Linux kernel Bluetooth support fails to properly bounds check "protocol" variable

Overview

Linux kernels with Bluetooth support do not adequately validate the “protocol” value, allowing a local user to execute arbitrary code with elevated privileges.

Description

Linux kernels with Bluetooth support may contain a local root vulnerability, even if Bluetooth hardware is not present. A call to socket() may bypass a bounds check on the protocol value. This value is used at a later point as an index to a function pointer, making it possible for an attacker to execute arbitrary code from memory regions controlled by the attacker.

The flawed Bluetooth kernel modules are present by default on some Linux distributions and are frequently loadable by unprivileged users.

---

Impact

An unprivileged, local, authenticated user may be able to gain elevated privileges, even on systems without Bluetooth drivers previously loaded or on systems without Bluetooth hardware installed.

---

Solution

Apply An Update
This issue is addressed in Linux kernels 2.4.30-rc2 and 2.6.11.6.

---

Disable Bluetooth Support

As a workaround, administrators may remove the bluetooth kernel module(s) from their system.

Install Kernel Modules

Suresec Ltd. has also created loadable kernel modules which check protocol and domain values for validity before being used in the flawed Bluetooth code. More information is available in Suresec security advisory 1.

---

Vendor Information

685461

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Linux Kernel Archives __ Affected

Updated: April 05, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed in Linux kernels 2.4.30-rc2 and 2.6.11.6.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

Red Hat, Inc. __ Affected

Notified: April 05, 2005 Updated: December 22, 2005

Status

Affected

Vendor Statement

`This issue could affect Red Hat Enterprise Linux 2.1, 3, and 4 users where the
bluetooth modules are loaded. Updated kernel packages are available at the URL
below and by using the Red Hat Network ‘up2date’ tool.

<http://rhn.redhat.com/errata/CAN-2005-0750.html&gt;`

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian Linux __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

Engarde __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

Hewlett-Packard Company __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

IBM eServer __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

IBM zSeries __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

Immunix __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

Ingrian Networks, Inc. __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

Mandriva, Inc. __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

Mandriva, Inc. __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

MontaVista Software, Inc. __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

Novell, Inc. __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

Openwall GNU/*/Linux __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

SUSE Linux __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

SUSE/Novell has released fixed packages to fix this problem, documented in this security advisory:

<http://www.novell.com/linux/security/advisories/2005_21_kernel.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

Sequent Computer Systems, Inc. __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

Sun Microsystems, Inc. __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

The SCO Group (SCO Linux) __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

TurboLinux __ Unknown

Notified: April 05, 2005 Updated: April 08, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23685461 Feedback>).

View all 19 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://secunia.com/advisories/14713/&gt;
• <http://www.suresec.org/advisories/adv1.pdf&gt;

Acknowledgements

Thanks to Suresec Ltd for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

CVE IDs:	CVE-2005-0750
Severity Metric:	8.78 Date Public: