ
    last seen2020-06-13
    modified2020-06-10
    plugin id137282
    published2020-06-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137282
    titleDebian DLA-2240-1 : bluez security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-2240-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(137282);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      script_cve_id("CVE-2020-0556");
    
      script_name(english:"Debian DLA-2240-1 : bluez security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "It was reported that the BlueZ's HID and HOGP profile implementations
    don't specifically require bonding between the device and the host.
    Malicious devices can take advantage of this flaw to connect to a
    target host and impersonate an existing HID device without security or
    to cause an SDP or GATT service discovery to take place which would
    allow HID reports to be injected to the input subsystem from a
    non-bonded source.
    
    For the HID profile an new configuration option (ClassicBondedOnly) is
    introduced to make sure that input connections only come from bonded
    device connections. The options defaults to 'false' to maximize device
    compatibility.
    
    Note that as a result of the significant changes between the previous
    version in Jessie (based on upstream release 5.23) and the available
    patches to address this vulnerability, it was decided that a backport
    of the bluez package from Debian 9 'Stretch' was the only viable way
    to address the referenced vulnerability.
    
    For Debian 8 'Jessie', this problem has been fixed in version
    5.43-2+deb9u2~deb8u1.
    
    We recommend that you upgrade your bluez packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2020/06/msg00008.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/bluez"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bluetooth");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bluez");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bluez-cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bluez-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bluez-hcidump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bluez-obexd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bluez-test-scripts");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libbluetooth-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libbluetooth3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libbluetooth3-dbg");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/06/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"bluetooth", reference:"5.43-2+deb9u2~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"bluez", reference:"5.43-2+deb9u2~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"bluez-cups", reference:"5.43-2+deb9u2~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"bluez-dbg", reference:"5.43-2+deb9u2~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"bluez-hcidump", reference:"5.43-2+deb9u2~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"bluez-obexd", reference:"5.43-2+deb9u2~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"bluez-test-scripts", reference:"5.43-2+deb9u2~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libbluetooth-dev", reference:"5.43-2+deb9u2~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libbluetooth3", reference:"5.43-2+deb9u2~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libbluetooth3-dbg", reference:"5.43-2+deb9u2~deb8u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4311-1.NASL
    descriptionIt was discovered that BlueZ incorrectly handled bonding HID and HOGP devices. A local attacker could possibly use this issue to impersonate non-bonded devices. (CVE-2020-0556) It was discovered that BlueZ incorrectly handled certain commands. A local attacker could use this issue to cause BlueZ to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-7837). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-30
    modified2020-03-31
    plugin id135027
    published2020-03-31
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135027
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.10 : bluez vulnerabilities (USN-4311-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4311-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135027);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/28");
    
      script_cve_id("CVE-2016-7837", "CVE-2020-0556");
      script_xref(name:"USN", value:"4311-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : bluez vulnerabilities (USN-4311-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that BlueZ incorrectly handled bonding HID and HOGP
    devices. A local attacker could possibly use this issue to impersonate
    non-bonded devices. (CVE-2020-0556)
    
    It was discovered that BlueZ incorrectly handled certain commands. A
    local attacker could use this issue to cause BlueZ to crash, resulting
    in a denial of service, or possibly execute arbitrary code. This issue
    only affected Ubuntu 16.04 LTS. (CVE-2016-7837).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4311-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected bluez and / or libbluetooth3 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0556");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:bluez");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libbluetooth3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04|19\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"bluez", pkgver:"5.37-0ubuntu5.3")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libbluetooth3", pkgver:"5.37-0ubuntu5.3")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"bluez", pkgver:"5.48-0ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"libbluetooth3", pkgver:"5.48-0ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"bluez", pkgver:"5.50-0ubuntu5.1")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"libbluetooth3", pkgver:"5.50-0ubuntu5.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bluez / libbluetooth3");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4647.NASL
    descriptionIt was reported that the BlueZ
    last seen2020-04-30
    modified2020-03-30
    plugin id134984
    published2020-03-30
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134984
    titleDebian DSA-4647-1 : bluez - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4647. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134984);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/28");
    
      script_cve_id("CVE-2020-0556");
      script_xref(name:"DSA", value:"4647");
    
      script_name(english:"Debian DSA-4647-1 : bluez - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was reported that the BlueZ's HID and HOGP profile implementations
    don't specifically require bonding between the device and the host.
    Malicious devices can take advantage of this flaw to connect to a
    target host and impersonate an existing HID device without security or
    to cause an SDP or GATT service discovery to take place which would
    allow HID reports to be injected to the input subsystem from a
    non-bonded source.
    
    For the HID profile an new configuration option (ClassicBondedOnly) is
    introduced to make sure that input connections only come from bonded
    device connections. The options defaults to 'false' to maximize device
    compatibility."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953770"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/bluez"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/bluez"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/buster/bluez"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2020/dsa-4647"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the bluez packages.
    
    For the oldstable distribution (stretch), this problem has been fixed
    in version 5.43-2+deb9u2.
    
    For the stable distribution (buster), this problem has been fixed in
    version 5.50-1.2~deb10u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0556");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bluez");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"10.0", prefix:"bluetooth", reference:"5.50-1.2~deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"bluez", reference:"5.50-1.2~deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"bluez-cups", reference:"5.50-1.2~deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"bluez-hcidump", reference:"5.50-1.2~deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"bluez-obexd", reference:"5.50-1.2~deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"bluez-test-scripts", reference:"5.50-1.2~deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"bluez-test-tools", reference:"5.50-1.2~deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"libbluetooth-dev", reference:"5.50-1.2~deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"libbluetooth3", reference:"5.50-1.2~deb10u1")) flag++;
    if (deb_check(release:"9.0", prefix:"bluetooth", reference:"5.43-2+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"bluez", reference:"5.43-2+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"bluez-cups", reference:"5.43-2+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"bluez-dbg", reference:"5.43-2+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"bluez-hcidump", reference:"5.43-2+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"bluez-obexd", reference:"5.43-2+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"bluez-test-scripts", reference:"5.43-2+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"bluez-test-tools", reference:"5.43-2+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libbluetooth-dev", reference:"5.43-2+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libbluetooth3", reference:"5.43-2+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libbluetooth3-dbg", reference:"5.43-2+deb9u2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1594.NASL
    descriptionAccording to the version of the bluez packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access(CVE-2020-0556) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-06
    modified2020-06-02
    plugin id137012
    published2020-06-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137012
    titleEulerOS 2.0 SP5 : bluez (EulerOS-SA-2020-1594)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(137012);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/05");
    
      script_cve_id(
        "CVE-2020-0556"
      );
    
      script_name(english:"EulerOS 2.0 SP5 : bluez (EulerOS-SA-2020-1594)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the bluez packages installed, the EulerOS
    installation on the remote host is affected by the following
    vulnerability :
    
      - Improper access control in subsystem for BlueZ before
        version 5.54 may allow an unauthenticated user to
        potentially enable escalation of privilege and denial
        of service via adjacent access(CVE-2020-0556)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1594
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2a856e7d");
      script_set_attribute(attribute:"solution", value:
    "Update the affected bluez package.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/06/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/02");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bluez");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bluez-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["bluez-5.44-4.h1.eulerosv2r7",
            "bluez-libs-5.44-4.h1.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bluez");
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-202003-49.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-202003-49 (BlueZ: Security bypass) It was discovered that the HID and HOGP profiles implementations in BlueZ did not specifically require bonding between the device and the host. Impact : A remote attacker with adjacent access could impersonate an existing HID device, cause a Denial of Service condition or escalate privileges. Workaround : There is no known workaround at this time.
    last seen2020-04-30
    modified2020-03-26
    plugin id134924
    published2020-03-26
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134924
    titleGLSA-202003-49 : BlueZ: Security bypass
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 202003-49.
    #
    # The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134924);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/28");
    
      script_cve_id("CVE-2020-0556");
      script_xref(name:"GLSA", value:"202003-49");
    
      script_name(english:"GLSA-202003-49 : BlueZ: Security bypass");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-202003-49
    (BlueZ: Security bypass)
    
        It was discovered that the HID and HOGP profiles implementations in
          BlueZ did not specifically require bonding between the device and the
          host.
      
    Impact :
    
        A remote attacker with adjacent access could impersonate an existing HID
          device, cause a Denial of Service condition or escalate privileges.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/202003-49"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All BlueZ users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-wireless/bluez-5.54'"
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0556");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:bluez");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-wireless/bluez", unaffected:make_list("ge 5.54"), vulnerable:make_list("lt 5.54"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "BlueZ");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0918-1.NASL
    descriptionThis update for bluez fixes the following issues : CVE-2020-0556: Fixed an improper access control which could have allowed an unauthenticated user to potentially enable escalation of privilege and denial of service (bsc#1166751). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-30
    modified2020-04-06
    plugin id135226
    published2020-04-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135226
    titleSUSE SLED15 / SLES15 Security Update : bluez (SUSE-SU-2020:0918-1)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-3_0-0073_BLUEZ.NASL
    descriptionAn update of the bluez package has been released.
    last seen2020-04-30
    modified2020-04-12
    plugin id135402
    published2020-04-12
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135402
    titlePhoton OS 3.0: Bluez PHSA-2020-3.0-0073
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-479.NASL
    descriptionThis update for bluez fixes the following issues : - CVE-2020-0556: Fixed an improper access control which could have allowed an unauthenticated user to potentially enable escalation of privilege and denial of service (bsc#1166751). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-04-30
    modified2020-04-10
    plugin id135383
    published2020-04-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135383
    titleopenSUSE Security Update : bluez (openSUSE-2020-479)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1539.NASL
    descriptionAccording to the version of the bluez package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access(CVE-2020-0556) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2020-05-01
    plugin id136242
    published2020-05-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136242
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : bluez (EulerOS-SA-2020-1539)