Proficio has observed multiple open-source intelligence reports detailing the disclosure of several critical Bluetooth vulnerabilities and an attack vector that uses them, known as “BlueBorne.” Here are the details we have gathered so far.
BlueBorne Summary
Multiple news outlets have reported the discovery of several important vulnerabilities in both the design and implementation of the Bluetooth communication protocol. These vulnerabilities are notable for their unusual reach and effectiveness: according to sources, an unpatched device can be compromised by an attacking device within 32 feet (roughly 10 metres), the only requirement being that Bluetooth is turned on. Their impact is magnified by Bluetooth being the most widely used protocol for short-range connectivity and communications. The vulnerabilities can be used by attackers to run malicious code on vulnerable devices and to perform Man-in-the-Middle (MITM) attacks.
Technical Details
Eight vulnerabilities have been identified and disclosed at this time: four remote code execution (RCE) flaws, two information leaks and two logical flaws that enable MITM attacks. Each is summarised below.
1. Linux kernel RCE vulnerability – CVE-2017-1000251
This vulnerability, in the kernel's L2CAP implementation, allows an attacker to overflow a 64-byte buffer on the kernel stack with an unlimited amount of attacker-supplied data. While a stack overflow does not automatically translate into code execution, because modern operating systems ship mitigations against it, most devices running Linux today lack mitigations such as stack canaries and Kernel Address Space Layout Randomization (KASLR).
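The bug class described above, as an added example that is not the Linux kernel's own code: a configuration-option handler that appends attacker-controlled type/length/value (TLV) options into a 64-byte response buffer on the stack, modelled on the L2CAP configuration handling where CVE-2017-1000251 was found. The vulnerable and fixed handlers differ only in one bounds check on the output buffer; the function names and the CONF_OPT_QOS option type are assumptions made for the example.

```c
/* Added example, not the Linux kernel's code: a simplified model of the bug
 * class in CVE-2017-1000251. Configuration options arrive as TLV records and
 * the handler copies accepted options into a 64-byte response buffer on the
 * stack. With no check on how much has been appended, a packet carrying enough
 * options writes past the buffer by as much as the packet is long.
 * Function names and CONF_OPT_QOS are illustrative, not kernel identifiers. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CONF_BUF_LEN 64
#define CONF_OPT_QOS 0x03          /* illustrative option type */

/* Vulnerable: checks that each option lies inside the packet, but never that the
 * accumulated response still fits in rsp[]. Returns bytes appended or -1.
 * Only called with a packet that fits below, because a larger one smashes the stack. */
static int build_conf_rsp_vuln(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t rsp[CONF_BUF_LEN];
    size_t in = 0, out = 0;
    while (in + 2 <= pkt_len) {
        uint8_t type = pkt[in];
        size_t len = pkt[in + 1];
        if (in + 2 + len > pkt_len) return -1;         /* option runs past the packet */
        rsp[out] = type;
        rsp[out + 1] = (uint8_t)len;
        memcpy(rsp + out + 2, pkt + in + 2, len);      /* no check against sizeof(rsp) */
        out += 2 + len;
        in += 2 + len;
    }
    return (int)out;
}

/* Fixed: the same loop with the missing bounds check on the output buffer. */
static int build_conf_rsp_fixed(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t rsp[CONF_BUF_LEN];
    size_t in = 0, out = 0;
    while (in + 2 <= pkt_len) {
        uint8_t type = pkt[in];
        size_t len = pkt[in + 1];
        if (in + 2 + len > pkt_len) return -1;
        if (out + 2 + len > sizeof(rsp)) return -1;    /* would overflow the stack buffer */
        rsp[out] = type;
        rsp[out + 1] = (uint8_t)len;
        memcpy(rsp + out + 2, pkt + in + 2, len);
        out += 2 + len;
        in += 2 + len;
    }
    return (int)out;
}

/* Constructed input: n options of type CONF_OPT_QOS, each with a val_len-byte value.
 * Returns the packet length, or 0 if it would not fit in out[]. */
static size_t make_conf_pkt(uint8_t *out, size_t out_cap, size_t n, uint8_t val_len)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (pos + 2 + val_len > out_cap) return 0;
        out[pos] = CONF_OPT_QOS;
        out[pos + 1] = val_len;
        memset(out + pos + 2, 0x41, val_len);
        pos += 2 + val_len;
    }
    return pos;
}

/* Build a packet of n options and run the fixed handler on it. */
static int demo_fixed(size_t n, uint8_t val_len)
{
    uint8_t pkt[512];
    size_t pkt_len = make_conf_pkt(pkt, sizeof pkt, n, val_len);
    return pkt_len ? build_conf_rsp_fixed(pkt, pkt_len) : -1;
}

/* Same for the vulnerable handler; refuses packets that would actually smash the stack. */
static int demo_vuln(size_t n, uint8_t val_len)
{
    uint8_t pkt[512];
    size_t pkt_len = make_conf_pkt(pkt, sizeof pkt, n, val_len);
    if (!pkt_len || pkt_len > CONF_BUF_LEN) return -1;
    return build_conf_rsp_vuln(pkt, pkt_len);
}

int main(void)
{
    printf("2 x 20-byte options: vuln=%d fixed=%d\n", demo_vuln(2, 20), demo_fixed(2, 20));
    printf("4 x 20-byte options (88 bytes): fixed=%d (rejected; vuln would write 24 bytes past rsp)\n",
           demo_fixed(4, 20));
    return 0;
}
```

The point of the example is that the per-option check against the packet length is not enough: it keeps the read in bounds, while the write is bounded only by how many options the attacker packs into one packet. The fixed handler's extra comparison against sizeof(rsp) is the whole fix.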
2. Linux Bluetooth stack (BlueZ) Information Leak vulnerability – CVE-2017-1000250
This vulnerability is due to a mistake in the implementation of the fragmentation mechanism within Bluetooth's Service Discovery Protocol (SDP) on Linux systems. It allows an attacker to perform an out-of-bounds read of the SDP response buffer. BlueZ comprises two parts, one running in the kernel and the other in user space within the Bluetooth process; this flaw is in the user-space SDP server. Critical data that can be leaked includes the encryption keys used in Bluetooth communications.
3. Android Information Leak vulnerability – CVE-2017-0785
This vulnerability is due to a mistake in the implementation of the fragmentation mechanism within Bluetooth's Service Discovery Protocol (SDP) on Android systems. As with the vulnerability described above, it allows an attacker to perform an out-of-bounds read of the SDP response buffer. Data that can be leaked includes encryption keys, address-space layout information and pointers.
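The SDP fragmentation bug class behind items 2 and 3 above, as an added example that is not BlueZ's or Android's code. An SDP response too large for one PDU is sent in fragments, and the peer echoes back a continuation state carrying the offset of the next fragment; a handler that trusts that offset copies from beyond the cached response, which is how keys and pointers adjacent in memory leak. The struct layout, the adjacent link_key field and the function names are constructed for the example.

```c
/* Added example, not BlueZ's or Android's code: a simplified model of the bug
 * class in CVE-2017-1000250 and CVE-2017-0785. The vulnerable handler uses the
 * peer-supplied continuation offset without comparing it to the cached response
 * length; the fixed one rejects offsets past the response and clips the fragment.
 * Struct layout, link_key and function names are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SDP_RSP_CACHE 64
#define SDP_MAX_FRAG  16

struct sdp_session {
    uint8_t  rsp[SDP_RSP_CACHE];  /* cached response being handed out in fragments */
    uint16_t rsp_len;             /* valid bytes in rsp */
    uint8_t  link_key[16];        /* unrelated secret that happens to follow the cache */
};

/* continuation state as the peer sends it back: only the offset matters here */
struct sdp_cont_state { uint16_t offset; };

/* Vulnerable: trusts cont->offset. The demo views the session as raw bytes and
 * refuses to leave the object, so the over-read is well defined here; the real
 * bug had no such limit. */
static int sdp_next_frag_vuln(const struct sdp_session *s, const struct sdp_cont_state *cont,
                              uint8_t *out, size_t out_cap)
{
    size_t n = SDP_MAX_FRAG < out_cap ? SDP_MAX_FRAG : out_cap;
    const uint8_t *base = (const uint8_t *)s + offsetof(struct sdp_session, rsp);
    if ((size_t)cont->offset + n > sizeof(*s)) return -1;   /* demo guard only */
    memcpy(out, base + cont->offset, n);                     /* past rsp[] when offset >= rsp_len */
    return (int)n;
}

/* Fixed: the offset must lie inside the cached response; the fragment is clipped
 * to what remains of it. */
static int sdp_next_frag_fixed(const struct sdp_session *s, const struct sdp_cont_state *cont,
                               uint8_t *out, size_t out_cap)
{
    if (cont->offset >= s->rsp_len) return -1;              /* continuation past the response */
    size_t remain = s->rsp_len - cont->offset;
    size_t n = remain < SDP_MAX_FRAG ? remain : SDP_MAX_FRAG;
    if (n > out_cap) n = out_cap;
    memcpy(out, s->rsp + cont->offset, n);
    return (int)n;
}

/* Constructed session: 40 bytes of attribute data and a recognisable 16-byte key. */
static void make_session(struct sdp_session *s)
{
    memset(s, 0, sizeof *s);
    memset(s->rsp, 0x35, 40);
    s->rsp_len = 40;
    for (int i = 0; i < 16; i++) s->link_key[i] = (uint8_t)(0xA0 + i);
}

/* 1 if a continuation offset pointing at the bytes after the cache makes the
 * vulnerable handler return the link key, 0 otherwise. */
static int vuln_leaks_link_key(void)
{
    struct sdp_session s;
    struct sdp_cont_state c;
    uint8_t out[SDP_MAX_FRAG];
    make_session(&s);
    c.offset = (uint16_t)(offsetof(struct sdp_session, link_key) - offsetof(struct sdp_session, rsp));
    int n = sdp_next_frag_vuln(&s, &c, out, sizeof out);
    return n == 16 && memcmp(out, s.link_key, 16) == 0;
}

/* Result of the fixed handler for a given continuation offset: bytes copied or -1. */
static int fixed_result(uint16_t offset)
{
    struct sdp_session s;
    struct sdp_cont_state c = { offset };
    uint8_t out[SDP_MAX_FRAG];
    make_session(&s);
    return sdp_next_frag_fixed(&s, &c, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks link key: %s\n", vuln_leaks_link_key() ? "yes" : "no");
    printf("fixed handler: offset 0 -> %d, 32 -> %d, 40 -> %d, 66 -> %d\n",
           fixed_result(0), fixed_result(32), fixed_result(40), fixed_result(66));
    return 0;
}
```

The continuation state is data the peer returns to us, so it has to be validated like any other input; in practice stacks also bind it to the session (or encode a server-chosen opaque token) so a client cannot simply pick an offset.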
4. Android RCE vulnerability #1 – CVE-2017-0781
This is the first of two vulnerabilities found in the code path handling incoming Bluetooth Network Encapsulation Protocol (BNEP) control messages. It allows an attacker to use an arbitrarily sized packet to write 8 bytes past the end of a heap buffer of any chosen size.
Exploitation is made easier because the Bluetooth service in Android is immediately and automatically restarted by the Android Service Manager when it crashes, so a failed attempt can simply be repeated.
5. Android RCE vulnerability #2 – CVE-2017-0782
This is the second of two vulnerabilities in the same BNEP control-message handling code. It also causes a heap overflow; if the heap is groomed before the overflow is triggered, it can be turned into remote code execution.
As with the previous vulnerability, the automatic restart of the Bluetooth service after a crash lets the attacker retry until the heap layout is favourable.
6 & 7. The Bluetooth Pineapple in Android – Logical Flaw CVE-2017-0783 and the Bluetooth Pineapple in Windows – Logical Flaw CVE-2017-8628
A flaw in the Security Management Protocol within Bluetooth allows authentication to be bypassed and a short-term pairing established with an Android or Windows device. This gives an attacker access to higher-level services and profiles such as Personal Area Networking (PAN). Because the PAN profile only requires a low security level, an attacker can use it without any authorization to make the victim device treat the attacker as a new network interface, which causes the victim to send a DHCP request to the attacker. The attacker can then perform a MITM attack, much like the WiFi Pineapple, with no user interaction required.
8. Apple Low Energy Audio Protocol RCE vulnerability – CVE-2017-14315
This vulnerability was identified in a protocol created by Apple that operates on top of Bluetooth, known as the Low Energy Audio Protocol (LEAP). Insufficient validation of incoming LEAP traffic allows an attacker to trigger a heap overflow. Because the overflow can be triggered repeatedly, code execution can be achieved. Again, exploiting this vulnerability does not require any user interaction.
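The heap-overflow class behind items 4, 5 and 8 above, as an added example that is not Android's, Apple's or any Bluetooth stack's code. It models the shape of CVE-2017-0781: a control-message handler that sizes its heap allocation from the attacker's length field but then stores an 8-byte header in front of the payload, so exactly 8 bytes land past the end of a buffer whose size the attacker chose. Corrupting the real heap is undefined behaviour, so the example swaps the heap for a small arena that places an 8-byte redzone after each allocation and reports whether it survived; the message layout, the arena, BNEP_HDR and the function names are constructed for the example.

```c
/* Added example, not Android's or Apple's code: a simplified model of the 8-byte
 * heap overflow in CVE-2017-0781 and of the bug class shared with CVE-2017-0782
 * and CVE-2017-14315. The heap is replaced by an arena with an 8-byte 0xCC redzone
 * after every allocation so the overflow can be observed safely.
 * Message layout, arena, BNEP_HDR and function names are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define REDZONE    8
#define ARENA_SIZE 512
#define MAX_ALLOCS 16
#define BNEP_HDR   8       /* per-entry header the handler stores before the payload */

static uint8_t arena[ARENA_SIZE];
static size_t  arena_top, arena_nalloc;
static size_t  arena_rz[MAX_ALLOCS];   /* offset of each redzone placed so far */

static void arena_reset(void) { arena_top = 0; arena_nalloc = 0; }

/* Bump allocator: `size` bytes followed by an 8-byte 0xCC redzone; NULL if no room. */
static uint8_t *arena_alloc(size_t size)
{
    if (size > ARENA_SIZE - REDZONE || arena_top > ARENA_SIZE - REDZONE - size ||
        arena_nalloc >= MAX_ALLOCS)
        return NULL;
    uint8_t *p = arena + arena_top;
    memset(p + size, 0xCC, REDZONE);
    arena_rz[arena_nalloc++] = arena_top + size;
    arena_top += size + REDZONE;
    return p;
}

/* 1 if any redzone has been written over, i.e. some allocation was overflowed. */
static int arena_corrupted(void)
{
    for (size_t i = 0; i < arena_nalloc; i++)
        for (size_t j = 0; j < REDZONE; j++)
            if (arena[arena_rz[i] + j] != 0xCC) return 1;
    return 0;
}

/* Constructed control message: [type:1][len:2, little-endian][payload:len].
 * Returns the payload pointer and length, or NULL if len overruns the message. */
static const uint8_t *ctrl_payload(const uint8_t *msg, size_t msg_len, size_t *len)
{
    if (msg_len < 3) return NULL;
    *len = (size_t)msg[1] | ((size_t)msg[2] << 8);
    if (msg_len - 3 < *len) return NULL;
    return msg + 3;
}

/* Vulnerable: allocates len bytes, then writes BNEP_HDR + len: exactly 8 bytes too many. */
static int bnep_ctrl_vuln(const uint8_t *msg, size_t msg_len)
{
    size_t len;
    const uint8_t *pl = ctrl_payload(msg, msg_len, &len);
    if (!pl) return -1;
    uint8_t *entry = arena_alloc(len);          /* forgot to add BNEP_HDR */
    if (!entry) return -1;
    memset(entry, 0, BNEP_HDR);                 /* header */
    memcpy(entry + BNEP_HDR, pl, len);          /* tail of the payload hits the redzone */
    return (int)len;
}

/* Fixed: bound len first (so the addition cannot wrap), then allocate header + payload. */
static int bnep_ctrl_fixed(const uint8_t *msg, size_t msg_len)
{
    size_t len;
    const uint8_t *pl = ctrl_payload(msg, msg_len, &len);
    if (!pl) return -1;
    if (len > ARENA_SIZE - BNEP_HDR - REDZONE) return -1;
    uint8_t *entry = arena_alloc(BNEP_HDR + len);
    if (!entry) return -1;
    memset(entry, 0, BNEP_HDR);
    memcpy(entry + BNEP_HDR, pl, len);
    return (int)len;
}

/* Build a message carrying `len` payload bytes, feed it to `handler` on a fresh arena,
 * and report the arena state: 1 = a redzone was overwritten, 0 = intact, -1 = rejected. */
static int run_handler(int (*handler)(const uint8_t *, size_t), size_t len)
{
    uint8_t msg[3 + 256];
    if (len > 256) return -1;
    msg[0] = 0x05;                              /* control type byte, illustrative */
    msg[1] = (uint8_t)(len & 0xFF);
    msg[2] = (uint8_t)(len >> 8);
    memset(msg + 3, 0x41, len);
    arena_reset();
    if (handler(msg, 3 + len) < 0) return -1;
    return arena_corrupted();
}

/* A message that declares more payload than it carries must be rejected outright. */
static int truncated_result(void)
{
    uint8_t msg[13] = { 0x05, 100, 0 };         /* claims 100 bytes, carries 10 */
    arena_reset();
    return bnep_ctrl_fixed(msg, sizeof msg);
}

int main(void)
{
    printf("32-byte payload: vulnerable overflowed=%d, fixed overflowed=%d, truncated -> %d\n",
           run_handler(bnep_ctrl_vuln, 32), run_handler(bnep_ctrl_fixed, 32), truncated_result());
    return 0;
}
```

In the vulnerable handler the corrupted redzone is the demo's stand-in for a crash; on Android the crash restarts the Bluetooth service and the attacker sends the message again, which is why the fix has to bound the length before the allocation rather than rely on the crash to stop the attack. The same redzone idea is what AddressSanitizer uses to catch this bug class in testing.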
Current Protection Provided by Security Vendors
As is common with coordinated releases of this kind, patches are typically made available before the details are published. ProSOC notes that the following vendors have verified patches:
Microsoft:
The BlueBorne vulnerability affecting Windows (CVE-2017-8628) has been addressed in this month's security update (September 12, 2017):
https://support.microsoft.com/en-us/help/20170912/security-update-deployment-information-september-12-2017
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
Google (Android):
Google provided device manufacturers with a patch last month, and patches were made available to users of Google-branded phones in the September 2017 Android Security Bulletin:
https://source.android.com/security/bulletin/2017-09-01
Apple:
Only versions of Apple's iOS prior to iOS 10 are vulnerable; Apple already mitigated the vulnerability in iOS 10.
Recommendations and Summary
While mission-critical systems are unlikely to have Bluetooth enabled, the exploits tied to these vulnerabilities require no user or victim interaction and are therefore wormable: they could spread from device to device in the manner of WannaCry and the Shadow Brokers' exploits. Because Bluetooth traffic is typically not monitored in a corporate environment and can serve as a covert communications channel, this should be treated seriously.
We therefore strongly recommend disabling Bluetooth, or minimizing its use, on affected devices until an installed patch has been confirmed. Beyond that, releases like BlueBorne illustrate an important lesson: there are no invulnerable services, no invulnerable protocols and certainly no invulnerable implementations. It is therefore important to assess whether a given service or protocol is essential within an environment, and to disable or remove those that are not.