PenTestIT RSS Feed
No matter what part of the world you live in, I'm sure you have at least heard about the latest Bluetooth attack making the rounds: BlueBorne. I'm also sure that some of you have a vulnerable device and some time to wait until your vendor releases a patch remediating this vulnerability. If that is the case, then this post is for you, as it discusses the different ways you can try to avoid being exploited through the BlueBorne Bluetooth vulnerabilities.
What is BlueBorne?
BlueBorne is a new set of vulnerabilities, exploitable without authentication, targeting multiple operating systems such as Android, iOS, Windows, and Linux, and the devices that run them. The name is derived from the word ‘airborne’, as it allows unauthenticated attackers to take over devices even on air-gapped networks. Additionally, this set of attacks does not require the targeted device to be in discoverable mode or to be paired with the attacker’s device. More information about this set of vulnerabilities can be found here.
Vulnerabilities that make up BlueBorne:
- CVE-2017-0781: Remote code execution vulnerability affecting Android devices prior to the September 9, 2017 Security Patch Level
Due to a faulty implementation of the Bluetooth Network Encapsulation Protocol (BNEP) service, a heap overflow occurs when an incorrect buffer size is passed to a memcpy call. This condition allows an attacker to execute arbitrary code, and the vulnerability does not require any user interaction, authentication or pairing.
- CVE-2017-0782: Remote code execution vulnerability affecting Android devices prior to the September 9, 2017 Security Patch Level
An integer underflow condition exists while packets are processed by bnep_process_control_packet(). This memory corruption can be triggered in the Personal Area Networking (PAN) profile of the BNEP service and allows an attacker to execute arbitrary code. The vulnerability does not require any user interaction, authentication or pairing.
- CVE-2017-0783: A vulnerability in the PAN profile of the Bluetooth stack enables the attacker to create a network interface on the victim’s device and route all of its communication over this interface, i.e. a man-in-the-middle position. This affects all Android devices prior to the September 9, 2017 Security Patch Level.
- CVE-2017-0785: The SDP (Service Discovery Protocol) server enables a device to identify other Bluetooth services in its range. An attacker can send crafted request packets to the target, causing it to disclose pieces of memory in its response packets.
- CVE-2017-8628: Similar to CVE-2017-0783, this affects all versions of Microsoft Windows from Windows Vista to Windows 10.
- CVE-2017-1000250: Information leak vulnerability in the BlueZ implementation for Linux. The SDP server discloses pieces of memory in response packets when it receives a specially crafted packet from an attacker.
- CVE-2017-1000251: A memory corruption vulnerability exists due to a stack overflow in the L2CAP (Logical Link Control and Adaptation Protocol) handling, again in BlueZ for Linux.
- CVE-2017-14315: Remote code execution via Apple’s Low Energy Audio Protocol (LEAP) affecting Apple iOS versions 9.3.5 and lower, and AppleTV tvOS versions 7.2.2 and lower
An overly large audio command sent to a targeted device causes a heap overflow due to improper validation of the received command.
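As an added illustration of the bug class behind CVE-2017-0781 and CVE-2017-0782 (an unchecked length reaching memcpy), not the Android BNEP code itself, here is the unchecked length computation beside a hardened parser; the two-byte packet layout, the buffer sizes and the function names are constructed for the example:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed control-packet layout for illustration, not the real BNEP encoding:
 *   byte 0: control type, byte 1: declared payload length, bytes 2..: payload */
#define CTRL_HDR_LEN 2
#define MAX_PAYLOAD  16

/* Vulnerable pattern: the length handed to memcpy is derived by subtracting the
 * header size from the received frame length without first checking that the
 * frame is at least header-sized. For a 1-byte frame, 1 - 2 wraps to SIZE_MAX,
 * so the copy would run far past both the source and destination buffers. */
size_t vulnerable_copy_len(const uint8_t *frame, size_t frame_len) {
    (void)frame;
    return frame_len - CTRL_HDR_LEN;   /* underflows when frame_len < CTRL_HDR_LEN */
}

/* Hardened version: validate before subtracting, bound the declared length by
 * what was actually received, and never exceed the destination capacity.
 * Returns the number of payload bytes copied, or -1 for a malformed frame. */
int parse_control_packet(const uint8_t *frame, size_t frame_len,
                         uint8_t *payload_out, size_t out_cap) {
    if (frame == NULL || payload_out == NULL || frame_len < CTRL_HDR_LEN)
        return -1;                                /* too short to hold a header */
    size_t declared  = frame[1];
    size_t available = frame_len - CTRL_HDR_LEN;  /* safe: frame_len >= 2 here */
    if (declared > available || declared > out_cap)
        return -1;                                /* claims more than received, or than fits */
    memcpy(payload_out, frame + CTRL_HDR_LEN, declared);
    return (int)declared;
}

int main(void) {
    /* Constructed frames: one well-formed, one truncated, one over-claiming. */
    const uint8_t good[]      = {0x01, 0x03, 0xAA, 0xBB, 0xCC};
    const uint8_t truncated[] = {0x01};
    const uint8_t overclaim[] = {0x01, 0x09, 0xAA};
    uint8_t buf[MAX_PAYLOAD];

    printf("truncated, unchecked length: %zu\n", vulnerable_copy_len(truncated, sizeof truncated));
    printf("truncated, hardened: %d\n", parse_control_packet(truncated, sizeof truncated, buf, sizeof buf));
    printf("over-claiming, hardened: %d\n", parse_control_packet(overclaim, sizeof overclaim, buf, sizeof buf));
    printf("well-formed, hardened: %d\n", parse_control_packet(good, sizeof good, buf, sizeof buf));
    return 0;
}
```

The first line of output shows the wrapped-around length (SIZE_MAX) that an unchecked subtraction would hand to memcpy; the hardened parser rejects both the truncated and the over-claiming frame.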
With this theory about BlueBorne out of the way, let's get to the crux of this post.
How to protect systems from BlueBorne attacks?
- Microsoft Windows: Apply patches listed in the September 2017 advisory - CVE-2017-8628 | Microsoft Bluetooth Driver Spoofing Vulnerability
- If you are not able to do so, you can deactivate the Bluetooth module itself. The best way to protect your Windows systems from BlueBorne attacks is by disabling the Bluetooth device from the Device Manager.
- Android: If you are lucky enough, you will have a supported phone that receives OTAs from your provider and can upgrade to the latest September 9, 2017 Security Patch Level. If not, you always have the option of sideloading an OTA. Unfortunately, this patch will be available only for Nougat (7.0) and Marshmallow (6.0). You also have the option of moving to a custom ROM such as LineageOS.
- Apple: Upgrade to iOS version 10 and Apple TV versions above 7.2.2.
- *NIX: This is a bit tricky, as some vendors have already released a patch and some have not. For example, RHEL and Debian patches for CVE-2017-1000250 and CVE-2017-1000251 are already available. However, if you still want to disable Bluetooth, this is how:
# Upstart-based systems: move the Bluetooth job out of the way so it no longer starts
sudo mv /etc/init/bluetooth.conf /etc/init/bluetooth.conf.disabled
# systemd-based systems: disable, mask and stop the Bluetooth service
sudo systemctl disable bluetooth.service
sudo systemctl mask bluetooth.service
sudo systemctl stop bluetooth.service
# Remove the Bluetooth kernel modules (module names vary by distribution; check with lsmod)
sudo modprobe -r bnep btusb bluetooth
You can even follow the RHEL SCAP Security Guide here.
- Armis Labs has also released an Android app, “BlueBorne Vulnerability Scanner”, to detect devices that are vulnerable to BlueBorne.
The post How to: Protect Systems From BlueBorne Attacks? appeared first on PenTestIT.