Zero-Click Kernel Bug in Linux-Based IoT Devices
There is a high-severity flaw in BlueZ, the Bluetooth protocol stack used by Linux-based internet of things (IoT) devices. According to Google, the vulnerability affects Linux kernel versions older than 5.9 that support BlueZ. BlueZ is an open-source project distributed under the GNU General Public License; its kernel component has been part of the official Linux kernel since version 2.4.6.
Google is calling the flaw BleedingTooth. BleedingTooth can be exploited in a zero-click attack via specially crafted input by a local, unauthenticated attacker, which could allow escalated privileges on affected devices. A remote attacker within short range can send a malicious Logical Link Control and Adaptation Protocol (L2CAP) packet and cause a denial of service or arbitrary code execution with kernel privileges. According to Google, malicious Bluetooth chips can also trigger the vulnerability.
The flaw stems from a heap-based type confusion in l2cap_core.c. A type-confusion vulnerability treats an object in memory as a different type than it actually is; the resulting out-of-bounds memory access can cause crashes or code execution that an attacker can exploit. In this case, the root cause is insufficient input validation in the BlueZ implementation of the affected Linux kernels.
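To make the bug class concrete, here is an added, self-contained C illustration of heap type confusion caused by a peer-controlled type tag. It is not BlueZ code and does not reproduce the l2cap_core.c bug: the object kinds, header layout, message format and the 64-byte arena standing in for the kernel heap are all invented for this example. It shows the vulnerable pattern (the handler picks the object's layout from what the peer claims) beside the hardened one (the layout comes from the object's own header, the claim must match, and the copy length is bounded), and measures how many bytes the unchecked handler writes past the allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of heap type confusion; the object layouts and
 * message format are invented for this example and are not BlueZ's. */
enum obj_kind { KIND_SMALL = 1, KIND_LARGE = 2 };

struct obj_hdr   { uint32_t kind; uint32_t id; };      /* shared by both kinds */
struct obj_small { struct obj_hdr hdr; };              /* 8 bytes, no payload */
struct obj_large { struct obj_hdr hdr; uint8_t payload[32]; };

/* A message from the peer: the kind it claims the target object has,
 * plus the bytes it wants stored in that object's payload. */
struct msg { uint32_t claimed_kind; uint32_t len; uint8_t data[32]; };

/* A 64-byte arena stands in for the kernel heap: the small object sits at
 * offset 0 and every byte after it is canary, representing whatever
 * neighbouring allocation an overflow would corrupt. */
#define ARENA_SIZE  64
#define CANARY_BYTE 0xAA
union arena { uint8_t bytes[ARENA_SIZE]; struct obj_large align; };

/* Vulnerable handler: chooses the object's layout from the peer-supplied
 * tag instead of the object's own header. Claiming KIND_LARGE against a
 * KIND_SMALL object writes 32 bytes past an 8-byte allocation. */
static int handle_unchecked(uint8_t *obj, const struct msg *m)
{
    if (m->claimed_kind == KIND_LARGE) {
        struct obj_large *l = (struct obj_large *)obj;  /* the confusion */
        memcpy(l->payload, m->data, m->len);            /* len unbounded too */
    }
    return 0;
}

/* Hardened handler: the layout is read from the object's own header, the
 * peer's claim must agree with it, and the copy length is bounded. */
static int handle_checked(uint8_t *obj, const struct msg *m)
{
    struct obj_hdr hdr;
    memcpy(&hdr, obj, sizeof hdr);
    if (hdr.kind != m->claimed_kind)
        return -1;                                      /* type mismatch: drop */
    if (hdr.kind == KIND_LARGE) {
        struct obj_large *l = (struct obj_large *)obj;
        if (m->len > sizeof l->payload)
            return -2;                                  /* oversized: drop */
        memcpy(l->payload, m->data, m->len);
    }
    return 0;
}

/* Count canary bytes clobbered beyond the end of the small object. */
static size_t canary_damage(const uint8_t *arena)
{
    size_t damaged = 0;
    for (size_t i = sizeof(struct obj_small); i < ARENA_SIZE; i++)
        if (arena[i] != CANARY_BYTE)
            damaged++;
    return damaged;
}

/* Deliver one constructed malicious message to a fresh KIND_SMALL object.
 * Returns the handler's negative error code if it rejected the message,
 * otherwise the number of bytes written outside the object (0 is safe). */
long run_demo(int use_checked_handler)
{
    union arena a;
    memset(a.bytes, CANARY_BYTE, ARENA_SIZE);
    struct obj_hdr hdr = { KIND_SMALL, 7 };
    memcpy(a.bytes, &hdr, sizeof hdr);

    struct msg m = { KIND_LARGE, 32, {0} };             /* lies about the kind */
    memset(m.data, 0x41, sizeof m.data);

    int rc = use_checked_handler ? handle_checked(a.bytes, &m)
                                 : handle_unchecked(a.bytes, &m);
    return rc < 0 ? rc : (long)canary_damage(a.bytes);
}

int main(void)
{
    printf("unchecked handler: %ld bytes written past the object\n", run_demo(0));
    printf("checked handler:   rc=%ld (message rejected)\n", run_demo(1));
    return 0;
}
```

The point to carry over to real code review is the first check in `handle_checked`: a type tag that arrives from the peer is untrusted input, and the authoritative type is the one recorded when the object was allocated. Bounding the copy length is necessary but, on its own, would not have stopped the confusion, because the bound itself is derived from the wrong type.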
Intel issued a fix for two medium-severity flaws that affect BlueZ, both of which stem from improper access control. One of the flaws could have enabled an unauthenticated user to steal sensitive information via adjacent access; the other could have allowed an unauthenticated user to cause a denial of service via adjacent access. Users running Linux on servers and workstations should update their kernels to a patched version.