News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

  • Linux : Potential security vulnerabilities in BlueZ

    Home Forums AskWoody support Non-Windows operating systems Linux – all distros Linux : Potential security vulnerabilities in BlueZ

    Viewing 10 reply threads
    • Author
      Posts
      • #2304692
        Alex5723
        AskWoody Plus

        Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure. BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.

        Affected Products:
        All Linux kernel versions that support BlueZ.

        1 user thanked author for this post.
      • #2304713
        Paul T
        AskWoody MVP

        For those who don’t know, BlueZ is the Linux Bluetooth stack.

        cheers, Paul

        3 users thanked author for this post.
      • #2304728
        Microfix
        AskWoody MVP

        another article dated the day after the intel warning over on ZDNet

        Intel recommends updating to Linux kernel 5.9 to mitigate a serious flaw Google found in the Linux Bluetooth stack

        From personal experience with linux distro’s, I’m sure Bluez is sometimes tied in with the device sound distro/ developer dependant

        | Quality over Quantity |
        1 user thanked author for this post.
        • #2304824
          Ascaris
          AskWoody MVP

          From personal experience with linux distro’s, I’m sure Bluez is sometimes tied in with the device sound distro/ developer dependant

          That’s because bluetooth devices can act as audio sources or sinks. If you do not make a bluetooth connection, these bits of the audio stack are not used.

          According to the ZDNet article, the attacker needs to be within bluetooth range and to know the bluetooth device address to be able to send specially crafted packets to be able to exploit this. If the radio is off, that can’t happen. IOW, you should be fine if bluetooth is disabled.

          Group "L" (KDE Neon Linux 5.22.3 User Edition)

          3 users thanked author for this post.
          • #2304842
            mn–
            AskWoody Lounger

            The ZDnet article also has a silly line that says,

            BleedingTooth affects Linux kernel versions 5.8 and higher but not Linux 5.9 and higher.

            So yeah, that’s at least somewhat wrong. The Google security folks seem to be a bit more on target, they say it’s from 4.8 onwards.

            The fixes have been backported, Ubuntu has those in “proposed” state apparently right now, looks like 4.15.0-122 and 5.4.0-52 or newer in Ubuntu and derivatives will have the fix.

            5 users thanked author for this post.
      • #2304790
        Alex5723
        AskWoody Plus

        Intel recommends updating to Linux kernel 5.9

        Intel has removed that line replacing it with “All Linux kernel versions that support BlueZ”

        • This reply was modified 9 months, 1 week ago by Alex5723.
        1 user thanked author for this post.
      • #2304797
        DrBonzo
        AskWoody Plus

        As a relative Linux (Mint 19.2) newbie, how does one determine if one’s kernel supports BlueZ?

        2 users thanked author for this post.
        • #2304800
          Microfix
          AskWoody MVP

          check your synaptic package manager, if bluez is listed as installed, the kernel supports it.

          | Quality over Quantity |
          2 users thanked author for this post.
          • #2304809
            DrBonzo
            AskWoody Plus

            Its listed as installed. That’s a lot of vulnerable kernels since I’m running 4.15. But there’s no way I’m going to upgrade to 5.9. 5.9 isn’t even listed in “View Kernels”; the latest listed kernel is 5.4.

            I got a notification the other day that there was a new 4.15 kernel available, but when I read the security descriptions there was no mention of Bluez or Bluetooth. Maybe I’ll just make sure Bluetooth is disabled.

            2 users thanked author for this post.
          • #2304811
            Microfix
            AskWoody MVP

            I’m in the same boat with LM19.3 ‘Tricia’ on kernel 4.15.0.121 that’s supported to April 2023
            I’ve moved back to this kernel to fix ipowersaving issues in 5.4.xxx and got system stability.
            Have disabled blueberry and bluetooth OBEX Agent from startup (as this device has no bluetooth) and that was during installation six weeks ago.

            | Quality over Quantity |
            3 users thanked author for this post.
      • #2304817
        OscarCP
        AskWoody Plus

        I don’t use any Bluetooth devices and have Bluetooth disabled. Do I have to worry about this problem?

        Ex Windows user (Win. 98, XP, 7). Now: running macOS Mojave & sometimes, Linux (Mint)

        2 users thanked author for this post.
        • #2304823
          Microfix
          AskWoody MVP

          OscarCP see #2304822
          nothing to worry about, it’s Friday 🙂

          | Quality over Quantity |
          1 user thanked author for this post.
      • #2304818
        Charlie
        AskWoody Plus

        I don’t have any Bluetooth on the laptop I’m using either, but I checked and my 19.1, 32 bit install has the bluez things listed in the synaptic package manager.  Can I just uninstall/remove these bluez items in synaptic package manager?  I don’t see bluetooth in startup, and it’s already disabled.

        • This reply was modified 9 months, 1 week ago by Charlie.
        • This reply was modified 9 months, 1 week ago by Charlie.
        2 users thanked author for this post.
        • #2304822
          Microfix
          AskWoody MVP

          I wouldn’t remove bluez, even if you don’t use it. (I’ve tried and it flagged up errors whilst testing)
          Just disable blueberry and bluetooth OBEX Agent in
          Control Centre/ startup applications/ then tick the ‘show hidden’ which will reveal these two options.

          Edit: you can also go into Sytem Tools/ System monitor and open up the Processes tab
          there in look for these processes, highlight/right click and kill it, so there is no need to restart.

          | Quality over Quantity |
          4 users thanked author for this post.
      • #2304825
        anonymous
        Guest

        ? says:

        patch will show up anytime now, last one(s) came along at the end of March (Upgraded the following packages:
        bluez (5.37-0ubuntu5.1) to 5.37-0ubuntu5.3
        bluez-cups (5.37-0ubuntu5.1) to 5.37-0ubuntu5.3
        bluez-obexd (5.37-0ubuntu5.1) to 5.37-0ubuntu5.3
        libbluetooth3 (5.37-0ubuntu5.1) to 5.37-0ubuntu5.3)

        meanwhile i’m listening\watching ad free youtube thanks to microfix…

        1 user thanked author for this post.
        • #2304847
          mn–
          AskWoody Lounger

          Its listed as installed. That’s a lot of vulnerable kernels since I’m running 4.15. But there’s no way I’m going to upgrade to 5.9. 5.9 isn’t even listed in “View Kernels”; the latest listed kernel is 5.4.

          This is a kernel-side vulnerability, applications can’t fix it, they can merely disable the trigger condition at most.

          Looks like Ubuntu has fixed versions of 4.15, 5.4 and 5.8 branches in the testing pipe (“proposed”) right now… oh, there’s also at least one for 5.3 too…

          Well, at least they aren’t jumping straight from build to wide release 😉

          3 users thanked author for this post.
      • #2305492
        Microfix
        AskWoody MVP

        the eagle has landed…Linux Mint 19.3 kernel update 4.15.0-122.124

        * CVE-2020-12351 // CVE-2020-12352 // CVE-2020-24490
        – Bluetooth: Disable High Speed by default
        – Bluetooth: MGMT: Fix not checking if BT_HS is enabled
        – [Config] Disable BlueZ highspeed support

        * CVE-2020-12351
        – Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel

        * CVE-2020-12352
        – Bluetooth: A2MP: Fix not initializing all members

        extract taken from:
        http://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.15.0-122.124/changelog

        | Quality over Quantity |
        1 user thanked author for this post.
      • #2305560
        anonymous
        Guest

        Linux Mint 20 and I just had that kernel update offered(5.4.0-52.57) via Mint’s Update Manager a few hours ago and have just installed that.

        I’ve had the Bluetooth disabled always in Mint on any laptop that has internal Bluetooth radio capability but does Disabling Bluetooth also disable any Bluetooth discovery services as well? I’ve always tried to make sure that everything related to any wireless capabilities are fully disabled on any OS until I enable them. And that includes any WiFi/Bluetooth discovery services as well and no possibilities of any sort of wireless connection via the laptop’s hardware/attached devices.  the Only Wifi device that I’m currently using it a wireless mouse that has it own USB dongle connected and that’s been factory paired.

        I really wish that any OSs would have a Tray Icon that would animate if any sort of networking polling or device discovery was attempted on any wireless device receivers that where attached internally and externally to any PC/Laptop or other device. And that the option for complete radio silence could be had via a try icon if any attempted probing was detected. At home I’m Ethernet only as that’s the way I like it and that’s how I’m online most of the time.

         

        • #2305570
          Ascaris
          AskWoody MVP

          I’ve had the Bluetooth disabled always in Mint on any laptop that has internal Bluetooth radio capability but does Disabling Bluetooth also disable any Bluetooth discovery services as well?

          Assuming everything is working properly, then yes, it would disable the discovery of bluetooth device by the laptop in question.

          I’m always a little bit sketchy on saying that action A that is supposed to cause result B will cause result B, because sometimes things malfunction and don’t behave as they are meant to. There’s no special reason to think that’s the case here, only that I feel compelled to allow for that possibility.

          I just received the update to kernel 5.4.0-52.57 in Neon as well.

          Group "L" (KDE Neon Linux 5.22.3 User Edition)

          1 user thanked author for this post.
      • #2305701
        anonymous
        Guest

        ? says:

        4.15.0.122 and 5.4.0.52 came down the chute for 18.04lts and 20.04lts ((linux-image-5.4.0-52-generic (5.4.0-52.57)) with the bluez security modifcations. still waiting on 16.04lts to arrive shortly…

    Viewing 10 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, no politics or religion.

    Reply To: Linux : Potential security vulnerabilities in BlueZ

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.