Vulnerabilities in Linux Bluetooth Stack Allow Zero-Click Attacks

Vulnerabilities can be exploited to run arbitrary code or access confidential information.


Three vulnerabilities in BlueZ, the Linux kernel's official Bluetooth protocol stack (CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490), collectively dubbed BleedingTooth, can be exploited to execute arbitrary code in the kernel or to disclose kernel memory.

The most dangerous issue is a heap-based type confusion (CVE-2020-12351) in the kernel's L2CAP handling, affecting Linux kernel 4.8 and later. It was rated 8.3 (high) on the CVSS scale.

A remote attacker within Bluetooth range who knows the target's Bluetooth device address (its Bluetooth MAC address) can exploit it by sending a crafted L2CAP packet, which can trigger a denial of service or, in the worst case, arbitrary code execution with kernel privileges.

Proof-of-concept code for this vulnerability has been published on GitHub. Security researcher Andy Nguyen of Google, who discovered the vulnerabilities, explained that exploitation requires no user interaction: it is a zero-click attack, so an unlocked screen or a paired device is not needed, only a reachable Bluetooth radio.

The second issue (CVE-2020-12352) is a stack-based information leak affecting Linux kernels 3.6 and later, rated 5.3 (medium) on the CVSS scale. A remote attacker within range who knows the victim's Bluetooth address can obtain kernel stack contents containing various pointers, which can be used to infer the kernel's memory layout and bypass KASLR (kernel address space layout randomization). On its own it discloses data rather than executing code, but it supplies exactly the addresses a code-execution exploit for the first issue needs.

The third vulnerability (CVE-2020-24490) is a heap-based buffer overflow affecting Linux kernels 4.19 and later. Like the first, it can be used to cause a denial of service or to execute arbitrary code with kernel privileges.

According to the advisory, this third issue is reachable only on devices equipped with a Bluetooth 5 chip that are in scanning mode; hosts with older controllers, or controllers that are not scanning, are not exposed to it.
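To turn the affected-version statements above into a quick triage check, here is an added shell script (it is not from the article, the BleedingTooth advisory or the BlueZ project) that classifies a kernel version string against the three "X and later" thresholds the article quotes and, when run directly, reports on the running kernel. The thresholds and the one-line CVE summaries are taken from the text above; the look-up of controllers under /sys/class/bluetooth and the rfkill remark are the example's own assumptions about a standard Linux system, and the script knows nothing about distribution backports, so a listed CVE means "verify your vendor's patch status", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example, not part of the original article: map a kernel version
# onto the BleedingTooth affected-version thresholds quoted in the text.
# Assumption: a distribution may have backported the fixes, which this
# script cannot see; it only tells you which CVEs to check with your vendor.

# split_version VER: print "MAJOR MINOR" for a uname -r style string,
# e.g. "5.4.0-88-generic" -> "5 4", "4.19" -> "4 19", "5" -> "5 0".
split_version() {
    v=${1%%-*}                     # drop a "-88-generic" style suffix
    major=${v%%.*}
    case "$v" in
        *.*) rest=${v#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    echo "$major $minor"
}

# version_ge VER MIN: succeed (exit 0) when VER >= MIN on (major, minor).
version_ge() {
    set -- $(split_version "$1") $(split_version "$2")
    [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# affected_cves VER: print one line per CVE whose minimum affected kernel
# version, as stated in the article, is <= VER.
affected_cves() {
    version_ge "$1" 3.6  && echo "CVE-2020-12352  stack info leak, KASLR bypass (kernel >= 3.6, CVSS 5.3)"
    version_ge "$1" 4.8  && echo "CVE-2020-12351  heap type confusion, kernel RCE (kernel >= 4.8, CVSS 8.3)"
    version_ge "$1" 4.19 && echo "CVE-2020-24490  heap overflow, kernel RCE (kernel >= 4.19; Bluetooth 5 chip in scanning mode only)"
    return 0
}

# affected_count VER: number of CVEs affected_cves would list.
affected_count() {
    affected_cves "$1" | wc -l | tr -d ' '
}

# Stand-alone run: classify the running kernel and show whether any
# Bluetooth controller is exposed. Assumption: controllers appear as
# entries under /sys/class/bluetooth; if none is present, or the radio
# is soft-blocked with "rfkill block bluetooth", the remote attack
# surface described in the article is not reachable.
kver=$(uname -r)
echo "Running kernel: $kver"
affected_cves "$kver"
if [ -d /sys/class/bluetooth ] && [ -n "$(ls /sys/class/bluetooth 2>/dev/null)" ]; then
    echo "Bluetooth controller(s) present: $(ls /sys/class/bluetooth | tr '\n' ' ')"
else
    echo "No Bluetooth controller exposed via /sys/class/bluetooth"
fi
```

The comparison is deliberately limited to major.minor, because that is the granularity of the article's statements; anything finer (which stable point release or distro package carries the fix) has to come from the vendor's advisory rather than from the version string.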
