== Bluetooth/BlueZ information disclosure in BlueZ and remote code execution in the bluetooth L2CAP stack in the Linux kernel (CVE-2017-1000250, CVE-2017-1000251 aka BlueBorne) ==

Two issues were [[https://www.armis.com/blueborne/ | discovered]] in the BlueZ stack. The first issue, [[https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000250.html | CVE-2017-1000250]], is an information disclosure vulnerability in the Service Discovery Protocol implementation in the BlueZ bluetoothd userspace daemon. A physically proximate unauthenticated attacker could use this to expose memory from the bluetoothd daemon.

The second issue, [[https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000251.html | CVE-2017-1000251]], is a stack-based buffer overflow in the l2cap_config_rsp() function in the bluetooth L2CAP stack of the Linux kernel. This would normally result in remote code execution; however, Ubuntu kernels are built with the CONFIG_CC_STACKPROTECTOR configuration option enabled as a mitigation, which turns the stack-based buffer overflow into a denial of service. A physically proximate unauthenticated attacker could use this to cause a denial of service (system crash).

The BlueZ upstream has a fix for CVE-2017-1000250 in their [[https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=9e009647b14e810e06626dde7f1bb9ea3c375d09 | git tree]]. Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 17.04 were affected.
To address the issue, ensure that [[https://launchpad.net/ubuntu/+source/bluez/4.101-0ubuntu13.3 | bluez 4.101-0ubuntu13.3]] (Ubuntu 14.04 LTS), [[https://launchpad.net/ubuntu/+source/bluez/5.37-0ubuntu5.1 | bluez 5.37-0ubuntu5.1]] (Ubuntu 16.04 LTS), or [[https://launchpad.net/ubuntu/+source/bluez/5.43-0ubuntu1.1 | bluez 5.43-0ubuntu1.1]] (Ubuntu 17.04) is installed. These updates were announced in [[http://www.ubuntu.com/usn/usn-3413-1 | USN 3413-1]].

The kernel issue, CVE-2017-1000251, was fixed in the upstream [[https://git.kernel.org/linus/e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 | Linux kernel]]. Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 17.04, and Ubuntu 12.04 ESM were affected. As of 2017-09-18, updates are available for all releases, and were announced in [[http://www.ubuntu.com/usn/usn-3419-1 | USN 3419-1 (Ubuntu 17.04)]], [[http://www.ubuntu.com/usn/usn-3420-1 | USN 3420-1 (Ubuntu 16.04 LTS)]], [[http://www.ubuntu.com/usn/usn-3422-1 | USN 3422-1 (Ubuntu 14.04 LTS)]], and [[http://www.ubuntu.com/usn/usn-3423-1 | USN 3423-1 (Ubuntu 12.04 ESM)]], along with the corresponding Hardware Enablement (HWE) kernels.

==== Timeline ====

 * 2017 Sept 05: received initial notification from Armis Labs
 * 2017 Sept 12: [[https://www.armis.com/blueborne/ | BlueBorne advisory]] is made public
 * 2017 Sept 12: [[https://git.kernel.org/linus/e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 | linux kernel commit]] is made publicly available
 * 2017 Sept 12: Ubuntu BlueZ updates are made available in [[http://www.ubuntu.com/usn/usn-3413-1 | USN 3413-1]]
 * 2017 Sept 18: Ubuntu kernel updates are made available in [[http://www.ubuntu.com/usn/usn-3419-1 | USN 3419-1 (Ubuntu 17.04)]], [[http://www.ubuntu.com/usn/usn-3420-1 | USN 3420-1 (Ubuntu 16.04 LTS)]], [[http://www.ubuntu.com/usn/usn-3422-1 | USN 3422-1 (Ubuntu 14.04 LTS)]], and [[http://www.ubuntu.com/usn/usn-3423-1 | USN 3423-1 (Ubuntu 12.04 ESM)]]
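As an added example (not from this page or from Ubuntu), a small checker that compares an installed bluez version against the USN 3413-1 versions listed above using a reimplementation of dpkg's version ordering, and inspects a kernel config text for the CONFIG_CC_STACKPROTECTOR mitigation the page describes; the function names and the sample versions are assumptions, and a real audit would feed it `dpkg-query -W bluez` and `/boot/config-$(uname -r)`.

```python
import re

# Fixed bluez versions from USN 3413-1, per Ubuntu release (taken from this page).
FIXED_BLUEZ = {"14.04": "4.101-0ubuntu13.3", "16.04": "5.37-0ubuntu5.1", "17.04": "5.43-0ubuntu1.1"}

def _order(c):
    # dpkg ordering for non-digit characters: '~' sorts before everything (even end of
    # string, which is 0), then letters, then other symbols.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare one version fragment the way dpkg does: alternate non-digit runs
    # (character by character with _order) and digit runs (numerically).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return oa - ob
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(v):
    # "epoch:upstream-revision"; epoch and revision are optional.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Negative, zero or positive, matching dpkg's ordering of v1 against v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def bluez_is_fixed(release, installed):
    """True if the installed bluez is at or above the USN 3413-1 version for this release."""
    if release not in FIXED_BLUEZ:
        raise ValueError(f"no fixed bluez version on this page for Ubuntu {release}")
    return compare_versions(installed, FIXED_BLUEZ[release]) >= 0

def stack_protector_enabled(kernel_config):
    """True if a /boot/config-* text has CONFIG_CC_STACKPROTECTOR (any variant) set to y."""
    return re.search(r"^CONFIG_CC_STACKPROTECTOR(_REGULAR|_STRONG)?=y$", kernel_config, re.M) is not None
```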