News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Linux : Potential security vulnerabilities in BlueZ

    Posted on Alex5723 Comment on the AskWoody Lounge

    Home Forums AskWoody support Non-Windows operating systems Linux – all distros Linux : Potential security vulnerabilities in BlueZ

    Viewing 10 reply threads
    • Author
      Posts
      • #2304692 Reply
        Alex5723
        AskWoody Plus

        Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure. BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.

        Affected Products:
        All Linux kernel versions that support BlueZ.

        1 user thanked author for this post.
      • #2304713 Reply
        Paul T
        AskWoody MVP

        For those who don’t know, BlueZ is the Linux Bluetooth stack.

        cheers, Paul

        3 users thanked author for this post.
      • #2304728 Reply
        Microfix
        AskWoody MVP

        another article dated the day after the intel warning over on ZDNet

        Intel recommends updating to Linux kernel 5.9 to mitigate a serious flaw Google found in the Linux Bluetooth stack

        From personal experience with linux distro’s, I’m sure Bluez is sometimes tied in with the device sound distro/ developer dependant

        Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L
        1 user thanked author for this post.
        • #2304824 Reply
          Ascaris
          AskWoody_MVP

          From personal experience with linux distro’s, I’m sure Bluez is sometimes tied in with the device sound distro/ developer dependant

          That’s because bluetooth devices can act as audio sources or sinks. If you do not make a bluetooth connection, these bits of the audio stack are not used.

          According to the ZDNet article, the attacker needs to be within bluetooth range and to know the bluetooth device address to be able to send specially crafted packets to be able to exploit this. If the radio is off, that can’t happen. IOW, you should be fine if bluetooth is disabled.

          Group "L" (KDE Neon Linux 5.20.1 User Edition, Ubuntu 20.04 base).

          3 users thanked author for this post.
          • #2304842 Reply
            mn–
            AskWoody Lounger

            The ZDnet article also has a silly line that says,

            BleedingTooth affects Linux kernel versions 5.8 and higher but not Linux 5.9 and higher.

            So yeah, that’s at least somewhat wrong. The Google security folks seem to be a bit more on target, they say it’s from 4.8 onwards.

            The fixes have been backported, Ubuntu has those in “proposed” state apparently right now, looks like 4.15.0-122 and 5.4.0-52 or newer in Ubuntu and derivatives will have the fix.

            5 users thanked author for this post.
      • #2304790 Reply
        Alex5723
        AskWoody Plus

        Intel recommends updating to Linux kernel 5.9

        Intel has removed that line replacing it with “All Linux kernel versions that support BlueZ”

        • This reply was modified 1 week, 4 days ago by Alex5723.
        1 user thanked author for this post.
      • #2304797 Reply
        DrBonzo
        AskWoody Plus

        As a relative Linux (Mint 19.2) newbie, how does one determine if one’s kernel supports BlueZ?

        2 users thanked author for this post.
        • #2304800 Reply
          Microfix
          AskWoody MVP

          check your synaptic package manager, if bluez is listed as installed, the kernel supports it.

          Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L
          2 users thanked author for this post.
          • #2304809 Reply
            DrBonzo
            AskWoody Plus

            Its listed as installed. That’s a lot of vulnerable kernels since I’m running 4.15. But there’s no way I’m going to upgrade to 5.9. 5.9 isn’t even listed in “View Kernels”; the latest listed kernel is 5.4.

            I got a notification the other day that there was a new 4.15 kernel available, but when I read the security descriptions there was no mention of Bluez or Bluetooth. Maybe I’ll just make sure Bluetooth is disabled.

            2 users thanked author for this post.
          • #2304811 Reply
            Microfix
            AskWoody MVP

            I’m in the same boat with LM19.3 ‘Tricia’ on kernel 4.15.0.121 that’s supported to April 2023
            I’ve moved back to this kernel to fix ipowersaving issues in 5.4.xxx and got system stability.
            Have disabled blueberry and bluetooth OBEX Agent from startup (as this device has no bluetooth) and that was during installation six weeks ago.

            Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L
            3 users thanked author for this post.
      • #2304817 Reply
        OscarCP
        AskWoody Plus

        I don’t use any Bluetooth devices and have Bluetooth disabled. Do I have to worry about this problem?

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

        2 users thanked author for this post.
        • #2304823 Reply
          Microfix
          AskWoody MVP

          OscarCP see #2304822
          nothing to worry about, it’s Friday 🙂

          Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L
          1 user thanked author for this post.
      • #2304818 Reply
        Charlie
        AskWoody Plus

        I don’t have any Bluetooth on the laptop I’m using either, but I checked and my 19.1, 32 bit install has the bluez things listed in the synaptic package manager.  Can I just uninstall/remove these bluez items in synaptic package manager?  I don’t see bluetooth in startup, and it’s already disabled.

        My memory is still good...but access time is down.

        • This reply was modified 1 week, 4 days ago by Charlie.
        • This reply was modified 1 week, 4 days ago by Charlie.
        2 users thanked author for this post.
        • #2304822 Reply
          Microfix
          AskWoody MVP

          I wouldn’t remove bluez, even if you don’t use it. (I’ve tried and it flagged up errors whilst testing)
          Just disable blueberry and bluetooth OBEX Agent in
          Control Centre/ startup applications/ then tick the ‘show hidden’ which will reveal these two options.

          Edit: you can also go into Sytem Tools/ System monitor and open up the Processes tab
          there in look for these processes, highlight/right click and kill it, so there is no need to restart.

          Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L
          4 users thanked author for this post.
      • #2304825 Reply
        anonymous
        Guest

        ? says:

        patch will show up anytime now, last one(s) came along at the end of March (Upgraded the following packages:
        bluez (5.37-0ubuntu5.1) to 5.37-0ubuntu5.3
        bluez-cups (5.37-0ubuntu5.1) to 5.37-0ubuntu5.3
        bluez-obexd (5.37-0ubuntu5.1) to 5.37-0ubuntu5.3
        libbluetooth3 (5.37-0ubuntu5.1) to 5.37-0ubuntu5.3)

        meanwhile i’m listening\watching ad free youtube thanks to microfix…

        1 user thanked author for this post.
        • #2304847 Reply
          mn–
          AskWoody Lounger

          Its listed as installed. That’s a lot of vulnerable kernels since I’m running 4.15. But there’s no way I’m going to upgrade to 5.9. 5.9 isn’t even listed in “View Kernels”; the latest listed kernel is 5.4.

          This is a kernel-side vulnerability, applications can’t fix it, they can merely disable the trigger condition at most.

          Looks like Ubuntu has fixed versions of 4.15, 5.4 and 5.8 branches in the testing pipe (“proposed”) right now… oh, there’s also at least one for 5.3 too…

          Well, at least they aren’t jumping straight from build to wide release 😉

          3 users thanked author for this post.
      • #2305492 Reply
        Microfix
        AskWoody MVP

        the eagle has landed…Linux Mint 19.3 kernel update 4.15.0-122.124

        * CVE-2020-12351 // CVE-2020-12352 // CVE-2020-24490
        – Bluetooth: Disable High Speed by default
        – Bluetooth: MGMT: Fix not checking if BT_HS is enabled
        – [Config] Disable BlueZ highspeed support

        * CVE-2020-12351
        – Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel

        * CVE-2020-12352
        – Bluetooth: A2MP: Fix not initializing all members

        extract taken from:
        http://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.15.0-122.124/changelog

        Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L
        1 user thanked author for this post.
        • #2305495 Reply
          Charlie
          AskWoody Plus

          That will work on Mint 19.1, 32 bit I hope.

          My memory is still good...but access time is down.

          • #2305538 Reply
            DrBonzo
            AskWoody Plus

            Well, I was just offered it for Mint 19.2 64 bit Cinnamon. So, Microfix and 19.3, me and 19.2, probably extrapolates to you and 19.1.

            1 user thanked author for this post.
        • #2305524 Reply
          mn–
          AskWoody Lounger

          the eagle has landed…

          Well, one of them.

          Not seeing a 5.4 yet… oh, apparently being distributed to mirrors, guess it takes a few minutes. ( https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-52.57~18.04.1 “7 minutes ago”)

          1 user thanked author for this post.
        • #2305572 Reply
          Charlie
          AskWoody Plus

          Yep, I just got it after doing an update check.  So I think I’m good to go for now.

          My memory is still good...but access time is down.

          1 user thanked author for this post.
      • #2305560 Reply
        anonymous
        Guest

        Linux Mint 20 and I just had that kernel update offered(5.4.0-52.57) via Mint’s Update Manager a few hours ago and have just installed that.

        I’ve had the Bluetooth disabled always in Mint on any laptop that has internal Bluetooth radio capability but does Disabling Bluetooth also disable any Bluetooth discovery services as well? I’ve always tried to make sure that everything related to any wireless capabilities are fully disabled on any OS until I enable them. And that includes any WiFi/Bluetooth discovery services as well and no possibilities of any sort of wireless connection via the laptop’s hardware/attached devices.  the Only Wifi device that I’m currently using it a wireless mouse that has it own USB dongle connected and that’s been factory paired.

        I really wish that any OSs would have a Tray Icon that would animate if any sort of networking polling or device discovery was attempted on any wireless device receivers that where attached internally and externally to any PC/Laptop or other device. And that the option for complete radio silence could be had via a try icon if any attempted probing was detected. At home I’m Ethernet only as that’s the way I like it and that’s how I’m online most of the time.

         

        • #2305570 Reply
          Ascaris
          AskWoody_MVP

          I’ve had the Bluetooth disabled always in Mint on any laptop that has internal Bluetooth radio capability but does Disabling Bluetooth also disable any Bluetooth discovery services as well?

          Assuming everything is working properly, then yes, it would disable the discovery of bluetooth device by the laptop in question.

          I’m always a little bit sketchy on saying that action A that is supposed to cause result B will cause result B, because sometimes things malfunction and don’t behave as they are meant to. There’s no special reason to think that’s the case here, only that I feel compelled to allow for that possibility.

          I just received the update to kernel 5.4.0-52.57 in Neon as well.

          Group "L" (KDE Neon Linux 5.20.1 User Edition, Ubuntu 20.04 base).

          1 user thanked author for this post.
      • #2305701 Reply
        anonymous
        Guest

        ? says:

        4.15.0.122 and 5.4.0.52 came down the chute for 18.04lts and 20.04lts ((linux-image-5.4.0-52-generic (5.4.0-52.57)) with the bluez security modifcations. still waiting on 16.04lts to arrive shortly…

    Viewing 10 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Linux : Potential security vulnerabilities in BlueZ

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.