FS#68256 - [security][linux][linux-lts] CVE-2020-12351 CVE-2020-12352 CVE-2020-24490
Attached to Project:
Arch Linux
Opened by loqs (loqs) - Wednesday, 14 October 2020, 19:26 GMT
Last edited by freswa (frederik) - Saturday, 17 October 2020, 15:55 GMT
Details
Description:
Multiple CVEs in the kernel bluetooth subsystem (BleedingTooth)

CVE-2020-12351 [1] [2]
A heap-based type confusion affecting Linux kernel 4.8 and higher was discovered in net/bluetooth/l2cap_core.c. A remote attacker in short distance knowing the victim's bd address can send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges. Malicious Bluetooth chips can trigger the vulnerability as well.

CVE-2020-12352 [3] [4]
A stack-based information leak affecting Linux kernel 3.6 and higher was discovered in net/bluetooth/a2mp.c. A remote attacker in short distance knowing the victim's bd address can retrieve kernel stack information containing various pointers that can be used to predict the memory layout and to defeat KASLR. The leak may contain other valuable information such as the encryption keys. Malicious Bluetooth chips can trigger the vulnerability as well.

CVE-2020-24490 [5] [6]
A heap-based buffer overflow affecting Linux kernel 4.19 and higher was discovered in net/bluetooth/hci_event.c. A remote attacker in short distance can broadcast extended advertising data and cause denial of service or possibly arbitrary code execution with kernel privileges on victim machines if they are equipped with Bluetooth 5 chips and are in scanning mode. Malicious or vulnerable Bluetooth chips (e.g. compromised by BLEEDINGBIT or similar) can trigger the vulnerability as well.

Additional info:
* linux 5.8.14.arch1-1
* linux-lts 5.4.71-1

[1] https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
[2] https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit?id=f19425641cb2572a33cb074d5e30283720bd4d22
[3] https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
[4] https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit?id=eddb7732119d53400f48a02536a84c509692faa8
[5] https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649
[6] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e
Closed by freswa (frederik)
Saturday, 17 October 2020, 15:55 GMT
Reason for closing: Fixed
Additional comments about closing: linux 5.9.1.arch1-1, linux-lts 5.4.72-1, linux-zen 5.9.1.zen1-1 and linux-hardened 5.8.16.a-1
[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/queue-5.9/bluetooth-a2mp-fix-not-initializing-all-members.patch?id=adebf14b1dce2a4058881d3141b3f5a9279e32ce
[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/queue-5.9/bluetooth-l2cap-fix-calling-sk_filter-on-non-socket-based-channel.patch?id=adebf14b1dce2a4058881d3141b3f5a9279e32ce
[3] https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/queue-5.4/bluetooth-a2mp-fix-not-initializing-all-members.patch?id=1c620e4373a8e454e6eaf32c2eae4212f8af6d07
[4] https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/queue-5.4/bluetooth-l2cap-fix-calling-sk_filter-on-non-socket-based-channel.patch?id=1c620e4373a8e454e6eaf32c2eae4212f8af6d07
[1] is not queued for 5.4 / 5.8. Is CVE-2020-24490 fixed by [2]?
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e
[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/queue-5.8/bluetooth-mgmt-fix-not-checking-if-bt_hs-is-enabled.patch?id=e57bf672b87cb7753fbf3fed38db76f0627a9628
Edit:
[1] is in 5.8 and backported to 5.4.56 as [3], hence no queued backport. So no Arch packages are vulnerable to CVE-2020-24490.
[3] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.4.56&id=9acd96f14a49f59401478eefe158aec489e0161f
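The fixed package versions in the closing comment and the CVE-2020-24490 backport note in the comment above, turned into a version check an Arch user can run against `pacman -Q`. This is an added example, not part of the bug report and not Arch or pacman code: the segment comparison is a hand-written approximation of pacman's vercmp rules (an assumption, not the real implementation), the per-package fixed versions are the ones freswa listed when closing, and the CVE-2020-24490 thresholds (pkgver 5.8 for linux, linux-zen and linux-hardened; 5.4.56 for linux-lts) are taken from the comment above. Function and table names are my own.

```python
import re
import sys

# Fixed package versions, as given in the closing comment of FS#68256.
FIXED_PACKAGE_VERSIONS = {
    "linux": "5.9.1.arch1-1",
    "linux-lts": "5.4.72-1",
    "linux-zen": "5.9.1.zen1-1",
    "linux-hardened": "5.8.16.a-1",
}

# CVE-2020-24490 was fixed upstream in 5.8 and backported to 5.4.56 (per the
# comment in the task), so it gets a pkgver-only threshold, not a package release.
CVE_2020_24490_FIXED_PKGVER = {"linux-lts": "5.4.56"}   # assumption: from comment
CVE_2020_24490_DEFAULT_PKGVER = "5.8"                    # assumption: from comment

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def _cmp(a, b):
    return (a > b) - (a < b)


def vercmp(a, b):
    """Compare two pkgver/pkgrel strings with pacman-style segment rules.

    Approximation of pacman's rpmvercmp (assumption: sufficient for kernel
    versions): numeric segments compare as integers, alphabetic ones lexically,
    numeric beats alphabetic, and a trailing alphabetic segment counts as older
    ("5.8.16.a" < "5.8.16"). A plain string compare would rank 5.10 below 5.9.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            c = _cmp(int(x), int(y))
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = _cmp(x, y)
        if c:
            return c
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0].isdigit():
        return 1 if a_longer else -1   # "5.8.14" is newer than "5.8"
    return -1 if a_longer else 1       # "5.8.16.a" is older than "5.8.16"


def parse_version(v):
    """Split '[epoch:]pkgver[-pkgrel]' into (epoch, pkgver, pkgrel)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    pkgver, sep, pkgrel = rest.rpartition("-")
    if not sep:
        pkgver, pkgrel = rest, ""
    return int(epoch), pkgver, pkgrel


def vercmp_pkg(a, b):
    """Full package version comparison: epoch, then pkgver, then pkgrel."""
    ea, va, ra = parse_version(a)
    eb, vb, rb = parse_version(b)
    if ea != eb:
        return _cmp(ea, eb)
    c = vercmp(va, vb)
    if c or not ra or not rb:   # pkgrel is only compared when both carry one
        return c
    return vercmp(ra, rb)


def status(pkg, installed):
    """Return {CVE: fixed?} for one installed kernel package version."""
    if pkg not in FIXED_PACKAGE_VERSIONS:
        raise ValueError(f"unknown kernel package: {pkg}")
    l2cap_a2mp_fixed = vercmp_pkg(installed, FIXED_PACKAGE_VERSIONS[pkg]) >= 0
    threshold = CVE_2020_24490_FIXED_PKGVER.get(pkg, CVE_2020_24490_DEFAULT_PKGVER)
    hci_fixed = vercmp(parse_version(installed)[1], threshold) >= 0
    return {
        "CVE-2020-12351": l2cap_a2mp_fixed,
        "CVE-2020-12352": l2cap_a2mp_fixed,
        "CVE-2020-24490": hci_fixed,
    }


if __name__ == "__main__":
    # Usage: python3 bleedingtooth_check.py linux 5.8.14.arch1-1 linux-lts 5.4.71-1
    # (pairs of package name and version, e.g. pasted from `pacman -Q linux linux-lts`).
    args = sys.argv[1:]
    for pkg, ver in zip(args[::2], args[1::2]):
        for cve, fixed in status(pkg, ver).items():
            print(f"{pkg} {ver}: {cve} {'fixed' if fixed else 'VULNERABLE'}")
```

Fed the versions from the report (linux 5.8.14.arch1-1, linux-lts 5.4.71-1), the check flags CVE-2020-12351 and CVE-2020-12352 as unfixed and CVE-2020-24490 as already fixed, which matches the conclusion in the comment above; for a definitive comparison on a real system, `vercmp` from pacman is the reference implementation.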