A new Bluetooth flaw in all but the most recent version of the Linux Kernel has caught the attention of both Google and Intel which have both issued warnings about its severity.

The flaw itself resides in the BlueZ software stack that is used to implement Bluetooth core protocols and layers in Linux. In addition to being used in Linux laptops, the software stack is also used in many consumer devices as well as industrial IoT devices.

Google engineer Andy Nguyen has given the vulnerability the name BleedingTooth and in a recent tweet, he explained that it is actually “a set of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated remote attacker in short distance to execute arbitrary code with kernel privileges on vulnerable devices”.

According to Nguyen, he was inspired by research that led to the discovery of another proof-of-concept exploit called BlueBorne that allows an attacker to send commands without requiring a user to click on links.

Although Nguyen has said that BleedingTooth allows seamless code execution by attackers within Bluetooth range, Intel instead believes the flaw provides a means for an attacker to achieve privilege escalation or to disclose information.

The chip giant has also issued an advisory in which it explained that BleedingTooth is actually comprised of three separate vulnerabilities tracked as CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490. While the first vulnerability has a high-severity CVSS score of 8.3, the other two both have CVSS scores of 5.3. In its BlueZ advisory, Intel explained that Linux kernel fixes will be released soon, saying:

“Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure. BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.”

Intel itself is one of the main contributors to the BlueZ open source project and according to the chipmaker, a series of kernel patches is the only way to address BleedingTooth. While concerning, the vulnerability isn’t the kind of thing users should be afraid of as an attacker would need to be in close proximity of a vulnerable Linux device to exploit BleedingTooth.

Sign up to get breaking news, reviews, opinion, analysis and more, plus the hottest tech deals!

TechRadar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.

Source: https://www.techradar.com/news/google-and-intel-are-worried-about-a-new-linux-vulnerability

Bluetooth, Computer security, Linux kernel, Vulnerability, Intel, Arbitrary code execution

World news – US – Google and Intel are worried about a new Linux vulnerability

En s’appuyant sur ses expertises dans les domaines du digital, des technologies et des process , CSS Engineering vous accompagne dans vos chantiers de transformation les plus ambitieux et vous aide à faire émerger de nouvelles idées, de nouvelles offres, de nouveaux modes de collaboration, de nouvelles manières de produire et de vendre.

CSS Engineering s’implique dans les projets de chaque client comme si c’était les siens. Nous croyons qu’une société de conseil devrait être plus que d’un conseiller. Nous nous mettons à la place de nos clients, pour aligner nos incitations à leurs objectifs, et collaborer pour débloquer le plein potentiel de leur entreprise. Cela établit des relations profondes et agréables.

Nos services:

  1. Création des sites web professionnels
  2. Hébergement web haute performance et illimité
  3. Vente et installation des caméras de vidéo surveillance
  4. Vente et installation des système de sécurité et d’alarme
  5. E-Marketing

Toutes nos réalisations ici https://www.css-engineering.com/en/works/


Please enter your comment!
Please enter your name here