The flaw itself lies in the BlueZ software stack that is used to implement Bluetooth core protocols and layers on Linux. The software stack is not only used in Linux laptops, but also in many consumer devices as well as in industrial IoT devices.Google engineer Andy Nguyen named the vulnerability BleedingTooth and in a
stated that it is actually a series of zero-click vulnerabilities in the Linux Bluetooth subsystem that could allow an unauthenticated remote attacker to run arbitrary code with kernel privileges on vulnerable devices at close range.
BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution— Andy Nguyen (@theflow0) October 13, 2020
Blog post available soon on: https://t.co/2SDRm6PZaQ
Google Security Research Repository: https://t.co/0HolidyWvV
Intel Security Advisory: https://t.co/kfGj3MWajy
According to Nguyen, it was inspired by research that led to the discovery of another proof-of-concept exploit called BlueBorne, which allows an attacker to send commands without a user having to click links.
Although Nguyen has said that BleedingTooth allows attackers to seamlessly execute code within Bluetooth range, Intel believes the flaw provides a means for an attacker to escalate permissions or disclose information.
The chip giant has also issued a recommendation stating that BleedingTooth actually consists of three separate vulnerabilities, tracked as CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490. While the first vulnerability had a CVSS score of 8.3 with a high severity rating, the other two had a CVSS score of 5.3. In its BlueZ recommendation, Intel stated that Linux kernel fixes will be released soon, saying:
“Potential security gaps in BlueZ can allow permissions to be escalated or information to be disclosed. BlueZ releases Linux kernel fixes to address these potential vulnerabilities. ”
Intel itself is one of the main people responsible for the BlueZ open source project. According to the chip maker, the only way to fix BleedingTooth is through a series of kernel patches. The vulnerability is not what users should be afraid of because an attacker would have to be in close proximity to a vulnerable Linux device to exploit BleedingTooth.
About Ars Technica
These were the details of the news Google and Intel are concerned about a new Linux vulnerability for this day. We hope that we have succeeded by giving you the full details and information. To follow all our news, you can subscribe to the alerts system or to one of our different systems to provide you with all that is new.
It is also worth noting that the original news has been published and is available at de24.news and the editorial team at AlKhaleej Today has confirmed it and it has been modified, and it may have been completely transferred or quoted from it and you can read and follow this news from its main source.