FS#68256 - [security][linux][linux-lts] CVE-2020-12351 CVE-2020-12352 CVE-2020-24490

Attached to Project: Arch Linux
Opened by loqs (loqs) - Wednesday, 14 October 2020, 19:26 GMT
Last edited by freswa (frederik) - Saturday, 17 October 2020, 15:55 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Tobias Powalowski (tpowa)
Andreas Radke (AndyRTR)
Jan Alexander Steffens (heftig)
Levente Polyak (anthraxx)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Multiple CVEs in the kernel bluetooth subsystem (BleedingTooth)
CVE-2020-12351
A heap-based type confusion affecting Linux kernel 4.8 and higher was discovered in net/bluetooth/l2cap_core.c.
A remote attacker in short distance knowing the victim's bd address can send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges. Malicious Bluetooth chips can trigger the vulnerability as well.

CVE-2020-12352 [3] [4]
A stack-based information leak affecting Linux kernel 3.6 and higher was discovered in net/bluetooth/a2mp.c.
A remote attacker in short distance knowing the victim's bd address can retrieve kernel stack information containing various pointers that can be used to predict the memory layout and to defeat KASLR. The leak may contain other valuable information such as the encryption keys. Malicious Bluetooth chips can trigger the vulnerability as well.

CVE-2020-24490 [5] [6]
A heap-based buffer overflow affecting Linux kernel 4.19 and higher was discovered in net/bluetooth/hci_event.c
A remote attacker in short distance can broadcast extended advertising data and cause denial of service or possibly arbitrary code execution with kernel privileges on victim machines if they are equipped with Bluetooth 5 chips and are in scanning mode. Malicious or vulnerable Bluetooth chips (e.g. compromised by BLEEDINGBIT or similar) can trigger the vulnerability as well.

Additional info:
* linux 5.8.14.arch1-1
* linux-lts 5.4.71-1
[1] https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
[2] https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit?id=f19425641cb2572a33cb074d5e30283720bd4d22
[3] https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
[4] https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit?id=eddb7732119d53400f48a02536a84c509692faa8
[5] https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649
[6] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e
This task depends upon

Closed by  freswa (frederik)
Saturday, 17 October 2020, 15:55 GMT
Reason for closing:  Fixed
Additional comments about closing:  linux 5.9.1.arch1-1, linux-lts 5.4.72-1, linux-zen 5.9.1.zen1-1 and linux-hardened 5.8.16.a-1
Comment by loqs (loqs) - Wednesday, 14 October 2020, 19:27 GMT
Missed [1] [2] apply to CVE-2020-12351
Comment by loqs (loqs) - Friday, 16 October 2020, 15:50 GMT Comment by T.J. Townsend (blakkheim) - Friday, 16 October 2020, 16:28 GMT
linux-hardened is also affected, correct? It's still not even on version 5.9 though.
Comment by loqs (loqs) - Friday, 16 October 2020, 16:48 GMT

Loading...