Posts

VULNERABILITY: New Bluetooth Hack Affects Millions of Devices from Major Vendors

A Bluetooth vulnerability tracked as CVE-2018-5383 has been found in Bluetooth implementations; it could allow an unauthenticated, remote attacker in physical proximity of targeted devices to intercept, monitor or manipulate the traffic they exchange. The vulnerability affects firmware or operating system software drivers from major vendors including Apple, Broadcom, Intel and Qualcomm, while the implications of the bug for Google, Android and Linux are still unknown. Microsoft products are not vulnerable.

The vulnerability is related to two Bluetooth features – BR/EDR implementations of Secure Simple Pairing in device firmware and Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software.

Apple and Intel have already released patches for this vulnerability. Broadcom claims to have already made fixes available to its OEM customers, who are responsible for delivering them to end users for products supporting Bluetooth 2.1 or newer. Qualcomm has not released any statement regarding the vulnerability.

“Currently there is no evidence of the bug being exploited maliciously, and it is not aware of any devices implementing the attack being developed, including by the researchers who identified the vulnerability” – as stated by the Bluetooth SIG. It should also be noted that, in order to carry out an attack, the attacker would have to be in range of both targeted devices during the pairing process, and both devices would need to be vulnerable to the attack.

Proficio Threat Intelligence Recommendations:

  • Check with the device vendor for the availability of software and firmware updates
  • Ensure that all software and firmware are updated to the latest version


Proficio Observes New Bluetooth Vulnerabilities

Proficio has observed several open sources of intelligence that have detailed the release of multiple critical vulnerabilities for Bluetooth and an attack vector utilizing those vulnerabilities known as “BlueBorne.” Here are the details we have gathered so far.

BlueBorne Summary

Multiple news outlets have reported the discovery of several important vulnerabilities in both the design and implementation of the Bluetooth communication protocol. These vulnerabilities are notable for both their unusual reach and effectiveness since, according to sources, unpatched devices can be compromised by attacking devices within 32 feet, with the only requirement being that Bluetooth is turned on. The vulnerabilities are further magnified by Bluetooth being the leading and most widely used protocol for short-range connectivity and communications. They can be used by attackers to run malicious code on vulnerable devices as well as to perform Man-in-the-Middle (MITM) attacks.

Technical Details

Eight fully operational and exploitable vulnerabilities have been identified and disclosed at this time.

1. Linux kernel RCE vulnerability – CVE-2017-1000251

This vulnerability allows an attacker to overflow a 64-byte buffer on the kernel stack with an unbounded amount of data. While a stack overflow does not automatically translate into code execution, given the mitigation techniques present on modern operating systems, most devices running Linux today lack such mitigations as stack canaries and Kernel Address Space Layout Randomization (KASLR).

2. Linux Bluetooth stack (BlueZ) information leak vulnerability – CVE-2017-1000250

This vulnerability is due to a mistake in the implementation of the fragmentation mechanism within Bluetooth’s Service Discovery Protocol (SDP) on Linux systems. It allows an attacker to perform an out-of-bounds read from the response buffer of an SDP server. BlueZ comprises two parts, one running in the kernel and the other in user space within the Bluetooth process. Examples of the critical data that can be leaked include encryption keys used in Bluetooth communications.

3. Android information leak vulnerability – CVE-2017-0785

This vulnerability is due to a mistake in the implementation of the fragmentation mechanism within Bluetooth’s Service Discovery Protocol (SDP) on Android systems. As with the vulnerability described above, it allows an attacker to perform an out-of-bounds read from the response buffer of an SDP server. Data that can then be leaked includes encryption keys, address-space layout information and pointers.

4. Android RCE vulnerability #1 – CVE-2017-0781

This is the first of two vulnerabilities found in the code path handling incoming Bluetooth Network Encapsulation Protocol (BNEP) control messages. It allows an attacker to use an arbitrarily sized packet to overflow 8 bytes on the heap following a buffer of any chosen size.

Exploitation is made easier because the Bluetooth service in Android is immediately and automatically restarted by the Android Service Manager when it crashes.

5. Android RCE vulnerability #2 – CVE-2017-0782

This is the second of two vulnerabilities found in the code path handling incoming Bluetooth Network Encapsulation Protocol (BNEP) control messages. It allows an attacker to create a heap spray and achieve remote code execution if the heap is groomed prior to the overflow. As with the previous vulnerability, exploitation is made easier because the Bluetooth service in Android is automatically restarted by the Android Service Manager when it crashes.

6 & 7. The Bluetooth Pineapple in Android (logical flaw, CVE-2017-0783) and the Bluetooth Pineapple in Windows (logical flaw, CVE-2017-8628)

The Security Management Protocol within Bluetooth allows the bypass of authentication and short-term pairing with an Android or Windows device. This gives an attacker access to higher-level services and profiles such as PAN. Due to the low security level required, an attacker can leverage the capabilities of the PAN profile without any authorization, forcing the victim device to treat the attacker as a new network interface and to issue a DHCP request. This allows the attacker to perform a MITM attack much like the WiFi Pineapple, with no user interaction required.

8. Apple Low Energy Audio Protocol RCE vulnerability – CVE-2017-14315

This vulnerability was identified within a protocol created by Apple operating on top of Bluetooth, known as Low Energy Audio Protocol (LEAP). Insufficient validation allows an attacker to achieve a heap overflow. As this can be triggered multiple times, code execution can be achieved. Again, an attack on this vulnerability does not require any user interaction.

Current Protection Provided by Security Vendors

As is common with such releases, patches are typically made available before the information is published. ProSOC notes that the following vendors have verified patches:

Microsoft:

All vulnerabilities identified in BlueBorne have been addressed and patched in this month’s security update:
https://support.microsoft.com/en-us/help/20170912/security-update-deployment-information-september-12-2017
https://portal.msrc.microsoft.com/en-us/security-guidance/summary

Google (Android):

Google provided device manufacturers with a patch last month, and the patches were made available to users of Google-branded phones:
https://source.android.com/security/bulletin/2017-09-01

Apple:

Only iOS versions prior to 10 are vulnerable; the issue was already mitigated by Apple in iOS 10.
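As an added illustration (not Proficio’s code or tooling), the following Python triage maps a constructed device inventory to the BlueBorne CVEs listed in the Technical Details section and applies the patch baselines stated above (Android 2017-09-01 bulletin, Microsoft 2017-09-12 update, iOS 10). The inventory records, their field names and the Linux `vendor_fix_confirmed` flag are assumptions; the page gives no Linux fix version, so Linux hosts are flagged unknown unless the vendor fix is confirmed.

```python
from datetime import date

# CVEs per platform, as listed in the Technical Details section of the page.
BLUEBORNE_CVES = {
    "linux": ("CVE-2017-1000251", "CVE-2017-1000250"),
    "android": ("CVE-2017-0785", "CVE-2017-0781", "CVE-2017-0782", "CVE-2017-0783"),
    "windows": ("CVE-2017-8628",),
    "ios": ("CVE-2017-14315",),
}


def is_patched(device):
    """True/False from the page's patch baselines; None when the page gives none."""
    plat = device["platform"]
    if plat == "android":   # Android security bulletin 2017-09-01
        return device["patch_level"] >= date(2017, 9, 1)
    if plat == "windows":   # Microsoft security update of 2017-09-12
        return device["last_update"] >= date(2017, 9, 12)
    if plat == "ios":       # only iOS versions before 10 are vulnerable
        return int(device["version"].split(".")[0]) >= 10
    if plat == "linux":     # no fix version on the page: assumed vendor-confirmation flag
        return device.get("vendor_fix_confirmed")
    raise ValueError(f"unsupported platform: {plat}")


def triage_device(device):
    """Return (name, applicable CVEs, recommended action) for one inventory record."""
    cves = BLUEBORNE_CVES[device["platform"]]
    if not device["bluetooth_enabled"]:
        return device["name"], cves, "not exposed (Bluetooth off); patch before re-enabling"
    patched = is_patched(device)
    if patched is True:
        return device["name"], cves, "patched"
    if patched is None:
        return device["name"], cves, "unknown: confirm fix with vendor; disable Bluetooth meanwhile"
    return device["name"], cves, "EXPOSED: disable Bluetooth until patched"


def triage(inventory):
    return [triage_device(d) for d in inventory]


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    {"name": "phone-01", "platform": "android", "bluetooth_enabled": True, "patch_level": date(2017, 8, 5)},
    {"name": "phone-02", "platform": "android", "bluetooth_enabled": True, "patch_level": date(2017, 9, 5)},
    {"name": "laptop-01", "platform": "windows", "bluetooth_enabled": True, "last_update": date(2017, 9, 12)},
    {"name": "tablet-01", "platform": "ios", "bluetooth_enabled": True, "version": "9.3.5"},
    {"name": "sensor-01", "platform": "linux", "bluetooth_enabled": True},
    {"name": "kiosk-01", "platform": "linux", "bluetooth_enabled": False},
]

if __name__ == "__main__":
    for name, cves, action in triage(SAMPLE_INVENTORY):
        print(f"{name:10} {action:60} {', '.join(cves)}")
```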

Recommendations and Summary

While it is unlikely that mission-critical systems are Bluetooth enabled, the vulnerabilities and the exploits tied to them require no user or victim interaction and are therefore wormable. This means such vulnerabilities can be exploited much like WannaCry used the Shadow Brokers’ exploits. Given that Bluetooth communications are typically not monitored within a corporate environment, and given Bluetooth’s nature as a covert communications channel, this should be treated seriously.

As such, we strongly recommend disabling or minimizing the use of Bluetooth on affected Bluetooth-enabled devices until an installed patch has been confirmed. Beyond that, vulnerability releases like BlueBorne illustrate a very important lesson: there are no invulnerable services, no invulnerable protocols and certainly no invulnerable implementations. It is therefore important to assess whether services or protocols are essential within a given environment; those that are not should be disabled or removed.