A brand new Bluetooth flaw in all but the most recent version of the Linux Kernel has captured the interest of both Google and Intel which have both issued warnings regarding its severity.
The defect itself resides from the BlueZ software stack that is used to implement Bluetooth core layers and protocols in Linux. In addition to being used in Linux notebooks, the software stack can also be utilized in several consumer devices as well as industrial IoT devices.
Google engineer Andy Nguyen has awarded the vulnerability the name BleedingTooth and in a recent tweet, he clarified that it is really”a pair of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated remote attacker at short space to execute arbitrary code with kernel privileges on vulnerable devices”.
- We have put together a list of the finest antivirus applications around
- Keep your systems updated with the best patch management applications
- Also, take a look at our roundup of the finest Linux notebooks
According to Nguyen, he was inspired by research that resulted in the discovery of the following proof-of-concept exploit called BlueBorne that permits an attacker to send commands without requiring an individual to click on links.
Although Nguyen has stated that BleedingTooth allows seamless code execution by attackers within Bluetooth range, Intel rather believes the flaw provides a way for a person to achieve independence escalation or to disclose information.
The chip giant has also issued an advisory where it clarified that BleedingTooth is actually comprised of three separate vulnerabilities tracked as CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490. Even though the first vulnerability has a high-severity CVSS score of 8.3, both have CVSS scores of 5.3. In its own BlueZ advisory, Intel explained that Linux kernel fixes will be released shortly, stating:
“Potential security vulnerabilities in BlueZ may allow escalation of privilege or data disclosure. BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.”
Intel itself is among the main contributors to the BlueZ open source project and as stated by the chipmaker, a series of kernel patches is the only way to tackle BleedingTooth. While about, the vulnerability isn’t the kind of thing users must be terrified of as an attacker would need to maintain close proximity of an exposed Linux device to exploit BleedingTooth.