US-CERT Vulnerability Notes Database

Vulnerability Note VU#685461

Linux kernel Bluetooth support fails to properly bounds check "protocol" variable

Overview

Linux kernels with Bluetooth support do not adequately validate the "protocol" value, allowing a local user to execute arbitrary code with elevated privileges.

I. Description

Linux kernels with Bluetooth support may contain a local root vulnerability, even if Bluetooth hardware is not present. A call to socket() may bypass a bounds check on the protocol value. This value is later used as an index to select a function pointer, making it possible for an attacker to execute arbitrary code from memory regions the attacker controls.

The flawed Bluetooth kernel modules are present by default on some Linux distributions and are frequently loadable by unprivileged users.
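
The following is an added illustration, not code from the Linux kernel or from this note: a simplified user-space C model of a check that tests only the upper bound of a signed protocol value, beside a check that tests both bounds before the value indexes a table of function pointers. That the value accepted in error is a negative one is taken from the public CVE description of CAN-2005-0750; MAX_PROTO, proto_table and the function names are hypothetical.

```c
/* Added example: user-space model of the check, not kernel source.
 * All names (MAX_PROTO, proto_table, ...) are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PROTO 8

typedef int (*create_fn)(void);

static int create_sample(void) { return 100; }  /* constructed sample handler */

/* Table indexed by the caller-supplied protocol number; only slot 0 is set. */
static create_fn proto_table[MAX_PROTO] = { create_sample };

/* Flawed check: only the upper bound is tested, so a negative
 * signed value is accepted. Returns 1 if the value passes. */
int weak_check(int proto)
{
    return !(proto >= MAX_PROTO);
}

/* Corrected check: both bounds are tested. */
int strict_check(int proto)
{
    return proto >= 0 && proto < MAX_PROTO;
}

/* Dispatch that validates before indexing and rejects empty slots. */
int create_socket(int proto)
{
    if (!strict_check(proto))
        return -EINVAL;
    if (proto_table[proto] == NULL)
        return -EPROTONOSUPPORT;
    return proto_table[proto]();
}

int main(void)
{
    int samples[] = { 0, 3, 8, -1, -4096 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("proto=%6d weak=%d strict=%d result=%d\n", samples[i],
               weak_check(samples[i]), strict_check(samples[i]),
               create_socket(samples[i]));
    return 0;
}
```

The weak check is never used to index the table here; the model only reports which inputs each check accepts.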

II. Impact

An unprivileged, local, authenticated user may be able to gain elevated privileges, even on systems without Bluetooth drivers previously loaded or on systems without Bluetooth hardware installed.

III. Solution

Apply An Update

This issue is addressed in Linux kernels 2.4.30-rc2 and 2.6.11.6.

Disable Bluetooth Support

As a workaround, administrators may remove the Bluetooth kernel module(s) from their system.

Install Kernel Modules

Suresec Ltd. has also created loadable kernel modules that check the protocol and domain values for validity before they are used in the flawed Bluetooth code. More information is available in Suresec security advisory 1.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Debian Linux | Unknown | 8-Apr-2005
Engarde | Unknown | 8-Apr-2005
Hewlett-Packard Company | Unknown | 8-Apr-2005
IBM eServer | Unknown | 8-Apr-2005
IBM zSeries | Unknown | 8-Apr-2005
Immunix | Unknown | 8-Apr-2005
Ingrian Networks, Inc. | Unknown | 8-Apr-2005
Linux Kernel Archives | Vulnerable | 5-Apr-2005
Mandriva, Inc. | Unknown | 8-Apr-2005
Mandriva, Inc. | Unknown | 8-Apr-2005
MontaVista Software, Inc. | Unknown | 8-Apr-2005
Novell, Inc. | Unknown | 8-Apr-2005
Openwall GNU/*/Linux | Unknown | 8-Apr-2005
Red Hat, Inc. | Vulnerable | 22-Dec-2005
Sequent Computer Systems, Inc. | Unknown | 8-Apr-2005
Sun Microsystems, Inc. | Unknown | 8-Apr-2005
SUSE Linux | Unknown | 8-Apr-2005
The SCO Group (SCO Linux) | Unknown | 8-Apr-2005
TurboLinux | Unknown | 8-Apr-2005

References


http://secunia.com/advisories/14713/
http://www.suresec.org/advisories/adv1.pdf

Credit

Thanks to Suresec Ltd for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

Date Public: 2005-03-27
Date First Published: 2005-04-05
Date Last Updated: 2005-12-22
CERT Advisory:
CVE-ID(s): CAN-2005-0750
NVD-ID(s): CAN-2005-0750
US-CERT Technical Alerts:
Metric: 8.78
Document Revision: 22

Copyright 2005 Carnegie Mellon University