Google and Intel have discovered a very serious security vulnerability that affects all versions of the Linux kernel from 4.8, except the most recent, version 5.9 released on Monday. Vulnerability resides in BlueZ, the software stack that by default implements all base layers and protocols of Bluetooth wireless technology for Linux. According to a Google researcher, the flaw allows transparent execution of code in the Bluetooth gate and according to Intel, the vulnerability provides escalation of privileges or disclosure of information.
BlueZ is software that implements Bluetooth wireless technology on GNU / Linux operating systems. It was originally created by Max Krasnyansky of the company Qualcomm, but the company made it open source and released under the GNU GPL in 2001. BlueZ subsequently became the benchmark Bluetooth implementation for Linux and was incorporated to the core. It is officially part of the Linux kernel since version 2.4.6. Apart from Linux laptops, BluZ is used in many consumer and industrial internet devices.
Google engineer Andy Nguyen, the originator of the discovery has dubbed the flaw BleedingTooth, but as of yet, there is very little information on it. However, he promised to shed more light on the matter in the coming days. In the meantime, in a tweet and a video on YouTube, he has provided some details on the vulnerability. According to these sources, the bug represents a reliable way for nearby attackers to execute malicious code of their choice on vulnerable Linux devices, especially Linux devices with version 4.8 or higher, except version 5.9.
Google detailed the vulnerability on the company’s security research repository on GitHub. In the video, Nguyen showed how the attack can occur by using commands on a Dell XPS 15 powered by Ubuntu laptop to open the calculator on a second Dell laptop, still running Ubuntu, without any action being taken. performs on the latter. Likewise, it should be noted that BlueZ contains several Bluetooth modules, including the core of the central Bluetooth subsystem and the L2CAP and SCO audio core layers.
According to Francis Perry of Google’s Product Security Incident Response Team, a Bluetooth-ported attacker with the target’s Bluetooth device address (bd address) can execute an arbitrary code with kernel privileges. A short range attacker who has the victim’s bd address can send a malicious l2cap packet and cause a service denial or possibly the execution of an arbitrary code with kernel privileges. Malicious Bluetooth chips can also trigger the vulnerability, Perry wrote.
Google has released a proof of concept exploit code for the BleedingTooth vulnerability. He also promised to post more information about BleedingTooth on the company’s security blog shortly. For its part, Intel published a bulletin that classifies the flaw as either a privilege escalation vulnerability or a vulnerability allowing data disclosure. The document published by the OEM gives a severity rating of 8.3 out of 10 for CVE-2020-12351, one of the three separate bugs that make up BleedingTooth.
Potential security vulnerabilities in BlueZ can allow escalation of privileges or disclosure of information, Intel wrote. BlueZ is releasing Linux kernel patches to address these potential flaws, he added. The company has a few fixes that you could install if a kernel upgrade is not possible. The flaw exists, but security experts say there’s no reason to panic, because like almost all Bluetooth-related security holes, BleedingTooth requires proximity to a vulnerable device.
It also requires highly specialized knowledge and only works on a tiny fraction of the world’s Bluetooth devices. These limitations significantly reduce the number of people, if any, who are able to successfully carry out an attack.
Sources : Google, Document dIntel
And you ?
What do you think ?
See as well
Linux 5.9 is released. This release increases CPU performance with FSGSBASE support and includes various new features and improvements
UOS Linux: meet the new Chinese OS capable of booting in 30 s on local processors and on which the country relies to replace Windows
Linux: Microsoft offers up to $ 100,000 which can hack its customized version of the operating system dedicated to securing its enterprise solutions for the IoT
*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.
*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!
These were the details of the news Google and Intel warn of Linux security bug that allows malicious... for this day. We hope that we have succeeded by giving you the full details and information. To follow all our news, you can subscribe to the alerts system or to one of our different systems to provide you with all that is new.
It is also worth noting that the original news has been published and is available at en24news and the editorial team at AlKhaleej Today has confirmed it and it has been modified, and it may have been completely transferred or quoted from it and you can read and follow this news from its main source.
