
CERT Coordination Center

Multiple Bluetooth implementation vulnerabilities affect many devices

Vulnerability Note VU#240311

Original Release Date: 2017-09-12 | Last Revised: 2017-11-08

Overview

A collection of Bluetooth implementation vulnerabilities, collectively known as "BlueBorne", has been publicly disclosed. The vulnerabilities affect Windows, iOS, and Linux-kernel-based operating systems including Android and Tizen, and in the worst case may allow an unauthenticated attacker within Bluetooth range to execute arbitrary code on the device.

Description

The following vulnerabilities have been identified in various Bluetooth implementations:

1. CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2017-1000251

Linux kernel versions from 3.3-rc1 up to the release that includes the fix contain a vulnerable implementation of L2CAP Extended Flow Specification (EFS) handling in the kernel Bluetooth (BlueZ) subsystem. While parsing an L2CAP configuration response, the l2cap_parse_conf_rsp function writes configuration options into a 64-byte buffer on the kernel stack without checking how much of that buffer has already been used, so an attacker who sends a crafted but otherwise valid L2CAP configuration response can overflow the buffer with attacker-controlled data.

2. CWE-125: Out-of-bounds Read - CVE-2017-1000250

All versions of BlueZ for Linux up to the release that includes the fix contain a vulnerable SDP server implementation. When a response is too large for one packet, the server returns a continuation state that the client echoes back in its next request. The server trusts the echoed continuation state, so an attacker who controls it can cause the SDP server to read beyond the bounds of its response buffer and return the out-of-bounds memory in the reply.

3. CWE-125: Out-of-bounds Read - CVE-2017-0785

All versions of Android prior to the September 2017 security patch level contain a vulnerable SDP implementation in the Android Bluetooth stack. As with CVE-2017-1000250, an attacker may control the continuation state within SDP request packets and cause the SDP server to read out of bounds from its response buffer and return the leaked memory. Although the flaw is similar to CVE-2017-1000250, this is a distinct vulnerability in a different code base (Android's own stack, not BlueZ).

4. CWE-122: Heap-based Buffer Overflow - CVE-2017-0781

In all versions of Android prior to the September 2017 security patch level, the BNEP implementation passes an incorrect buffer size to a memcpy call, so an attacker who sends crafted BNEP packets to the device may overflow a heap buffer.

5. CWE-191: Integer Underflow (Wrap or Wraparound) - CVE-2017-0782

In all versions of Android prior to the September 2017 security patch level, the bnep_process_control_packet function of the BNEP implementation decrements rem_len (the count of packet bytes not yet consumed) without first checking that enough bytes remain, allowing an integer underflow; the wrapped rem_len is then used as the bound for further processing of attacker-controlled packet data.

6. CWE-122: Heap-based Buffer Overflow - CVE-2017-14315

Apple's Bluetooth Low Energy Audio Protocol (LEAP) implementation in iOS 9.3.5 and earlier, and in tvOS 7.2.2 and earlier on Apple TV, does not properly validate the channel identifier (CID) of incoming LEAP audio data and does not validate the packet size before calling memcpy, which may result in a heap overflow. An attacker sending "classic" (non-Low-Energy) Bluetooth packets may be able to trigger multiple heap overflows and achieve code execution in the context of the Bluetooth stack.

7 and 8. CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') - CVE-2017-0783 and CVE-2017-8628

Incorrect "Security Level" requirements in the PAN profile of the Bluetooth implementation allow a PAN connection to be established without the authentication the profile should demand, which may let an attacker act as a man-in-the-middle on the user's network traffic. CVE-2017-0783 applies to all versions of Android prior to the September 2017 security patch level; CVE-2017-8628 is a similar flaw in all versions of Windows from Windows Vista through Windows 10.
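Items 2 and 3 above describe the same bug class in two code bases: an SDP server that serves a long response in chunks and trusts the continuation state the client echoes back. The C program below is an added model of that exchange, not BlueZ's or Android's code; the wire layout of the continuation state (a length byte followed by a 16-bit offset), the sdp_next_chunk function, the cached response and the sentinel padding are all constructed for the demonstration. The same handler runs with the bounds check switched off (the vulnerable behaviour) and on (the fix), and the hostile client shows the unchecked offset pulling bytes that were never part of the response.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of SDP continuation handling (not BlueZ or Android code).
 * A long ServiceSearchAttribute response is cached server-side and returned in
 * CHUNK-byte pieces. The client echoes a continuation state which, in this
 * model, is [len=2][16-bit big-endian offset] naming where the next chunk
 * starts. The bug class is trusting that offset. */

#define ARENA_SIZE 64
#define CHUNK      16
#define SENTINEL   0x53   /* marks bytes that are NOT part of the cached response */

struct sdp_cache {
    uint8_t arena[ARENA_SIZE]; /* cached response, then unrelated memory (sentinel) */
    size_t  resp_len;          /* how many arena bytes are the real response */
};

/* Constructed cache: a 20-byte response (0x01..0x14) followed by sentinel bytes.
 * The padding keeps the demo's out-of-bounds read inside arena[]; the real bug
 * reads whatever happens to follow the response buffer in memory. */
void sdp_cache_init(struct sdp_cache *c)
{
    memset(c->arena, SENTINEL, ARENA_SIZE);
    c->resp_len = 20;
    for (size_t i = 0; i < c->resp_len; i++)
        c->arena[i] = (uint8_t)(i + 1);
}

/* Decode the continuation state; an empty or zero-length state is a first request. */
static int parse_cont(const uint8_t *cont, size_t cont_len, size_t *offset)
{
    if (cont_len == 0 || cont[0] == 0) { *offset = 0; return 0; }
    if (cont[0] != 2 || cont_len < 3) return -1;          /* malformed */
    *offset = ((size_t)cont[1] << 8) | cont[2];
    return 0;
}

/* Serve the next chunk. With hardened == 0 this behaves like the flawed servers:
 * the client-supplied offset is never compared with resp_len, so for an offset
 * past the end the subtraction wraps, 'remaining' becomes enormous and a full
 * chunk is copied from beyond the real response. Returns bytes served or -1. */
int sdp_next_chunk(const struct sdp_cache *c, const uint8_t *cont, size_t cont_len,
                   uint8_t *out, size_t *next_offset, int hardened)
{
    size_t offset;
    if (parse_cont(cont, cont_len, &offset) < 0) return -1;
    if (hardened && offset > c->resp_len) return -1;      /* the missing bounds check */
    size_t remaining = c->resp_len - offset;              /* wraps when unchecked */
    size_t n = remaining < CHUNK ? remaining : CHUNK;
    memcpy(out, c->arena + offset, n);
    *next_offset = (offset + n < c->resp_len) ? offset + n : 0;
    return (int)n;
}

/* Well-behaved client: follows the server's continuation states to the end.
 * Returns the total number of response bytes received, or -1 on error. */
int legit_total_bytes(int hardened)
{
    struct sdp_cache c; sdp_cache_init(&c);
    uint8_t out[CHUNK], cont[3] = {0};
    size_t cont_len = 0, next = 0;
    int total = 0;
    for (int round = 0; round < 8; round++) {
        int n = sdp_next_chunk(&c, cont, cont_len, out, &next, hardened);
        if (n < 0) return -1;
        total += n;
        if (next == 0) break;
        cont[0] = 2; cont[1] = (uint8_t)(next >> 8); cont[2] = (uint8_t)next;
        cont_len = 3;
    }
    return total;
}

/* Hostile client: skips the first request and sends a forged continuation state
 * pointing at offset 40, past the 20-byte response. Returns how many sentinel
 * (non-response) bytes the server leaked, or -1 if it rejected the request. */
int hostile_leaked_bytes(int hardened)
{
    struct sdp_cache c; sdp_cache_init(&c);
    uint8_t out[CHUNK];
    const uint8_t forged[3] = {2, 0x00, 0x28};            /* offset 0x0028 = 40 */
    size_t next = 0;
    int n = sdp_next_chunk(&c, forged, 3, out, &next, hardened);
    if (n < 0) return -1;
    int leaked = 0;
    for (int i = 0; i < n; i++) leaked += (out[i] == SENTINEL);
    return leaked;
}

int main(void)
{
    printf("legit exchange : vulnerable=%d bytes, hardened=%d bytes\n",
           legit_total_bytes(0), legit_total_bytes(1));
    printf("forged offset  : vulnerable leaked %d bytes, hardened returned %d\n",
           hostile_leaked_bytes(0), hostile_leaked_bytes(1));
    return 0;
}
```

The bounds check is the minimal fix. A more robust design does not put a raw buffer offset on the wire at all: the server keeps the offset in its own per-connection state and hands the client an opaque token (or an authenticated one), so a forged continuation state cannot name an address the server never issued.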

For more details, please read Armis's BlueBorne disclosure website and Technical White Paper.
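The two BNEP flaws (items 4 and 5 above) share one pattern: a packet-walking loop adjusts a remaining-length counter from attacker-supplied header fields without first checking that the counter can absorb the adjustment. The following C program is an added illustration of that pattern, not Android's code; the extension-header layout, the walk_ext_headers_vuln and walk_ext_headers_safe functions and the two test frames are constructed for the demonstration. rem_len is a uint16_t, as in the affected stack, so the vulnerable walk shows it wrapping to a value near 65535 and the parser running past the declared end of the packet, while the hardened walk performs the missing comparison before every subtraction.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of a BNEP extension-header walk (not Android's code).
 * A frame may carry a chain of extension headers, each laid out as
 *   [ext_type: 1 byte, bit 7 set = another extension follows]
 *   [ext_len : 1 byte]
 *   [ext_len bytes of payload]
 * rem_len counts the frame bytes not yet consumed. It is a uint16_t, as in the
 * affected stack, so an unchecked subtraction wraps instead of going negative. */

#define BNEP_EXT_FLAG 0x80
#define FRAME_CAP     64

struct walk_result {
    int      headers;   /* extension headers consumed */
    size_t   offset;    /* parser position (bytes from frame start) when it stopped */
    uint16_t rem_len;   /* rem_len as the parser believes it to be when it stopped */
    int      rejected;  /* 1 if the hardened walk refused the frame */
};

/* Vulnerable walk: ext_len is trusted and rem_len is decremented without first
 * checking that it can absorb 2 + ext_len. Once it wraps, rem_len no longer
 * limits anything and the parser keeps reading past the frame. */
struct walk_result walk_ext_headers_vuln(const uint8_t *frame, uint16_t rem_len)
{
    struct walk_result r = {0, 0, rem_len, 0};
    const uint8_t *p = frame;
    int ext = 1;
    while (ext && r.rem_len) {
        uint8_t ext_type = *p++;
        uint8_t ext_len  = *p++;
        ext = ext_type & BNEP_EXT_FLAG;
        p += ext_len;                                   /* skip payload, unchecked */
        r.rem_len -= (uint16_t)(2 + ext_len);           /* BUG: underflows */
        r.headers++;
    }
    r.offset = (size_t)(p - frame);
    return r;
}

/* Hardened walk: every subtraction is preceded by the comparison it needs. */
struct walk_result walk_ext_headers_safe(const uint8_t *frame, uint16_t rem_len)
{
    struct walk_result r = {0, 0, rem_len, 0};
    const uint8_t *p = frame;
    int ext = 1;
    while (ext) {
        if (r.rem_len < 2) { r.rejected = 1; break; }      /* no room for a header */
        uint8_t ext_type = *p++;
        uint8_t ext_len  = *p++;
        r.rem_len -= 2;
        if (ext_len > r.rem_len) { r.rejected = 1; break; } /* the missing check */
        ext = ext_type & BNEP_EXT_FLAG;
        p += ext_len;
        r.rem_len -= ext_len;
        r.headers++;
    }
    r.offset = (size_t)(p - frame);
    return r;
}

/* Constructed frames. The buffer is zero-padded so the vulnerable walk's reads
 * past the declared length still land inside the array; real packet memory has
 * no such padding. Each builder returns the frame's declared length. */
size_t build_malformed_frame(uint8_t *frame)
{
    memset(frame, 0, FRAME_CAP);
    frame[0] = BNEP_EXT_FLAG | 0x01;    /* ext_type with "more follows" set */
    frame[1] = 0x10;                    /* claims 16 payload bytes, only 4 are there */
    frame[2] = 0xde; frame[3] = 0xad; frame[4] = 0xbe; frame[5] = 0xef;
    return 6;
}

size_t build_benign_frame(uint8_t *frame)
{
    memset(frame, 0, FRAME_CAP);
    frame[0] = 0x01; frame[1] = 0x02;   /* one extension, nothing follows, 2 bytes */
    frame[2] = 0xaa; frame[3] = 0xbb;
    return 4;
}

/* Run one constructed frame through one of the walks. */
struct walk_result run_frame(int malformed, int hardened)
{
    uint8_t f[FRAME_CAP];
    size_t n = malformed ? build_malformed_frame(f) : build_benign_frame(f);
    return hardened ? walk_ext_headers_safe(f, (uint16_t)n)
                    : walk_ext_headers_vuln(f, (uint16_t)n);
}

int main(void)
{
    struct walk_result v = run_frame(1, 0), s = run_frame(1, 1);
    printf("vulnerable: stopped at offset %zu of a 6-byte frame, rem_len=%u\n",
           v.offset, v.rem_len);
    printf("hardened  : rejected=%d, stopped at offset %zu\n", s.rejected, s.offset);
    return 0;
}
```

The wrapped rem_len is the link between items 4 and 5: once it reads as roughly 65,000 bytes remaining, any later length derived from it (including the size handed to memcpy in item 4) is no longer tied to the packet that actually arrived.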

Impact

An unauthenticated, remote attacker may be able to obtain private information about the device or user, or execute arbitrary code on the device.

Solution

Apply an update

Patches are available in the latest releases of Windows (see Microsoft bulletin), iOS, the Linux kernel, and Android (see September 2017 security bulletin).

Check with your device manufacturer to determine if firmware updates will be available.

Phones and other mobile devices in the US running Android are likely to see delayed updates, or possibly never receive updates, due to the complexity of the US mobile ecosystem which typically requires manufacturer and carrier support to push updates.

If an update is not available, affected users should consider the following workaround:

Disable Bluetooth on your device

Affected users should consider disabling Bluetooth on affected devices if Bluetooth is unused or unnecessary.

Vendor Information


Android Open Source Project

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

BlackBerry

Notified:  September 18, 2017 Updated:  September 19, 2017

Statement Date:   September 19, 2017

Status

  Affected

Vendor Statement

From the BlackBerry security notice:

"BlackBerry recommends that all users of BlackBerry powered by Android smartphones should update to the September Security Maintenance release as soon as it is available.

There is no action necessary for users of BlackBerry 10 or BlackBerry OS smartphones.

BlackBerry recommends keeping server and device operating systems up to date.

QNX customers should contact their Bluetooth stack vendor for guidance."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Google

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lenovo

Notified:  September 12, 2017 Updated:  September 19, 2017

Statement Date:   September 19, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Some Lenovo products are affected; patches are available. Users are encouraged to check Lenovo Security Advisory LEN-17125 for details.

Vendor References

Microsoft Corporation

Notified:  September 12, 2017 Updated:  September 13, 2017

Statement Date:   September 12, 2017

Status

  Affected

Vendor Statement

Microsoft released security updates on July 11, 2017, and customers who have Windows Update enabled and have applied the security updates are protected automatically.

Vendor Information

CVE-2017-8628 describes this vulnerability in affected Microsoft products.

Vendor References

Samsung Mobile

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Tizen

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Technicolor

Updated:  November 08, 2017

Statement Date:   October 18, 2017

Status

  Not Affected

Vendor Statement

Technicolor products are unaffected since most of them do not provide Bluetooth capacity.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Amazon

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Barnes and Noble

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

HTC

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Huawei Technologies

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Kyocera Communications

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

LG Electronics

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Motorola, Inc.

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sony Corporation

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Xiaomi

Notified:  September 12, 2017 Updated:  September 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References



CVSS Metrics

Group         Score   Vector
Base          7.9     AV:A/AC:M/Au:N/C:C/I:C/A:C
Temporal      6.2     E:POC/RL:OF/RC:C
Environmental 6.2     CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

These vulnerabilities were publicly disclosed by Ben Seri and Gregory Vishnepolsky of Armis. Armis acknowledges Alon Livne for the Linux RCE (CVE-2017-1000251) exploit.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, CVE-2017-0785, CVE-2017-8628, CVE-2017-14315, CVE-2017-1000250, CVE-2017-1000251
Date Public: 2017-09-12
Date First Published: 2017-09-12
Date Last Updated: 2017-11-08 20:46 UTC
Document Revision: 55

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.