Bug 1663176 (CVE-2019-3459) - CVE-2019-3459 kernel: Heap address information leak while using L2CAP_GET_CONF_OPT
Summary: CVE-2019-3459 kernel: Heap address information leak while using L2CAP_GET_CON...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-3459
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190111,repor...
Depends On: 1664557 1700507 1700508 1664555 1664556 1664558 1665925 1700506
Blocks: 1663182
TreeView+ depends on / blocked
 
Reported: 2019-01-03 11:24 UTC by Andrej Nemec
Modified: 2019-08-06 13:21 UTC (History)
53 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's implementation of Logical Link Control and Adaptation Protocol (L2CAP), part of the Bluetooth stack. An attacker, within the range of standard Bluetooth transmissions, can create and send a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack.
Clone Of:
Environment:
Last Closed: 2019-08-06 13:21:16 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2029 None None None 2019-08-06 12:04:32 UTC
Red Hat Product Errata RHSA-2019:2043 None None None 2019-08-06 12:06:58 UTC

Description Andrej Nemec 2019-01-03 11:24:43 UTC
A flaw was found in the Linux kernels implementation of Logical link control and adaptation protocol (L2CAP), part of the bluetooth stack.

An attacker with physical access within the range of standard bluetooth transmission can create a specially crafted packet.  The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack.

Upstream patch:
https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/

Oss-security post:
https://seclists.org/oss-sec/2019/q1/58

Mitigation:

- Disabling the bluetooth hardware in the bios.
- Prevent loading of the bluetooth kernel modules.
- Disable the bluetooth connection by putting the system in "airport" mode.

Comment 5 Andrej Nemec 2019-01-14 13:04:24 UTC
Public via:

https://seclists.org/oss-sec/2019/q1/58

Comment 6 Andrej Nemec 2019-01-14 13:05:43 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1665925]

Comment 8 gopal krishna tiwari 2019-04-17 06:27:48 UTC
Hi Wade/Andrej, 

Seems patch for this 
 
https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/

Not yet made it to upstream ? Can you confirm ? 

Gopal..

Comment 9 Andrej Nemec 2019-04-25 14:50:03 UTC
(In reply to gopal krishna tiwari from comment #8)
> Hi Wade/Andrej, 
> 
> Seems patch for this 
>  
> https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/
> 
> Not yet made it to upstream ? Can you confirm ? 
> 
> Gopal..

Hi Gopal,

This seems to be the relevant upstream patch link:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c9cbd0b5e38a1672fcd137894ace3b042dfbf69

Comment 10 gopal krishna tiwari 2019-04-26 04:16:03 UTC
(In reply to Andrej Nemec from comment #9)
> (In reply to gopal krishna tiwari from comment #8)
> > Hi Wade/Andrej, 
> > 
> > Seems patch for this 
> >  
> > https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/
> > 
> > Not yet made it to upstream ? Can you confirm ? 
> > 
> > Gopal..
> 
> Hi Gopal,
> 
> This seems to be the relevant upstream patch link:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=7c9cbd0b5e38a1672fcd137894ace3b042dfbf69

Sure, Thanks. Will post this patch soon. 

Gopal

Comment 11 gopal krishna tiwari 2019-04-26 05:10:43 UTC
(In reply to Andrej Nemec from comment #9)
> (In reply to gopal krishna tiwari from comment #8)
> > Hi Wade/Andrej, 
> > 
> > Seems patch for this 
> >  
> > https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/
> > 
> > Not yet made it to upstream ? Can you confirm ? 
> > 
> > Gopal..
> 
> Hi Gopal,
> 
> This seems to be the relevant upstream patch link:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=7c9cbd0b5e38a1672fcd137894ace3b042dfbf69

AFIU this patch fixes both CVE-2019-3459 & CVE-2019-3460 ? 

Gopal

Comment 12 Pedro Sampaio 2019-05-03 16:59:32 UTC
(In reply to gopal krishna tiwari from comment #11)
> (In reply to Andrej Nemec from comment #9)
> > (In reply to gopal krishna tiwari from comment #8)
> > > Hi Wade/Andrej, 
> > > 
> > > Seems patch for this 
> > >  
> > > https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/
> > > 
> > > Not yet made it to upstream ? Can you confirm ? 
> > > 
> > > Gopal..
> > 
> > Hi Gopal,
> > 
> > This seems to be the relevant upstream patch link:
> > 
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> > ?id=7c9cbd0b5e38a1672fcd137894ace3b042dfbf69
> 
> AFIU this patch fixes both CVE-2019-3459 & CVE-2019-3460 ? 
> 
> Gopal

Hello Gopal,

Yes, this patch addresses both vulnerable functions L2CAP_GET_CONF_OPT (CVE-2019-3459) and L2CAP_PARSE_CONF_RSP (CVE-2019-3460).

Comment 13 errata-xmlrpc 2019-08-06 12:04:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029

Comment 14 errata-xmlrpc 2019-08-06 12:06:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043

Comment 15 Product Security DevOps Team 2019-08-06 13:21:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3459


Note You need to log in before you can comment on or make changes to this bug.