Bluetooth/BlueZ information disclosure in BlueZ and remote code execution in the bluetooth L2CAP stack in the Linux kernel (CVE-2017-1000250, CVE-2017-1000251 aka BlueBorne)
Two issues were discovered in the BlueZ stack. The first issue, CVE-2017-1000250, is an information disclosure vulnerability in the Service Discovery Protocol (SDP) implementation in the BlueZ bluetoothd userspace daemon. A physically proximate unauthenticated attacker could use this to expose memory from the bluetoothd daemon.
The second issue, CVE-2017-1000251, is a stack-based buffer overflow in the l2cap_config_rsp() function in the bluetooth L2CAP stack of the Linux kernel. This would normally result in remote code execution; however, Ubuntu kernels are built with the CONFIG_CC_STACKPROTECTOR configuration option enabled as a mitigation, turning a stack-based buffer overflow into a denial of service. A physically proximate unauthenticated attacker could use this to cause a denial of service (system crash).
The BlueZ upstream has a fix for CVE-2017-1000250 in their git tree. Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 17.04 were affected. To address the issue ensure that bluez 4.101-0ubuntu13.3 (Ubuntu 14.04 LTS), bluez 5.37-0ubuntu5.1 (Ubuntu 16.04 LTS), or bluez 5.43-0ubuntu1.1 (Ubuntu 17.04) are installed. These updates were announced in USN 3413-1.
The kernel issue, CVE-2017-1000251, was fixed in the upstream Linux kernel. Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 17.04, and Ubuntu 12.04 ESM were affected. As of 2017-09-18, updates are available for all releases, and were announced in USN 3419-1 (Ubuntu 17.04), USN 3420-1 (Ubuntu 16.04 LTS), USN 3422-1 (Ubuntu 14.04 LTS), and USN 3423-1 (Ubuntu 12.04 ESM), along with the corresponding Hardware Enablement (HWE) kernels.
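As an added example (not part of the original advisory), a small POSIX shell check that compares an installed bluez package version against the fixed versions listed above and confirms that the CONFIG_CC_STACKPROTECTOR mitigation is present in a kernel config file. It assumes GNU coreutils `sort -V` orders these Debian version strings the same way `dpkg --compare-versions` would, and that `/etc/os-release` and `/boot/config-$(uname -r)` exist on the host being checked.

```shell
#!/bin/sh
# Added remediation check for the two BlueBorne fixes described above.
# Fixed bluez versions are the ones named in USN 3413-1; the kernel check only
# confirms the CONFIG_CC_STACKPROTECTOR mitigation, not the USN kernel update.

# Fixed bluez package version for an Ubuntu release (from the advisory text).
bluez_fixed_version() {
    case "$1" in
        14.04) echo "4.101-0ubuntu13.3" ;;
        16.04) echo "5.37-0ubuntu5.1" ;;
        17.04) echo "5.43-0ubuntu1.1" ;;
        *) return 1 ;;
    esac
}

# version_ge A B: succeeds when A >= B. Uses GNU sort -V as an offline stand-in
# for dpkg --compare-versions (assumption: both agree for these strings).
version_ge() {
    [ "$(printf '%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# bluez_is_fixed RELEASE INSTALLED_VERSION: succeeds when the installed bluez
# is at or above the fixed version for that release; 2 = unknown release.
bluez_is_fixed() {
    fixed=$(bluez_fixed_version "$1") || return 2
    version_ge "$2" "$fixed"
}

# stackprotector_enabled CONFIG_FILE: succeeds when the kernel config shows
# the stack protector that turns CVE-2017-1000251 into a denial of service.
stackprotector_enabled() {
    grep -q '^CONFIG_CC_STACKPROTECTOR=y$' "$1"
}

# Live check on an Ubuntu host (needs dpkg and /boot/config-*).
check_host() {
    rel=$(. /etc/os-release 2>/dev/null && echo "$VERSION_ID")
    inst=$(dpkg-query -W -f='${Version}' bluez 2>/dev/null)
    if bluez_is_fixed "$rel" "$inst"; then
        echo "bluez $inst: at fixed version for CVE-2017-1000250 on Ubuntu $rel"
    else
        echo "bluez ${inst:-missing}: NOT at fixed version for Ubuntu ${rel:-unknown}"
    fi
    if stackprotector_enabled "/boot/config-$(uname -r)"; then
        echo "kernel: CONFIG_CC_STACKPROTECTOR=y (overflow mitigated to DoS)"
    else
        echo "kernel: stack protector not confirmed; apply the USN kernel update"
    fi
}

case "${1:-}" in --host) check_host ;; esac
```

Run it as `sh check.sh --host` on the Ubuntu machine; without the flag it only defines the functions.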
- 2017 Sept 05: received initial notification from Armis Labs
- 2017 Sept 12: BlueBorne advisory is made public
- 2017 Sept 12: Linux kernel commit is made publicly available
- 2017 Sept 12: Ubuntu BlueZ updates are made available in USN 3413-1