BleedingTooth Linux Exploit Can Lead to Remote Code Execution Within Bluetooth Range
A new Bluetooth security vulnerability has appeared, and this time Linux is under the gun. Andy Nguyen, an information security researcher, discovered the vulnerabilities. They are collectively known as BleedingTooth, which allows for zero-click remote code execution on Linux devices within Bluetooth range. The code can be executed with kernel privileges, and Intel has rated the exploit at an 8.3 on the common vulnerability scoring system (CVSS).
According to the research page for CVE-2020-12351, BleedingTooth is a "Heap-Based Type Confusion in L2CAP." What this means is that a malicious user can send data to the Bluetooth subsystem (BlueZ program) in Linux, after which the code for the subsystem does not check the type of payload. As a result, the injection is read into the subsystem, and it can lead to further code execution. As the research page explains, "A remote attacker in short distance knowing the victim's bd [Bluetooth Device] address can send a malicious l2cap packet and cause denial of service or possibly arbitrary code execution with kernel privileges." Andy Nguyen showcased this vulnerability in the video below, where he launched a calculator program on a remote machine.
Intel reports that any Linux kernel versions before 5.10 that support BlueZ (the Linux Bluetooth stack) are vulnerable to the attack. While the exploit could be bad, as some comments have said, "Bluetooth range is punching range," so executing an attack could be difficult. Furthermore, users could disable Bluetooth until their systems are patched. No matter what, if you are a Linux user, this is something to be aware of, so keep an eye on the Intel Security Center for more information on steps to take if you are affected.