Bluetooth flaws: Reported issues

The vulnerabilities in the Linux Bluetooth software stack allow an attacker to execute arbitrary code with kernel privileges on the device. The three flaws, collectively named BleedingTooth, are present in the open-source BlueZ protocol stack, according to security engineer Andy Nguyen. BlueZ implements many of the core Bluetooth layers and protocols on Linux-based systems.

1. First Flaw - The most severe is a heap-based type confusion (CVE-2020-12351, CVSS score 8.3) affecting Linux kernel 4.8 and higher, located in the Logical Link Control and Adaptation Protocol (L2CAP) of the Bluetooth standard. L2CAP is the layer that multiplexes data between higher-layer protocols.

Google noted in its advisory that "A remote attacker in short distance knowing the victim's [Bluetooth device] address can send a malicious l2cap packet and cause a denial of service or possibly arbitrary code execution with kernel privileges," adding that "Malicious Bluetooth chips can trigger the vulnerability as well."

In 2016, a change was introduced in the "l2cap_core.c" module in response to the vulnerabilities.

Alerts issued by Intel as part of its BlueZ project characterize CVE-2020-12351 as a privilege escalation flaw.

2. Second Flaw - The second flaw (CVE-2020-12352) is a stack-based information disclosure affecting Linux kernel 3.6 and higher.

As a consequence of the change made to the core Alternate MAC-PHY Manager Protocol (A2MP), a high-speed transport link used in Bluetooth HS (High Speed) to transfer larger amounts of data, a remote attacker in short distance could collect kernel stack information in order to predict the memory layout and defeat kernel address space layout randomization (KASLR).
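Both flaws above are described only by the minimum kernel version they affect (4.8 for CVE-2020-12351, 3.6 for CVE-2020-12352), and the exposure exists only where the kernel Bluetooth stack is actually loaded. The following triage helper is an added example, not code from the page, from Google or from the BlueZ project: it parses a kernel release string, reports which of the two CVE ranges the kernel falls into, and reads a /proc/modules-style listing to see whether the `bluetooth` module is present. The sample module listing is constructed, and since the page gives no fixed versions, a match means "in the stated affected range, check your distribution's advisory", not "confirmed vulnerable".

```python
"""Defensive triage: is this host's kernel in the BleedingTooth affected range,
and is the kernel Bluetooth stack loaded?

Added example, not code from the page or the BlueZ project. The only facts used
are the minimum affected kernel versions stated in the text above. No fixed
versions are given there, so "in range" is a prompt to consult your distro's
advisory, not a confirmation that the fix is missing."""
import platform
import re
from typing import Dict, List, Set, Tuple

# Minimum affected kernel versions as stated in the text above.
MIN_AFFECTED = {
    "CVE-2020-12351": (4, 8),  # L2CAP heap-based type confusion
    "CVE-2020-12352": (3, 6),  # A2MP stack-based information disclosure
}

# Constructed sample of /proc/modules output (first column is the module name).
SAMPLE_PROC_MODULES = """\
btusb 61440 0 - Live 0xffffffffc0a00000
btintel 32768 1 btusb, Live 0xffffffffc09f0000
bluetooth 716800 5 btusb,btintel, Live 0xffffffffc0900000
ext4 786432 1 - Live 0xffffffffc0700000
"""


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings such as '5.4.0-48-generic' or '4.19.152'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def potentially_affected(release: str) -> List[str]:
    """Return the CVE ids whose stated minimum affected version is at or below this kernel."""
    major, minor, _ = parse_kernel_version(release)
    return [cve for cve, floor in MIN_AFFECTED.items() if (major, minor) >= floor]


def loaded_modules(proc_modules_text: str) -> Set[str]:
    """Module names from /proc/modules-style text (one module per line, name first)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def assess(release: str, proc_modules_text: str) -> Dict[str, object]:
    """Combine the version-range check with whether the 'bluetooth' module is loaded."""
    cves = potentially_affected(release)
    bt_loaded = "bluetooth" in loaded_modules(proc_modules_text)
    if not cves:
        verdict = "kernel below the stated minimum affected versions"
    elif not bt_loaded:
        verdict = "kernel in range but bluetooth module not loaded; keep it unloaded until patched"
    else:
        verdict = "kernel in range and bluetooth module loaded; check your distro advisory for the fix"
    return {"kernel": release, "in_range": cves, "bluetooth_loaded": bt_loaded, "verdict": verdict}


if __name__ == "__main__":
    # On a Linux host use the real kernel release and /proc/modules; elsewhere fall
    # back to a constructed release string and the constructed sample listing.
    release = platform.release() if platform.system() == "Linux" else "5.4.0-48-generic"
    try:
        with open("/proc/modules") as fh:
            modules_text = fh.read()
    except OSError:
        modules_text = SAMPLE_PROC_MODULES
    print(assess(release, modules_text))
```

The check deliberately compares only major.minor against the stated floors; distributions backport fixes without changing those numbers, so a host reported as "in range" still needs its vendor advisory consulted, while a host with the `bluetooth` module absent is not exposed to either flaw regardless of version.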