Google has released details of a high-severity flaw affecting the Bluetooth stack in Linux kernel versions below 5.9 that support BlueZ.

Linux 5.9 was released just two days ago[1], and Intel's advisory for the high-severity Bluetooth flaw, CVE-2020-12351[2], recommends updating the Linux kernel to version 5.9 or later.

"Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access," Intel notes in its advisory[3] for CVE-2020-12351. BlueZ is found on Linux-based IoT devices and is the official Linux Bluetooth stack[4].

Intel says the BlueZ project is releasing Linux kernel fixes to address the high-severity flaw, as well as fixes for two medium-severity flaws, CVE-2020-12352 and CVE-2020-24490. 

CVE-2020-12352 is due to improper access control in BlueZ that "may allow an unauthenticated user to potentially enable information disclosure via adjacent access." CVE-2020-24490 refers to BlueZ's lack of proper buffer restrictions that "may allow an unauthenticated user to potentially enable denial of service via adjacent access."

Andy Nguyen, a security engineer from Google, reported the bugs to Intel.

Researchers from Purdue University last month[6] claimed that BlueZ was also vulnerable to BLESA (Bluetooth Low Energy Spoofing Attack), along with Fluoride (Android) and the iOS BLE stack.

Google has detailed the bugs on the Google Security Research Repository on GitHub. Nguyen's description of the BleedingTooth vulnerability[7] sounds more serious than Intel's write-up. 

Nguyen says it's a "zero click" Linux Bluetooth Remote Code Execution flaw and has published a short video demonstrating the attack[8] using commands on one Dell XPS 15 laptop running Ubuntu to open the calculator on
