Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT_UNPATCHED-BLUEZ-RHEL5.NASL
HistoryMay 11, 2024 - 12:00 a.m.

RHEL 5 : bluez (Unpatched Vulnerability)

2024-05-1100:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
1
rhel 5
bluez
vulnerability
unpatched
buffer overflow
information disclosure
remote code execution
dos
cve-2020-27153
cve-2016-7837
cve-2016-9797
cve-2016-9798
cve-2016-9800
cve-2016-9801
cve-2016-9803
cve-2016-9804
cve-2016-9917
cve-2017-1000250
nessus

8.7 High

AI Score

Confidence

High

0.05 Low

EPSS

Percentile

92.9%

JSON

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • bluez: double free in gatttool client disconnect callback handler in src/shared/att.c could lead to DoS or RCE (CVE-2020-27153)

  • Buffer overflow in BlueZ 5.41 and earlier allows an attacker to execute arbitrary code via the parse_line function used in some userland utilities. (CVE-2016-7837)

  • In BlueZ 5.42, a buffer over-read was observed in l2cap_dump function in tools/parser/l2cap.c source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
    (CVE-2016-9797)

  • In BlueZ 5.42, a use-after-free was identified in conf_opt function in tools/parser/l2cap.c source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
    (CVE-2016-9798)

  • In BlueZ 5.42, a buffer overflow was observed in pin_code_reply_dump function in tools/parser/hci.c source file. The issue exists because pin array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame pin_code_reply_cp *cp parameter. (CVE-2016-9800)

  • In BlueZ 5.42, a buffer overflow was observed in set_ext_ctrl function in tools/parser/l2cap.c source file when processing corrupted dump file. (CVE-2016-9801)

  • In BlueZ 5.42, an out-of-bounds read was observed in le_meta_ev_dump function in tools/parser/hci.c source file. This issue exists because ‘subevent’ (which is used to read correct element from ‘ev_le_meta_str’ array) is overflowed. (CVE-2016-9803)

  • In BlueZ 5.42, a buffer overflow was observed in commands_dump function in tools/parser/csr.c source file. The issue exists because commands array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame frm->ptr parameter. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. (CVE-2016-9804)

  • In BlueZ 5.42, a buffer overflow was observed in read_n function in tools/hcidump.c source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
    (CVE-2016-9917)

  • All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests. (CVE-2017-1000250)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory bluez. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196425);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-7837",
    "CVE-2016-9797",
    "CVE-2016-9798",
    "CVE-2016-9800",
    "CVE-2016-9801",
    "CVE-2016-9803",
    "CVE-2016-9804",
    "CVE-2016-9917",
    "CVE-2017-1000250",
    "CVE-2020-27153"
  );

  script_name(english:"RHEL 5 : bluez (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 5 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - bluez: double free in gatttool client disconnect callback handler in src/shared/att.c could lead to DoS or
    RCE (CVE-2020-27153)

  - Buffer overflow in BlueZ 5.41 and earlier allows an attacker to execute arbitrary code via the parse_line
    function used in some userland utilities. (CVE-2016-7837)

  - In BlueZ 5.42, a buffer over-read was observed in l2cap_dump function in tools/parser/l2cap.c source
    file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
    (CVE-2016-9797)

  - In BlueZ 5.42, a use-after-free was identified in conf_opt function in tools/parser/l2cap.c source
    file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
    (CVE-2016-9798)

  - In BlueZ 5.42, a buffer overflow was observed in pin_code_reply_dump function in tools/parser/hci.c
    source file. The issue exists because pin array is overflowed by supplied parameter due to lack of
    boundary checks on size of the buffer from frame pin_code_reply_cp *cp parameter. (CVE-2016-9800)

  - In BlueZ 5.42, a buffer overflow was observed in set_ext_ctrl function in tools/parser/l2cap.c source
    file when processing corrupted dump file. (CVE-2016-9801)

  - In BlueZ 5.42, an out-of-bounds read was observed in le_meta_ev_dump function in tools/parser/hci.c
    source file. This issue exists because 'subevent' (which is used to read correct element from
    'ev_le_meta_str' array) is overflowed. (CVE-2016-9803)

  - In BlueZ 5.42, a buffer overflow was observed in commands_dump function in tools/parser/csr.c source
    file. The issue exists because commands array is overflowed by supplied parameter due to lack of
    boundary checks on size of the buffer from frame frm->ptr parameter. This issue can be triggered by
    processing a corrupted dump file and will result in hcidump crash. (CVE-2016-9804)

  - In BlueZ 5.42, a buffer overflow was observed in read_n function in tools/hcidump.c source file. This
    issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
    (CVE-2016-9917)

  - All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure
    vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process
    memory. This vulnerability lies in the processing of SDP search attribute requests. (CVE-2017-1000250)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-27153");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez-hcidump");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez-utils");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '5')) audit(AUDIT_OS_NOT, 'Red Hat 5.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'bluez-gnome', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'bluez-gnome', 'cves':['CVE-2020-27153']},
      {'reference':'bluez-hcidump', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'bluez-hcidump', 'cves':['CVE-2016-9797', 'CVE-2016-9798', 'CVE-2016-9800', 'CVE-2016-9801', 'CVE-2016-9803', 'CVE-2016-9804', 'CVE-2016-9917']},
      {'reference':'bluez-utils', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'bluez-utils', 'cves':['CVE-2016-7837', 'CVE-2017-1000250']}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bluez-gnome / bluez-hcidump / bluez-utils');
}
VendorProductVersionCPE
redhatenterprise_linux5cpe:/o:redhat:enterprise_linux:5
redhatenterprise_linux6cpe:/o:redhat:enterprise_linux:6
redhatenterprise_linux7cpe:/o:redhat:enterprise_linux:7
redhatenterprise_linuxbluezp-cpe:/a:redhat:enterprise_linux:bluez
redhatenterprise_linuxbluez-gnomep-cpe:/a:redhat:enterprise_linux:bluez-gnome
redhatenterprise_linuxbluez-hcidumpp-cpe:/a:redhat:enterprise_linux:bluez-hcidump
redhatenterprise_linuxbluez-utilsp-cpe:/a:redhat:enterprise_linux:bluez-utils

Related

nessus 59
openvas 45
mageia 4
suse 5
cve 8
redhatcve 9
nvd 8
prion 6
debiancve 7
debian 4
oraclelinux 2
osv 8
redhat 2
alpinelinux 2
cvelist 8
veracode 2
slackware 1
ubuntu 1
ibm 1
centos 1
ubuntucve 8
gentoo 1
photon 1
jvn 1
archlinux 1
fedora 2
rocky 1
almalinux 1
nessus
nessus
RHEL 5 : bluez (Unpatched Vulnerability)
2024-06-03 00:00:00
RHEL 6 : bluez (Unpatched Vulnerability)
2024-06-03 00:00:00
SUSE SLES12 Security Update : bluez (SUSE-SU-2019:0510-1) (BlueBorne)
2019-03-01 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2018:1778-1)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2019:0510-1)
2021-04-19 00:00:00
Huawei EulerOS: Security Advisory for bluez (EulerOS-SA-2021-2088)
2021-07-07 00:00:00
mageia
mageia
Updated bluez packages fix security vulnerability
2019-01-30 22:39:18
Updated bluez packages fix security vulnerability
2017-09-21 16:43:32
Updated bluez packages fix security vulnerability
2017-11-19 13:23:35
suse
suse
Security update for bluez (moderate)
2019-05-30 00:00:00
Security update for bluez (moderate)
2018-12-23 00:12:30
Security update for bluez (moderate)
2020-11-09 00:00:00
cve
cve
CVE-2016-9804
2016-12-03 06:59:09
CVE-2016-9801
2016-12-03 06:59:06
CVE-2020-27153
2020-10-15 03:15:12
redhatcve
redhatcve
CVE-2016-9804
2016-12-05 14:48:00
CVE-2020-27153
2020-10-15 14:01:27
CVE-2017-1000250
2017-09-12 13:24:13
nvd
nvd
CVE-2016-9804
2016-12-03 06:59:09
CVE-2016-9917
2016-12-08 08:59:03
CVE-2017-1000250
2017-09-12 17:29:00
prion
prion
Buffer overflow
2016-12-03 06:59:00
Buffer overflow
2016-12-08 08:59:00
Information disclosure
2017-09-12 17:29:00
debiancve
debiancve
CVE-2016-9804
2016-12-03 06:59:09
CVE-2016-9801
2016-12-03 06:59:06
CVE-2020-27153
2020-10-15 03:15:12
debian
debian
[SECURITY] [DLA 1103-1] bluez security update
2017-09-21 21:01:18
[SECURITY] [DSA 3972-1] bluez security update
2017-09-13 11:54:03
[SECURITY] [DSA 3972-1] bluez security update
2017-09-13 11:54:03
oraclelinux
oraclelinux
bluez security update
2017-09-13 00:00:00
bluez security update
2021-05-25 00:00:00
osv
osv
bluez - security update
2017-09-21 00:00:00
CVE-2017-1000250
2017-09-12 17:29:00
bluez - security update
2017-09-13 00:00:00
redhat
redhat
(RHSA-2017:2685) Moderate: bluez security update
2017-09-12 14:08:48
(RHSA-2021:1598) Moderate: bluez security update
2021-05-18 05:37:07
alpinelinux
alpinelinux
CVE-2017-1000250
2017-09-12 17:29:00
CVE-2020-27153
2020-10-15 03:15:12
cvelist
cvelist
CVE-2017-1000250
2017-09-12 17:00:00
CVE-2016-9917
2016-12-08 08:08:00
CVE-2016-9801
2016-12-03 06:28:00
veracode
veracode
Information Disclosure
2019-01-15 09:18:45
Arbitrary Code Execution
2020-10-18 01:47:10
slackware
slackware
[slackware-security] bluez
2017-09-15 20:16:56
ubuntu
ubuntu
BlueZ vulnerability
2017-09-12 00:00:00
ibm
ibm
Security Bulletin: A vulnerability in bluez affects PowerKVM
2018-06-18 01:38:35
centos
centos
bluez security update
2017-09-12 23:15:38
ubuntucve
ubuntucve
CVE-2016-9804
2016-12-03 00:00:00
CVE-2016-7837
2017-06-09 00:00:00
CVE-2020-27153
2020-10-15 00:00:00
gentoo
gentoo
BlueZ: Arbitrary code execution
2020-11-03 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2020-0158
2020-10-31 00:00:00
jvn
jvn
JVN#38755305: BlueZ userland utilities vulnerable to buffer overflow
2016-12-22 00:00:00
archlinux
archlinux
[ASA-201709-3] bluez: information disclosure
2017-09-12 00:00:00
fedora
fedora
[SECURITY] Fedora 26 Update: bluez-5.46-6.fc26
2017-09-13 22:26:43
[SECURITY] Fedora 27 Update: bluez-5.46-6.fc27
2017-09-30 07:32:32
rocky
rocky
bluez security update
2021-05-18 05:37:07
almalinux
almalinux
Moderate: bluez security update
2021-05-18 05:37:07

8.7 High

AI Score

Confidence

High

0.05 Low

EPSS

Percentile

92.9%

JSON
Related for REDHAT_UNPATCHED-BLUEZ-RHEL5.NASL
nessus59openvas45mageia4suse5cve8redhatcve9nvd8prion6debiancve7debian4oraclelinux2osv8redhat2alpinelinux2cvelist8veracode2slackware1ubuntu1ibm1centos1ubuntucve8gentoo1photon1jvn1archlinux1fedora2rocky1almalinux1