Zero-click RCE flaw allows hacking Linux machines remotely: BleedingTooth vulnerability

Google's security team has released a report detailing a severe vulnerability in the Bluetooth stack of Linux kernel versions earlier than 5.9 that ship BlueZ. Linux 5.9 has been available for a couple of days, and Intel recommends that users upgrade to it to prevent exploitation of CVE-2020-12351.

In its security alert, Intel states: “Incorrect input validation in BlueZ would allow unauthenticated threat actors to deploy a privilege escalation through adjacent access.” BlueZ ships in Linux-based Internet of Things (IoT) devices as the official Bluetooth stack; Intel adds that the project is preparing Linux kernel fixes for these flaws, as well as for the other reported vulnerabilities.

The other flaws addressed, identified as CVE-2020-12352 and CVE-2020-24490, stem from inadequate access controls in BlueZ and allow threat actors to obtain information disclosure through adjacent access. Andy Nguyen, a member of Google's security team, reported the flaws to Intel.

Separately, researchers at Purdue University reported that BlueZ is also vulnerable to Bluetooth Low Energy spoofing attacks (BLESA). Google has published a detailed report on these flaws on GitHub, as its researchers consider the issue far more serious than Intel's advisory suggests.

BlueZ comprises several Bluetooth modules, including the core of the Bluetooth kernel subsystem and the L2CAP and SCO audio kernel layers. Google's report notes that a threat actor within Bluetooth range could execute arbitrary code with kernel privileges if they know the address of the target device: “Attackers who know the victim's bd address could send a malicious l2cap packet to deploy a denial-of-service condition or arbitrary code execution,” the report states.

This flaw, dubbed BleedingTooth, affects Linux kernel versions from 5.8 up to, but not including, 5.9.
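As an added defender-side example (written for this page, not taken from the Google or Intel reports), the following POSIX shell helper flags a host whose running kernel falls in the 5.8.x range the article names and whose bluetooth module is actually loaded, which is the condition under which the L2CAP path described above is reachable; the function names are assumed.

```shell
#!/bin/sh
# BleedingTooth triage helper (added example, not from the original reports).
# Uses the version range stated in the article: 5.8 <= kernel < 5.9.

# bleedingtooth_affected VERSION -> returns 0 if VERSION is a 5.8.x kernel.
# VERSION is a `uname -r` style string such as "5.8.14-arch1-1".
bleedingtooth_affected() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-arch1-1", "-rc3", ...
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    minor=${minor:-0}                                  # "5" alone means 5.0
    [ "$major" -eq 5 ] && [ "$minor" -eq 8 ]
}

# bluetooth_loaded -> returns 0 if the bluetooth kernel module is loaded.
# Reads /proc/modules directly so it does not depend on lsmod being present.
bluetooth_loaded() {
    grep -q '^bluetooth ' /proc/modules 2>/dev/null
}

# triage_host VERSION -> prints a verdict; returns 0 only when action is
# needed (affected kernel AND Bluetooth subsystem loaded), else 1.
triage_host() {
    if bleedingtooth_affected "$1"; then
        if bluetooth_loaded; then
            echo "kernel $1 is in the affected range and bluetooth is loaded: upgrade to 5.9"
            return 0
        fi
        echo "kernel $1 is in the affected range but the bluetooth module is not loaded"
        return 1
    fi
    echo "kernel $1 is outside the range the report describes"
    return 1
}

# Usage: sh triage.sh "$(uname -r)"
if [ $# -gt 0 ]; then triage_host "$1" || :; fi
```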