CVE-2020-12351/12352/24490: Linux Bluetooth Protocol Remote Code Execution Vulnerability Alert
Intel addressed these security issues in a Tuesday advisory, recommending that users update the Linux kernel to version 5.9 or later.
Vulnerability Detail
CVEID: CVE-2020-12351
Description: Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
CVSS Base Score: 8.3 High
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2020-12352
Description: Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.
CVSS Base Score: 5.3 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVEID: CVE-2020-24490
Description: Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access.
CVSS Base Score: 5.3 Medium
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected versions
All Linux kernel versions that support BlueZ. Some commonly affected Linux distributions include:
- Red Hat Enterprise Linux 7/8
- Ubuntu 20.04 LTS
- Debian 9/10/11
Solution
Update to Linux kernel 5.9 or later, as recommended in Intel's advisory. The upstream fixes were posted to the linux-bluetooth mailing list as a four-patch series:
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/