BlueBorne Bluetooth Vulnerabilities

1. CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) – CVE-2017-1000251

Linux kernel versions from 3.3-rc1 to present contain a vulnerable implementation of L2CAP EFS within the BlueZ module. The l2cap_parse_conf_rsp function does not properly check then length of the rsp argument prior to unpacking, allowing an attacker to overflow a 64 byte buffer on the kernel stack with an unlimited amount of data crafted to conform to a valid L2CAP response.

2. CWE-125: Out-of-bounds Read – CVE-2017-1000250

All versions of BlueZ for Linux contains a vulnerable implementation of SDP. An attacker may be able to control the continuation state within SDP request packets and cause the SDP server to return an out of bounds read from the response buffer.

3. CWE-125: Out-of-bounds Read – CVE-2017-0785

All versions of Android prior to September 9, 2017 Security Patch level contain a vulnerable implementation of SDP within the Android Bluetooth software stack. An attacker may be able to control the continuation state within SDP request packets and cause the SDP server to return an out of bounds read from the response buffer. While a similar flaw to CVE-2017-1000250, this is a distinct vulnerability in a different software stack.

4. CWE-122: Heap-based Buffer Overflow – CVE-2017-0781

In all versions of Android prior to September 9, 2017 Security Patch level, an incorrect buffer size passed to a memcpy call within the BNEP implementation for Android may allow an attacker to send crafted packets to the device that overflow the heap.

5. CWE-191: Integer Underflow (Wrap or Wraparound) – CVE-2017-0782

In all versions of Android prior to September 9, 2017 Security Patch level, the bnep_process_control_packet function of the BNEP implementation for Android does not properly check the size of rem_len before decrementing, allowing integer underflow and further unsafe processing of attacker-controlled packets.

6. CWE-122: Heap-based Buffer Overflow– CVE-2017-14315

Apple’s Bluetooth Low-Energy Audio Protocol (LEAP) implementation in iOS version 9.3.5 and lower, and AppleTV tvOS version 7.2.2 and lower, does not properly validate the CID for incoming Bluetooth LEAP audio data, which may result in a heap overflow by not properly validating packet size before calling memcpy. An attacker sending “classic” (non-low-energy) Bluetooth packets may be able to cause multiple heap overflows resulting in code execution with the Bluetooth stack context.

7 and 8. CWE-300: Channel Accessible by Non-Endpoint (‘Man-in-the-Middle’) – CVE-2017-0783 and CVE-2017-8628

Incorrect “Security Level” requirements in the PAN profile of the Bluetooth implementation may allow an attacker to gain permissions to perform man in the middle attacks on the user. CVE-2017-0783 applies to all versions of Android prior to the September 9, 2017, Security Patch Level, while CVE-2017-8628 applies to a similar flaw in all versions of Windows from Windows Vista to Windows 10.

For more details, please read Armis’s BlueBorne disclosure website and Technical White Paper.