BleedingTooth - Kernel Bluetooth vulnerabilities - CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490

Status: Ongoing
Impact: Important


Executive summary

Red Hat is responding to three flaws (CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490) in the Linux kernel. Two of them, CVE-2020-12351 and CVE-2020-12352, affect Red Hat Enterprise Linux. These flaws allow a remote attacker within Bluetooth range to crash the system, execute arbitrary code, or leak small portions of stack memory from the system. Red Hat customers running affected versions are advised to apply mitigations and updates when available. Red Hat also recommends updating to the most recent images and latest versions of container host systems.

The first issue has been assigned CVE-2020-12351 and rated with a severity impact of Important.

The second issue has been assigned CVE-2020-12352 and rated with a severity impact of Moderate.

The following Red Hat product versions are impacted:

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7

Red Hat is also aware of a third vulnerability, CVE-2020-24490, which does not impact any of our released products.
To determine if your system is currently vulnerable to these flaws, see the Diagnose section below. Additionally, an Ansible playbook for automatic remediation is provided below.

Technical summary

These issues affect Red Hat Enterprise Linux 7 and 8 in their default configurations when Bluetooth hardware is present and Bluetooth functionality is enabled on the system. An unauthenticated attacker in range to communicate over Bluetooth and with the knowledge of the system’s MAC (Media Access Control) address can exploit these flaws to execute arbitrary code with kernel privileges on the system as demonstrated by the researcher.

For Red Hat Atomic Host or Red Hat OpenShift Container Platform deployments, both virtual and physical hosts in a production environment should not have Bluetooth hardware present or enabled.

Mitigation

To mitigate these vulnerabilities at the operating system level, disable Bluetooth functionality by blocklisting the Bluetooth kernel modules. The modules can be prevented from loading with system-wide modprobe rules. Instructions on how to disable the Bluetooth modules are available on the Customer Portal.

Alternatively, Bluetooth can be disabled in hardware or at the BIOS level, which is also an effective mitigation because the kernel will then not detect any Bluetooth hardware on the system.

Remediation

Red Hat recommends that all customers update to the new kernel packages as they become available.

Technical details

CVE-2020-12351

A flaw was found in the way the Linux kernel’s Bluetooth implementation handled L2CAP (Logical Link Control and Adaptation Protocol) packets with A2MP (Alternate MAC-PHY Manager Protocol) CID (Channel Identifier). A remote attacker in an adjacent range could use this flaw to crash the system causing denial of service or potentially execute arbitrary code on the system by sending a specially crafted L2CAP packet.

CVE-2020-12352

An information leak flaw was found in the way the Linux kernel's Bluetooth stack implementation initialized stack memory when processing certain AMP (Alternate MAC-PHY Manager Protocol) packets. A remote attacker in an adjacent range could use this flaw to leak small portions of stack memory on the system by sending specially crafted AMP packets.

CVE-2020-24490

A heap buffer overflow flaw was found in the way the Linux kernel’s Bluetooth implementation processed extended advertising report events. A remote attacker in an adjacent range could use this flaw to crash the system causing denial of service or potentially execute arbitrary code on the system by sending a specially crafted Bluetooth packet.
This issue is rated as having Moderate impact because the system needs to be actively scanning while the attacker is sending the advertisements in order to be exploited.

This issue does not impact any released Red Hat products.

Product impact

Affected Red Hat products by CVE

Red Hat Enterprise Linux 8
  • CVE-2020-12351 (Important): Affected - will fix all active streams
  • CVE-2020-12352 (Moderate): Affected - will fix all active streams
  • CVE-2020-24490 (Moderate): Not affected

Red Hat Enterprise Linux 7
  • CVE-2020-12351 (Important): Affected - will fix all active streams, except for Red Hat Enterprise Linux 7.2 and 7.3, which are not affected
  • CVE-2020-12352 (Moderate): Affected - will fix all active streams
  • CVE-2020-24490 (Moderate): Not affected


Updates for affected products

Customers running affected versions of these Red Hat products are strongly recommended to apply mitigations and updates when available.

Product - Package - Advisory/Update

  • Red Hat Enterprise Linux 8 - kernel - RHSA-2020:4286
  • Red Hat Enterprise Linux 8 - kernel-rt - RHSA-2020:4289
  • Red Hat Enterprise Linux 8.1.0 Extended Update Support - kernel - RHSA-2020:4287
  • Red Hat Enterprise Linux 8.0.0 Update Services for SAP Solutions [4] - kernel - RHSA-2020:4288
  • Red Hat Enterprise Linux 7 - kernel - RHSA-2020:4276
  • Red Hat Enterprise Linux 7 - kernel-rt - RHSA-2020:4280
  • Red Hat Enterprise Linux 7.7 Extended Update Support [2] - kernel - RHSA-2020:4277
  • Red Hat Enterprise Linux 7.6 Extended Update Support [2] - kernel - RHSA-2020:4281
  • Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions, Advanced Update Support [3][4] - kernel - RHSA-2020:4278
  • Red Hat Enterprise Linux 7.3 Advanced Update Support [3][5] - kernel - Update pending [1]
  • Red Hat Enterprise Linux 7.2 Advanced Update Support [3][5] - kernel - Update pending [1]

[1] Advisory/Update link will be added once updates are live.
[2] What is the Red Hat Enterprise Linux Extended Update Support (EUS) Subscription?
[3] What is Advanced mission critical Update Support (AUS)?
[4] What is the Red Hat Enterprise Linux SAP Solutions subscription?
[5] This product is only affected by CVE-2020-12352.

Diagnose

A vulnerability detection script has been developed to determine if your system is currently vulnerable to these flaws. To verify the authenticity of the script, you can also download the detached GPG signature. Instructions on how to use a GPG signature for verification are available on the Customer Portal.

Script: Determine if your system is vulnerable (current version: 1.0)

Ansible Playbook

Additionally, an Ansible playbook is provided below. This playbook disables the Bluetooth kernel modules. To use the playbook, specify the hosts you'd like to update with the HOSTS extra var:

   ansible-playbook -e HOSTS=web,ns1,mail cve-2020-12351_blacklist_mitigate--2020-10-15-2223.yml

To verify the authenticity of the playbook, you can also download the detached GPG signature. Instructions on how to use a GPG signature for verification are available on the Customer Portal.

Playbook: Automate the mitigation (current version: 1.0)


FAQ

Q: How can I check if my system has Bluetooth enabled?
A: We have provided an Ansible playbook and a detection script which can be used to detect whether your system(s) have Bluetooth enabled. An alternative is using the lsmod command to confirm whether the kernel has detected Bluetooth hardware and loaded the modules. Example output, searching for loaded bnep, btusb, or bluetooth kernel modules:

   $ lsmod | egrep 'bnep|bluetooth|btusb'
   bnep                   23721  2
   btusb                  41449  0
   btrtl                  12945  1 btusb
   btbcm                  14040  1 btusb
   btintel                15709  1 btusb
   bluetooth             548688  49 bnep,btbcm,btrtl,btusb,rfcomm,btintel
   rfkill                 22391  8 cfg80211,thinkpad_acpi,bluetooth
   $
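As an added example (not Red Hat's detection script or its Ansible playbook), the following shell script combines the lsmod check from this FAQ answer with the modprobe blocklisting described in the Mitigation section above. The module list (bluetooth, btusb, bnep, rfcomm, btintel, btbcm, btrtl), the file name /etc/modprobe.d/disable-bluetooth.conf and the lsmod sample embedded in the script are assumptions constructed for illustration, not values taken from the advisory.

```shell
#!/bin/bash
# Added example: report whether the Bluetooth kernel modules are loaded and
# write a modprobe blocklist so they cannot be loaded again. Not Red Hat's
# detection script or playbook; module list and file name are assumptions.

# Core Bluetooth module plus the transport/helper modules seen in the FAQ output.
BT_MODULES="bluetooth btusb bnep rfcomm btintel btbcm btrtl"

# Constructed lsmod-style sample (not captured from a real host), used by "demo".
SAMPLE_LSMOD='Module                  Size  Used by
bnep                   23721  2
btusb                  41449  0
bluetooth             548688  49 bnep,btusb
rfkill                 22391  8 cfg80211,bluetooth
ext4                  579584  1'

# Read lsmod output on stdin; print the Bluetooth modules present, sorted.
# The "Module" header line is skipped so pre-filtered output also works.
bt_loaded_modules() {
    awk -v mods="$BT_MODULES" '
        BEGIN { n = split(mods, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 != "Module" && ($1 in want) { print $1 }
    ' | sort
}

# Exit 0 if any Bluetooth module appears in the lsmod output on stdin.
bt_is_enabled() {
    [ -n "$(bt_loaded_modules)" ]
}

# Write modprobe rules into DIR (default /etc/modprobe.d) and print the path.
# "install MOD /bin/true" is used instead of "blacklist MOD": blacklist only
# stops alias-based autoloading, while the install override also defeats an
# explicit modprobe and dependency loads.
write_bt_blocklist() {
    dir="${1:-/etc/modprobe.d}"
    conf="$dir/disable-bluetooth.conf"   # file name is an assumption
    {
        echo "# Bluetooth disabled as a BleedingTooth mitigation"
        for m in $BT_MODULES; do
            echo "install $m /bin/true"
        done
    } > "$conf"
    echo "$conf"
}

# Remove loaded Bluetooth modules from the running kernel (root required).
# Dependants go first, the core bluetooth module last.
unload_bt_modules() {
    for m in bnep rfcomm btusb btintel btbcm btrtl bluetooth; do
        if lsmod | bt_loaded_modules | grep -qx "$m"; then
            modprobe -r "$m" || return 1
        fi
    done
}

main() {
    case "${1:-}" in
        check)
            if lsmod | bt_is_enabled; then
                echo "Bluetooth modules loaded:"
                lsmod | bt_loaded_modules
                return 2
            fi
            echo "No Bluetooth modules loaded"
            ;;
        apply)
            write_bt_blocklist && unload_bt_modules
            ;;
        demo)
            printf '%s\n' "$SAMPLE_LSMOD" | bt_loaded_modules
            ;;
        *)
            echo "usage: $0 check|apply|demo" >&2
            ;;
    esac
}

main "$@"
```

`check` lists the loaded Bluetooth modules and exits with status 2 when any is present, so it can feed a monitoring job; `apply` writes the blocklist and then unloads the modules from the running kernel, which is why no reboot is needed, as the next FAQ answer states; `demo` runs the parser over the constructed sample. If the Bluetooth modules are packed into the initramfs on a given system, regenerate it after writing the file so the rule also holds at boot.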

Q: Do I need to reboot after applying mitigations?
A: A reboot is not required if you are able to remove the Bluetooth kernel modules from the running system. For more information, refer to the How to disable Bluetooth modules instructions available on the Customer Portal.

Q: How are containers impacted?
A: Bluetooth should not be enabled on container host environments. While this issue does not directly impact Red Hat Enterprise Linux-based containers, their security relies upon the integrity of the host kernel environment. Red Hat recommends updating to the most recent images and latest version of container host systems. To protect the integrity of the containers in use, customers will need to apply and deploy the updates to the container host (such as Red Hat Enterprise Linux or Atomic Host).

Acknowledgements

Red Hat thanks Intel and Andy Nguyen (Google) for reporting these vulnerabilities. Red Hat also thanks its industry partners and the Linux community for their collaboration on this issue.

References

How to use GPG to verify signed content from Product Security
How to disable Bluetooth modules
