Zero-click Linux Bluetooth vulnerability allows remote takeover without the user even clicking a link

After months of research and rumors, the technical details of BleedingTooth, a zero-click attack on the Linux Bluetooth subsystem that would have allowed unauthenticated threat actors to execute arbitrary code with kernel privileges, have finally been revealed.

BleedingTooth is actually a set of three flaws found in BlueZ, the official Linux Bluetooth protocol stack, which is present on any Linux-based computer or Internet of Things (IoT) device.

Andy Nguyen, a Google security engineer, published a report describing in great detail how he discovered and chained these flaws to achieve remote code execution on an Ubuntu device used as a test environment.

In his report, the expert notes that his work built on the BlueBorne research, a set of Bluetooth vulnerabilities disclosed in 2017: “Prior to BlueBorne’s discovery, the investigation of Bluetooth attacks was limited to the analysis of firmware vulnerabilities or specifications that could be malicious.”

Of the flaws detected by Nguyen, the most serious (CVE-2020-12351) is a heap-based type confusion issue that received a score of 8.3/10 on the Common Vulnerability Scoring System (CVSS) scale: “An attacker close to a Bluetooth-enabled device can send malicious L2CAP packets, leading to a denial of service (DoS) scenario and even arbitrary code execution,” the researcher says.

Regarding the remaining two flaws, the expert notes that CVE-2020-12352 is an improper access control issue, while CVE-2020-24490 is an improper buffer-handling condition. Both flaws received medium severity scores under CVSS.

The flaws were patched in Linux kernel v5.10, released on October 14, just a couple of days after the flaws were publicly disclosed.

In disclosing his findings, Nguyen praised the work of the kernel maintainers: “I am glad that, as a result of this work, developers disabled the high-speed Bluetooth feature to mitigate the risk of exploitation. Although it is unlikely that a threat actor will be able to exploit these flaws, I am glad to have contributed to the use of a more secure and stable kernel,” Nguyen concluded.