CERT Coordination Center

Linux kernel Bluetooth support fails to properly bounds check "protocol" variable

Vulnerability Note VU#685461

Original Release Date: 2005-04-05 | Last Revised: 2005-12-22

Overview

Linux kernels with Bluetooth support do not adequately validate the "protocol" value, allowing a local user to execute arbitrary code with elevated privileges.

Description

Linux kernels with Bluetooth support may contain a local root vulnerability, even if Bluetooth hardware is not present. A call to socket() may bypass a bounds check on the protocol value. This value is later used as an index to look up a function pointer, making it possible for an attacker to execute arbitrary code from memory regions the attacker controls.

The flawed Bluetooth kernel modules are present by default on some Linux distributions and are frequently loadable by unprivileged users.
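
The bounds-check flaw described above, modelled in user space as an added example (not code from the kernel or from this note). It assumes the bypass is a negative protocol value passing an upper-bound-only comparison on a signed int; MAX_PROTO, proto_table and all function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>

#define MAX_PROTO 8                 /* hypothetical table size */

typedef int (*create_fn)(void);     /* per-protocol "create socket" handler */

static int create_a(void) { return 100; }
static int create_b(void) { return 200; }

/* Handler table indexed by the caller-supplied protocol number. */
static create_fn proto_table[MAX_PROTO] = { create_a, create_b };

/* Weak check (assumed form of the flaw): upper bound only, on a signed int. */
int proto_ok_weak(int proto)  { return proto < MAX_PROTO; }

/* Hardened check: reject negative values as well. */
int proto_ok_fixed(int proto) { return proto >= 0 && proto < MAX_PROTO; }

/* Count values in [lo, hi] that a validator accepts although they would
 * index outside proto_table. Nothing is dereferenced here. */
int count_escapes(int (*ok)(int), int lo, int hi)
{
    int n = 0;
    for (int p = lo; p <= hi; p++)
        if (ok(p) && (p < 0 || p >= MAX_PROTO))
            n++;
    return n;
}

/* Dispatch as it should be written: validate, then index, then call. */
int sock_create_model(int proto)
{
    if (!proto_ok_fixed(proto))
        return -EINVAL;
    if (proto_table[proto] == NULL)
        return -EPROTONOSUPPORT;
    return proto_table[proto]();
}

int main(void)
{
    printf("weak check accepts -1:  %d\n", proto_ok_weak(-1));
    printf("fixed check accepts -1: %d\n", proto_ok_fixed(-1));
    printf("escapes, weak:  %d\n", count_escapes(proto_ok_weak, -1000, 1000));
    printf("escapes, fixed: %d\n", count_escapes(proto_ok_fixed, -1000, 1000));
    printf("create(-1) = %d\n", sock_create_model(-1));
    return 0;
}
```

The sweep in count_escapes is the kind of regression check worth keeping next to any table dispatch keyed on a caller-supplied integer.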

Impact

An unprivileged, local, authenticated user may be able to gain elevated privileges, even on systems without Bluetooth drivers previously loaded or on systems without Bluetooth hardware installed.

Solution

Apply An Update

This issue is addressed in Linux kernels 2.4.30-rc2 and 2.6.11.6.

Disable Bluetooth Support

As a workaround, administrators may remove the Bluetooth kernel module(s) from their system.

Install Kernel Modules

Suresec Ltd. has also created loadable kernel modules that check the protocol and domain values for validity before they are used in the flawed Bluetooth code. More information is available in Suresec security advisory 1.

Vendor Information

Linux Kernel Archives

Updated:  April 05, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed in Linux kernels 2.4.30-rc2 and 2.6.11.6.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc.

Notified:  April 05, 2005 Updated:  December 22, 2005

Status

  Vulnerable

Vendor Statement

This issue could affect Red Hat Enterprise Linux 2.1, 3, and 4 users where the
bluetooth modules are loaded.  Updated kernel packages are available at the URL
below and by using the Red Hat Network 'up2date' tool.

http://rhn.redhat.com/errata/CAN-2005-0750.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian Linux

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

Engarde

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

Hewlett-Packard Company

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

IBM eServer

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

IBM zSeries

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

Immunix

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

Ingrian Networks, Inc.

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

Mandriva, Inc.

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

MontaVista Software, Inc.

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

Novell, Inc.

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

Openwall GNU/*/Linux

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

SUSE Linux

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

SUSE/Novell has released fixed packages to fix this problem, documented in this security advisory:

http://www.novell.com/linux/security/advisories/2005_21_kernel.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

Sequent Computer Systems, Inc.

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

Sun Microsystems, Inc.

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

The SCO Group (SCO Linux)

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

TurboLinux

Notified:  April 05, 2005 Updated:  April 08, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

Acknowledgements

Thanks to Suresec Ltd for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

CVE IDs: CVE-2005-0750
Severity Metric: 8.78
Date Public: 2005-03-27
Date First Published: 2005-04-05
Date Last Updated: 2005-12-22 19:16 UTC
Document Revision: 22

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.