BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution

As pre-announced via Twitter, the Google security research team found a zero-click RCE in the Bluetooth stack of the Linux kernel (https://twitter.com/theflow0/status/1316071793707364353).

Presumably, SFOS is also affected?

6 Likes

It would be interesting to see if the exploit actually works on SFOS. Maybe the wonky BT support makes the vulnerability not work?

Also, I understand the J1 and older devices are on BlueZ 4.x not 5.x, is BlueZ 4.x also exploitable?

1 Like

Since the blog post with details has not yet been published - at least at the time of this writing :wink: - I have no means of knowing.

I just figured I'd raise this topic here so it gets the attention potentially required…

Intel says:

Affected Products:
All Linux kernel versions that support BlueZ.

They have just provided patches for the upcoming 5.10, so the fixes have to be backported to older kernels by distributions.

2 Likes

The “Bleeding Tooth” vulnerabilities, aka CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490, are now fixed on the kernel side. The fixes are in versions 5.9.1, 5.8.16, 5.4.72, 4.19.152, 4.14.202, 4.9.240, 4.4.240.

The latest Sailfish 3.4.x runs kernel 4.9.221 and by definition it is vulnerable. Of course the question is whether the actual implementation in Sailfish is also exploitable.

Nevertheless… the issue is serious and I guess that quite a lot of Sailfish users expect official feedback on this from Jolla.

Until then, the only possible defence is avoiding or cutting back on Bluetooth usage when you are not alone or surrounded by people you trust.

2 Likes

Every device runs a different version of the kernel.

my Xperia X with SailfishOS 3.4.0.24: 3.10.84

True, I forgot all the variations. 4.9.221 applies to Sony Xperia 10 in this case.

1 Like

Unfortunately the kernel version also depends on the device.
My Xperia X runs a 3.10.84 (aka undead Frankenstein) kernel and Jolla said that there won’t be any kernel updates for these older devices (for understandable reasons detailed somewhere in the old forum. Sorry, couldn’t find the link right now).

So probably these kernel patches will never make it to all Sailfish devices currently in use. So, just don’t use Bluetooth…

edit: too late :smiley:

XA2 (dual SIM) has 4.4.189

I had a look at the Jolla 1: if updated to 3.4.0.24 it runs the 3.4.108 kernel, and it seems that’s not affected.

Looks like the errors were introduced at different times:

  • CVE-2020-12351 affects kernel 4.8 and higher
  • CVE-2020-12352 affects kernel 3.6 and higher
  • CVE-2020-24490 affects kernel 4.19 and higher

CVE-2020-12351 has a high severity rating and the others have a medium risk.

Updated to Sailfish 3.4.0.24, the kernels seem to be:

  • Jolla 1 - 3.4.108
  • Xperia X - 3.10.84
  • Xperia 10 - 4.9.221
  • Xperia XA2 - 4.4.189
  • but there are more devices in use

Of those, the Xperia 10 has the highest risk exposure; for the others it is medium risk, if any.

2 Likes
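A small triage script, added here as an example and not part of any post in this thread, that turns the two lists above (the kernel series each CVE was introduced in, and the stable releases carrying the fixes) into a check you can run against `uname -r` output. The introduced-in series, the fixed releases, the device kernels and the high/medium rating per CVE are taken as stated in the thread and are assumptions of this script, not independently verified; the device table is constructed from the post above.

```python
"""Triage a kernel version string against the BleedingTooth CVEs.

Added example, not code from any post in the thread. The "introduced in"
series, the fixed stable releases and the severity mapping are taken as
stated in the thread and are assumptions here, not independently verified.
"""

# Kernel series in which each CVE's affected code first appeared (per the thread).
INTRODUCED_IN = {
    "CVE-2020-12351": (4, 8),
    "CVE-2020-12352": (3, 6),
    "CVE-2020-24490": (4, 19),
}

# Stable releases said in the thread to carry the fixes.
FIXED_IN = ("5.9.1", "5.8.16", "5.4.72", "4.19.152", "4.14.202", "4.9.240", "4.4.240")

# Device kernels as reported in the thread for Sailfish 3.4.0.24 (constructed table).
DEVICE_KERNELS = {
    "Jolla 1": "3.4.108",
    "Xperia X": "3.10.84",
    "Xperia XA2": "4.4.189",
    "Xperia 10": "4.9.221",
}


def parse_version(text):
    """Turn 'uname -r' output such as '4.9.221-sailfish' into (4, 9, 221)."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    fields = core.split(".")
    if len(fields) < 2 or not all(f.isdigit() for f in fields[:3]):
        raise ValueError("unrecognised kernel version: %r" % text)
    nums = [int(f) for f in fields[:3]]
    while len(nums) < 3:  # tolerate '5.9' meaning 5.9.0
        nums.append(0)
    return tuple(nums)


# Map each fixed stable series (major, minor) to the first patch level with the fix.
FIXED_PATCH = {v[:2]: v[2] for v in map(parse_version, FIXED_IN)}
NEWEST_FIXED_SERIES = max(FIXED_PATCH)


def status(kernel, cve):
    """Classify one kernel against one CVE: not affected / fixed / vulnerable."""
    major, minor, patch = parse_version(kernel)
    series = (major, minor)
    if series < INTRODUCED_IN[cve]:
        return "not affected"
    if series in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[series] else "vulnerable"
    if series > NEWEST_FIXED_SERIES:
        return "fixed"  # 5.10 and later were patched before release (per the thread)
    # A series between the fixed ones (e.g. 3.10, 4.17) gets no stable fix at all.
    return "vulnerable, no fix for this series"


def triage(kernel):
    """Return {cve: status} for every BleedingTooth CVE."""
    return {cve: status(kernel, cve) for cve in INTRODUCED_IN}


def worst(kernel):
    """Collapse the triage into the thread's rating: high if CVE-2020-12351 is
    open, medium if only the other two are, none otherwise (assumed mapping)."""
    open_cves = {cve for cve, s in triage(kernel).items() if s.startswith("vulnerable")}
    if "CVE-2020-12351" in open_cves:
        return "high"
    if open_cves:
        return "medium"
    return "none"


if __name__ == "__main__":
    import platform

    for name, kver in DEVICE_KERNELS.items():
        print("%-11s %-9s %-6s %s" % (name, kver, worst(kver), triage(kver)))
    # On the device itself, check the running kernel instead:
    print("this host", platform.release(), worst(platform.release()))
```

The series-based lookup is the point: a kernel is only "fixed" if it is on one of the stable branches that received the backport and at or above that branch's patch level, so a 3.10 or 4.17 kernel stays vulnerable to CVE-2020-12352 no matter how high its patch number, while a 4.4 kernel can never be hit by CVE-2020-12351 because the affected code postdates it.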