Red Hat is responding to three flaws (CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490) in the Linux kernel's Bluetooth stack. Two of those CVEs, CVE-2020-12351 and CVE-2020-12352, impact Red Hat Enterprise Linux. These flaws allow a remote attacker within Bluetooth range to crash the system, execute arbitrary code, or leak small portions of kernel stack memory. Red Hat customers using affected versions are recommended to apply mitigations now and updates when available. Red Hat also recommends updating to the most recent images and latest versions of container host systems.
The following Red Hat product versions are impacted:
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 7
Red Hat is also aware of a third vulnerability, CVE-2020-24490, which does not impact any of our released products.
To determine if your system is currently vulnerable to these flaws, see the Diagnose section below. Additionally, an Ansible playbook for automatic remediation is provided below.
These issues affect Red Hat Enterprise Linux 7 and 8 in their default configurations when Bluetooth hardware is present and Bluetooth functionality is enabled on the system. An unauthenticated attacker within Bluetooth range who knows the system's Bluetooth MAC (Media Access Control) address can exploit these flaws to execute arbitrary code with kernel privileges, as demonstrated by the researcher. No pairing or user interaction is described as necessary.
For Red Hat Atomic Host or Red Hat OpenShift Container Platform deployments, both virtual and physical hosts in a production environment should not have Bluetooth hardware present or enabled.
To mitigate these vulnerabilities at the operating system level, disable Bluetooth functionality by blocklisting the Bluetooth kernel modules. The modules can be prevented from loading with system-wide modprobe rules under /etc/modprobe.d/. Instructions on how to disable Bluetooth modules are available on the Customer Portal.
Alternatively, Bluetooth can be disabled within the hardware or at BIOS level which will also provide an effective mitigation as the kernel will not be able to detect that Bluetooth hardware is present on the system.
Red Hat recommends all customers to update to new kernel packages as they become available.
CVE-2020-12351: A flaw was found in the way the Linux kernel's Bluetooth implementation handled L2CAP (Logical Link Control and Adaptation Protocol) packets with the A2MP (AMP Manager Protocol) CID (Channel Identifier). A remote attacker in adjacent range could use this flaw to crash the system, causing denial of service, or potentially execute arbitrary code on the system by sending a specially crafted L2CAP packet.
CVE-2020-12352: An information leak flaw was found in the way the Linux kernel's Bluetooth stack handled initialization of stack memory when processing certain AMP (Alternate MAC/PHY) manager protocol (A2MP) packets. A remote attacker in adjacent range could use this flaw to leak small portions of kernel stack memory by sending specially crafted A2MP packets.
CVE-2020-24490: A heap buffer overflow flaw was found in the way the Linux kernel's Bluetooth implementation processed extended advertising report events. A remote attacker in adjacent range could use this flaw to crash the system, causing denial of service, or potentially execute arbitrary code on the system by sending a specially crafted Bluetooth advertising packet.
This issue is rated as having Moderate impact because the system needs to be actively scanning while the attacker is sending the advertisements in order to be exploited.
This issue does not impact any released Red Hat products, as their kernels do not include the affected extended advertising code.
Affected Red Hat products by CVE
| Product | CVE-2020-12351 | CVE-2020-12352 | CVE-2020-24490 |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | Affected - will fix all active streams | Affected - will fix all active streams | Not affected |
| Red Hat Enterprise Linux 7 | Affected - will fix all active streams, except Red Hat Enterprise Linux 7.2 and 7.3, which are not affected | Affected - will fix all active streams | Not affected |
Updates for affected products
Customers running affected versions of these Red Hat products are strongly recommended to apply mitigations and updates when available.
| Product | Package | Advisory/Update |
|---|---|---|
| Red Hat Enterprise Linux 8 | kernel | RHSA-2020:4286 |
| Red Hat Enterprise Linux 8 | kernel-rt | RHSA-2020:4289 |
| Red Hat Enterprise Linux 8.1.0 Extended Update Support [2] | kernel | RHSA-2020:4287 |
| Red Hat Enterprise Linux 8.0.0 Update Services for SAP Solutions [4] | kernel | RHSA-2020:4288 |
| Red Hat Enterprise Linux 7 | kernel | RHSA-2020:4276 |
| Red Hat Enterprise Linux 7 | kernel-rt | RHSA-2020:4280 |
| Red Hat Enterprise Linux 7.7 Extended Update Support [2] | kernel | RHSA-2020:4277 |
| Red Hat Enterprise Linux 7.6 Extended Update Support [2] | kernel | RHSA-2020:4281 |
| Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions, Advanced Update Support [3][4] | kernel | RHSA-2020:4278 |
| Red Hat Enterprise Linux 7.3 Advanced Update Support [3][5] | kernel | Update pending [1] |
| Red Hat Enterprise Linux 7.2 Advanced Update Support [3][5] | kernel | Update pending [1] |
[1] Advisory/Update link will be added once updates are live.
[2] What is the Red Hat Enterprise Linux Extended Update Support (EUS) Subscription?
[3] What is Advanced mission critical Update Support (AUS)?
[4] What is the Red Hat Enterprise Linux SAP Solutions subscription?
[5] This product is only affected by CVE-2020-12352.
A vulnerability detection script has been developed to determine if your system is currently vulnerable to this flaw. To verify the authenticity of the script, you can download the detached GPG signature as well. Instructions on how to use GPG signature for verification are available on the Customer Portal.
Additionally, an Ansible playbook is provided below. This playbook disables the Bluetooth kernel modules by installing blocklist rules. To use the playbook, specify the hosts you would like to update with the HOSTS extra var:
ansible-playbook -e HOSTS=web,ns1,mail cve-2020-12351_blacklist_mitigate--2020-10-15-2223.yml
Q: How can I check if my system has Bluetooth enabled?
A: We have provided an Ansible playbook and a detection script which can be used to detect whether your system(s) have Bluetooth enabled. An alternative is to use the lsmod command to confirm whether the kernel has detected Bluetooth hardware and loaded the modules. Example output, searching for the presence of the bnep, btusb, or bluetooth kernel modules, is:
$ lsmod | egrep 'bnep|bluetooth|btusb'
bnep 23721 2
btusb 41449 0
btrtl 12945 1 btusb
btbcm 14040 1 btusb
btintel 15709 1 btusb
bluetooth 548688 49 bnep,btbcm,btrtl,btusb,rfcomm,btintel
rfkill 22391 8 cfg80211,thinkpad_acpi,bluetooth
Q: Do I need to reboot after applying mitigations?
A: Reboot is not required if you are able to remove the Bluetooth kernel modules from the running system. For more information refer to How to disable Bluetooth modules instructions that are available on the Customer Portal.
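The following POSIX shell script is an added example, not Red Hat's detection script or Ansible playbook. It ties the three steps above together: it parses lsmod output for the Bluetooth modules shown in the lsmod listing above, writes a modprobe.d blocklist fragment, and unloads the loaded modules dependents-first so that no reboot is needed when unloading succeeds. The fragment path /etc/modprobe.d/disable-bluetooth.conf and the --check/--apply options are assumptions of this example; the script must be run as root to apply the mitigation.

```shell
#!/bin/sh
# Added example (not Red Hat's script or playbook). Assumes a RHEL 7/8 host with
# the stock lsmod, modprobe and systemctl; run as root for --apply.
set -u

# Bluetooth-related modules as they appear in the lsmod output above, listed
# dependents first (bnep/rfcomm use bluetooth; btusb uses btintel/btbcm/btrtl),
# which is the order "modprobe -r" needs to unload them without "in use" errors.
BT_MODULES="bnep rfcomm btusb btintel btbcm btrtl bluetooth"

# Hypothetical fragment path; any *.conf under /etc/modprobe.d works.
BLOCKLIST_CONF=/etc/modprobe.d/disable-bluetooth.conf

# bt_loaded_modules: read lsmod output on stdin, print the BT_MODULES names
# that are loaded, in the order lsmod lists them. The header line is skipped.
bt_loaded_modules() {
    awk -v want="$BT_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        $1 != "Module" && ($1 in wanted) { print $1 }'
}

# bt_unload_order: read lsmod output on stdin, print the loaded Bluetooth
# modules in BT_MODULES order (dependents first) for modprobe -r.
bt_unload_order() {
    loaded=" $(bt_loaded_modules | tr '\n' ' ')"
    for m in $BT_MODULES; do
        case "$loaded" in *" $m "*) echo "$m" ;; esac
    done
}

# modprobe_blocklist_config: print the modprobe.d fragment. "blacklist" alone
# only stops alias-based autoloading (e.g. on USB hotplug); the
# "install <mod> /bin/false" line also defeats an explicit "modprobe bluetooth"
# and dependency pull-ins, so both lines are emitted for every module.
modprobe_blocklist_config() {
    for m in $BT_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# check: report loaded Bluetooth modules; exit status 1 if any are present.
check() {
    found=$(lsmod | bt_loaded_modules | tr '\n' ' ')
    if [ -n "$found" ]; then
        echo "Bluetooth modules loaded: $found"
        return 1
    fi
    echo "No Bluetooth modules loaded"
}

# apply: write the blocklist, stop bluetoothd (it holds HCI sockets that keep
# the bluetooth module busy), unload the modules, and re-check. If a module
# cannot be unloaded, the blocklist still takes effect after a reboot.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 2; }
    modprobe_blocklist_config > "$BLOCKLIST_CONF"
    systemctl stop bluetooth.service 2>/dev/null || true
    for m in $(lsmod | bt_unload_order); do
        modprobe -r "$m" || echo "could not unload $m; reboot to complete the mitigation" >&2
    done
    check
}

case "${1:-}" in
    --check) check ;;
    --apply) apply ;;
esac
```

Run with --check before and after applying; the exit status makes it usable from a fleet-wide job. The `install ... /bin/false` override is the part most often left out of hand-written blocklists, and without it a later `modprobe bluetooth` (or a module that depends on it) still loads the code the advisory says to keep out of the kernel.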
Q: How are containers impacted?
A: Bluetooth should not be enabled on container host environments. While this issue does not directly impact Red Hat Enterprise Linux-based containers, their security relies upon the integrity of the host kernel environment. Red Hat recommends updating to the most recent images and latest version of container host-systems. To protect the integrity of the containers in use, customers will need to apply and deploy the updates to the container host (such as Red Hat Enterprise Linux or Atomic Host).
Red Hat thanks Intel and Andy Nguyen (Google) for reporting these vulnerabilities. Red Hat also thanks its industry partners and the Linux community for their collaboration on this issue.