Linux kernels with Bluetooth support do not adequately validate the "protocol" value, allowing a local user to execute arbitrary code with elevated privileges.
Linux kernels with Bluetooth support may contain a local root vulnerability, even if Bluetooth hardware is not present. A call to socket() may bypass a bounds check on the protocol value. The value is later used as an index to locate a function pointer, so an attacker may be able to execute arbitrary code from memory regions the attacker controls.
The flawed Bluetooth kernel modules are present by default on some Linux distributions and are frequently loadable by unprivileged users.
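The check-then-index pattern described above, as an added user-space model that is not kernel code and not part of the original note. It assumes the bypass comes from testing only the upper bound of a signed protocol value; `MAX_PROTO`, `proto_table`, `check_weak`, `check_strict` and `sock_create_model` are hypothetical names, and `-EFAULT` is used only by the model to mark an out-of-range index that got past validation.

```c
#include <errno.h>
#include <stddef.h>

#define MAX_PROTO 8                 /* constructed table size */

typedef int (*create_fn)(void);
static int create_ok(void) { return 0; }

/* Model of a per-protocol handler table; only slot 0 is registered. */
static create_fn proto_table[MAX_PROTO] = { create_ok };

/* Weak check (assumed form): tests only the upper bound of a signed value. */
static int check_weak(int proto)
{
    return proto >= MAX_PROTO ? -EINVAL : 0;
}

/* Hardened check: rejects both ends of the range. */
static int check_strict(int proto)
{
    return (proto < 0 || proto >= MAX_PROTO) ? -EINVAL : 0;
}

/*
 * Validate, then dispatch through the table. Returns -EFAULT (model only)
 * where the chosen check accepted an index that lies outside the table,
 * i.e. where unguarded code would read a pointer from unrelated memory.
 */
static int sock_create_model(int proto, int (*check)(int))
{
    if (check(proto) != 0)
        return -EINVAL;
    if (proto < 0 || proto >= MAX_PROTO)
        return -EFAULT;             /* out-of-bounds index reached dispatch */
    if (proto_table[proto] == NULL)
        return -EPROTONOSUPPORT;
    return proto_table[proto]();
}

int main(void)
{
    /* -1 passes the weak check but is stopped by the strict one. */
    return (sock_create_model(-1, check_weak) == -EFAULT &&
            sock_create_model(-1, check_strict) == -EINVAL) ? 0 : 1;
}
```

Declaring the index as an unsigned type is an equivalent hardening, since a single upper-bound comparison then covers the whole invalid range.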
An unprivileged, local, authenticated user may be able to gain elevated privileges, even on systems without Bluetooth drivers previously loaded or on systems without Bluetooth hardware installed.
Apply An Update
Thanks to Suresec Ltd for reporting this vulnerability.
Date First Published: 2005-04-05
Date Last Updated: 2005-12-22 19:16 UTC