Google and Intel Warn of High-Severity Bluetooth Security Bug In Linux
An anonymous reader quotes a report from Ars Technica: Google and Intel are warning of a high-severity Bluetooth flaw in all but the most recent version of the Linux Kernel. While a Google researcher said the bug allows seamless code execution by attackers within Bluetooth range, Intel is characterizing the flaw as providing an escalation of privileges or the disclosure of information. The flaw resides in BlueZ, the software stack that by default implements all Bluetooth core protocols and layers for Linux. Besides Linux laptops, it's used in many consumer or industrial Internet-of-things devices. It works with Linux versions 2.4.6 and later. So far, little is known about BleedingTooth, the name given by Google engineer Andy Nguyen, who said that a blog post will be published "soon." A Twitter thread and a YouTube video provide the most detail and give the impression that the bug provides a reliable way for nearby attackers to execute malicious code of their choice on vulnerable Linux devices that use BlueZ for Bluetooth. Intel, meanwhile, has issued this bare-bones advisory that categorizes the flaw as privilege-escalation or information-disclosure vulnerability. The advisory assigned a severity score of 8.3 out of a possible 10 to CVE-2020-12351, one of three distinct bugs that comprise BleedingTooth. "Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure," the advisory states. "BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities." Intel, which is a primary contributor to the BlueZ open source project, said that the most effective way to patch the vulnerabilities is to update to Linux kernel version 5.9, which was published on Sunday. Those who can't upgrade to version 5.9 can install a series of kernel patches the advisory links to. Maintainers of BlueZ didn't immediately respond to emails asking for additional details about this vulnerability. Ars Technica points out that since BleedingTooth requires proximity to a vulnerable device, there's not much reason for people to worry about this vulnerability. "It also requires highly specialized knowledge and works on only a tiny fraction of the world's Bluetooth devices," it adds.
from Slashdot https://ift.tt/3k0EeKo
Read more of this story at Slashdot.
from Slashdot https://ift.tt/3k0EeKo
Related Posts :
Peter Thiel Claims Zuckerberg Agreed To Push 'State-Sanctioned Conservatism' Under Trump Deal- Twitter To Pay $809.5 Million To Settle 2016 Lawsuit Over Growth Projections
- Facebook Warned Over 'Very Small' Indicator LED On Smart Glasses
- Linux Foundation Survey Shows Companies Desperate To Hire Open-Source Talent
- Kids 5-11 Appear Safely Protected By Small Doses of COVID Vaccine, Pfizer Says
0 Response to "Google and Intel Warn of High-Severity Bluetooth Security Bug In Linux"
Post a Comment