Red Hat Product Security was made aware of a vulnerability affecting the Linux kernel's implementation of the Bluetooth L2CAP protocol. The vulnerability was named BlueBorne and was assigned an ID - CVE-2017-1000251.
A vulnerable system would need to have Bluetooth (hardware + service) enabled and an attacking device would need to be within
its operating range.
Bluetooth is a short-range wireless communication technology meant to connect devices over radio channels without need for a physical connection. The radio channel forms a physical layer in the Bluetooth stack, analogous to cables in other networks. Above this physical channel, the Bluetooth stack hosts different logical channels and their associated protocols, such as Link Manager Protocol (LMP), Logical Link Control and Adaptation Protocol (L2CAP) and others. These protocols help with controlling the operation of devices in the Bluetooth network and provide services such as segmentation/reassembly of application data, error detection, retransmission and multiplexing of channels over a shared link.
A typical Bluetooth operation includes device discovery, connection establishment and configuration followed by data transmission. A radio channel provides a physical link between two devices. The L2CAP (Logical link control and adaptation protocol) channel provides a logical connection between two devices which could serve a single application. Multiple such logical connections share a physical link between two devices.
Kernel buffer overflow
Once a physical connection is established, L2CAP configures a logical link between two end-points to be used by an application. It is during this configuration of a channel that the stack buffer overflow issue can occur. L2CAP implementation in the Linux kernel stores these configuration parameters in a stack buffer object:
case L2CAP_CONF_PENDING: .... if (test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) { char buf[64]; <= Kernel stack buffer stores L2CAP parameters len = l2cap_parse_conf_rsp(chan, rsp->data, len, buf, &result);
A Bluetooth client sends configuration parameters to a host, these are temporarily stored in the “buf” array above.
A malicious client can send L2CAP configuration packets with configuration parameters set to exceed 64 byte length of the “buf” array passed to the l2cap_parse_conf_rsp() routine. When these parameters are copied to the "buf" array, adjacent kernel stack memory is overwritten with their content. This exchange occurs prior to any authentication, while establishing a Bluetooth connection. As a result, an unauthenticated user who is able to connect to a system via Bluetooth, can use this flaw to overwrite kernel stack memory with malicious data.
System guards
Kernel stack memory corruption can be easily leveraged to execute arbitrary code with kernel ring 0 (above root) privileges on a system. Red Hat Enterprise Linux kernels are hardened with gcc(1) compile time options which protect against such memory corruption. On supported architectures the gcc(1) -fstack-protector option adds a canary value at the beginning of a function and before the function return address. The -fstack-protector-strong extends this canary protection around local stack variables including arrays of any type and length. As can be seen below,
After copying data to these stack variables, kernel validates the stack canary value stored in the stack frame to detect any memory corruption and aborts the impending attack by resorting to a kernel panic.
void __stack_chk_fail(void) { panic("stack-protector: Kernel stack is corrupted in: %p\n", __builtin_return_address(0)); }
The stack protection thus helps to prevent the arbitrary code execution with the kernel/root privileges. Ie. on cpu architectures with support for this feature, this vulnerability is reduced to a denial of service, rather than a remote code execution one.
Response
Red Hat Enterprise Linux kernels have received updates to address this buffer overflow. The kernel functions 'L2cap_parse_conf_rsp' and 'l2cap_add_conf_opt' have been augmented to accept a new parameter specifying the length of the "buf" array. These functions then use the length parameter to contain the data copied from an incoming packet within "buf" limits, so as to prevent the stack buffer overflow.
Acknowledgements:
Red Hat would like to thank Armis Labs (https://armis.com) for reporting this issue.
[*] https://access.redhat.com/security/vulnerabilities/blueborne
À propos de l'auteur
Parcourir par canal
Automatisation
Les dernières nouveautés en matière d'automatisation informatique pour les technologies, les équipes et les environnements
Intelligence artificielle
Actualité sur les plateformes qui permettent aux clients d'exécuter des charges de travail d'IA sur tout type d'environnement
Cloud hybride ouvert
Découvrez comment créer un avenir flexible grâce au cloud hybride
Sécurité
Les dernières actualités sur la façon dont nous réduisons les risques dans tous les environnements et technologies
Edge computing
Actualité sur les plateformes qui simplifient les opérations en périphérie
Infrastructure
Les dernières nouveautés sur la plateforme Linux d'entreprise leader au monde
Applications
À l’intérieur de nos solutions aux défis d’application les plus difficiles
Programmes originaux
Histoires passionnantes de créateurs et de leaders de technologies d'entreprise
Produits
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Services cloud
- Voir tous les produits
Outils
- Formation et certification
- Mon compte
- Assistance client
- Ressources développeurs
- Rechercher un partenaire
- Red Hat Ecosystem Catalog
- Calculateur de valeur Red Hat
- Documentation
Essayer, acheter et vendre
Communication
- Contacter le service commercial
- Contactez notre service clientèle
- Contacter le service de formation
- Réseaux sociaux
À propos de Red Hat
Premier éditeur mondial de solutions Open Source pour les entreprises, nous fournissons des technologies Linux, cloud, de conteneurs et Kubernetes. Nous proposons des solutions stables qui aident les entreprises à jongler avec les divers environnements et plateformes, du cœur du datacenter à la périphérie du réseau.
Sélectionner une langue
Red Hat legal and privacy links
- À propos de Red Hat
- Carrières
- Événements
- Bureaux
- Contacter Red Hat
- Lire le blog Red Hat
- Diversité, équité et inclusion
- Cool Stuff Store
- Red Hat Summit