Bug 1663176 (CVE-2019-3459) - CVE-2019-3459 kernel: Heap address information leak while using L2CAP_GET_CONF_OPT
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-3459
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1664555 1664556 1664557 1664558 1665925 1700506 1700507 1700508 1772255 1772256 1772257 1772258
Blocks: 1663182
Reported: 2019-01-03 11:24 UTC by Andrej Nemec
Modified: 2023-05-12 21:14 UTC

Fixed In Version:
Doc Text:
A flaw was found in the Linux kernel's implementation of Logical Link Control and Adaptation Protocol (L2CAP), part of the Bluetooth stack. An attacker, within the range of standard Bluetooth transmissions, can create and send a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack.
Clone Of:
Environment:
Last Closed: 2019-08-06 13:21:16 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2019:2029 | 0 | None | None | None | 2019-08-06 12:04:32 UTC
Red Hat Product Errata | RHSA-2019:2043 | 0 | None | None | None | 2019-08-06 12:06:58 UTC
Red Hat Product Errata | RHSA-2019:3309 | 0 | None | None | None | 2019-11-05 20:35:04 UTC
Red Hat Product Errata | RHSA-2019:3517 | 0 | None | None | None | 2019-11-05 21:05:45 UTC
Red Hat Product Errata | RHSA-2020:0740 | 0 | None | None | None | 2020-03-09 14:31:34 UTC

Description Andrej Nemec 2019-01-03 11:24:43 UTC
A flaw was found in the Linux kernel's implementation of Logical Link Control and Adaptation Protocol (L2CAP), part of the Bluetooth stack.

An attacker with physical access within the range of standard Bluetooth transmission can create a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack.

Upstream patch:
https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/

Oss-security post:
https://seclists.org/oss-sec/2019/q1/58

Mitigation:

- Disable the Bluetooth hardware in the BIOS.
- Prevent loading of the Bluetooth kernel modules.
- Disable the Bluetooth connection by putting the system in "airport" mode.
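
One way to audit the second mitigation above (an added example, not part of the original bug report or of any Red Hat tooling): the script checks modprobe configuration and the loaded-module list, and treats a `blacklist` line alone as insufficient because it only suppresses alias-based autoloading. The module list `bluetooth btusb` and the function names are assumptions for illustration; run it with `--live` to check `/etc/modprobe.d` and `/proc/modules`.

```shell
#!/bin/sh
# Added example: audit the "prevent loading of the Bluetooth kernel modules" mitigation.
# BT_MODULES is an assumed sample list; extend it with the drivers present on your hardware.
BT_MODULES="bluetooth btusb"

# module_state CONF_DIR MODULE -> prints "blocked", "blacklist-only" or "unblocked"
module_state() {
    conf_dir=$1; mod=$2; state=unblocked
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        # "install <mod> /bin/true|/bin/false" replaces every load attempt with a no-op
        if grep -Eq "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/(usr/)?bin/(true|false)[[:space:]]*\$" "$f"; then
            echo blocked; return 0
        fi
        # "blacklist" alone still allows explicit modprobe and dependency loads
        if grep -Eq "^[[:space:]]*blacklist[[:space:]]+${mod}[[:space:]]*\$" "$f"; then
            state=blacklist-only
        fi
    done
    echo "$state"
}

# module_loaded PROC_MODULES MODULE -> exit 0 if MODULE appears in the loaded-module list
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# audit CONF_DIR PROC_MODULES -> one line per module; returns 1 if any is loaded or not blocked
audit() {
    rc=0
    for mod in $BT_MODULES; do
        st=$(module_state "$1" "$mod")
        if module_loaded "$2" "$mod"; then ld=loaded; else ld=not-loaded; fi
        echo "$mod $st $ld"
        [ "$st" = blocked ] && [ "$ld" = not-loaded ] || rc=1
    done
    return $rc
}

# Check the live system only when asked to; otherwise just define the functions.
if [ "${1:-}" = "--live" ]; then
    audit /etc/modprobe.d /proc/modules
fi
```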

Comment 5 Andrej Nemec 2019-01-14 13:04:24 UTC
Public via:

https://seclists.org/oss-sec/2019/q1/58

Comment 6 Andrej Nemec 2019-01-14 13:05:43 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1665925]

Comment 8 gopal krishna tiwari 2019-04-17 06:27:48 UTC
Hi Wade/Andrej, 

Seems patch for this 
 
https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/

Not yet made it to upstream ? Can you confirm ? 

Gopal..

Comment 9 Andrej Nemec 2019-04-25 14:50:03 UTC
(In reply to gopal krishna tiwari from comment #8)
> Hi Wade/Andrej, 
> 
> Seems patch for this 
>  
> https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/
> 
> Not yet made it to upstream ? Can you confirm ? 
> 
> Gopal..

Hi Gopal,

This seems to be the relevant upstream patch link:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c9cbd0b5e38a1672fcd137894ace3b042dfbf69

Comment 10 gopal krishna tiwari 2019-04-26 04:16:03 UTC
(In reply to Andrej Nemec from comment #9)
> (In reply to gopal krishna tiwari from comment #8)
> > Hi Wade/Andrej, 
> > 
> > Seems patch for this 
> >  
> > https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/
> > 
> > Not yet made it to upstream ? Can you confirm ? 
> > 
> > Gopal..
> 
> Hi Gopal,
> 
> This seems to be the relevant upstream patch link:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c9cbd0b5e38a1672fcd137894ace3b042dfbf69

Sure, Thanks. Will post this patch soon. 

Gopal

Comment 11 gopal krishna tiwari 2019-04-26 05:10:43 UTC
(In reply to Andrej Nemec from comment #9)
> (In reply to gopal krishna tiwari from comment #8)
> > Hi Wade/Andrej, 
> > 
> > Seems patch for this 
> >  
> > https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/
> > 
> > Not yet made it to upstream ? Can you confirm ? 
> > 
> > Gopal..
> 
> Hi Gopal,
> 
> This seems to be the relevant upstream patch link:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c9cbd0b5e38a1672fcd137894ace3b042dfbf69

AFAIU this patch fixes both CVE-2019-3459 & CVE-2019-3460?

Gopal

Comment 12 Pedro Sampaio 2019-05-03 16:59:32 UTC
(In reply to gopal krishna tiwari from comment #11)
> (In reply to Andrej Nemec from comment #9)
> > (In reply to gopal krishna tiwari from comment #8)
> > > Hi Wade/Andrej, 
> > > 
> > > Seems patch for this 
> > >  
> > > https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/
> > > 
> > > Not yet made it to upstream ? Can you confirm ? 
> > > 
> > > Gopal..
> > 
> > Hi Gopal,
> > 
> > This seems to be the relevant upstream patch link:
> > 
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c9cbd0b5e38a1672fcd137894ace3b042dfbf69
> 
> AFAIU this patch fixes both CVE-2019-3459 & CVE-2019-3460?
> 
> Gopal

Hello Gopal,

Yes, this patch addresses both vulnerable functions L2CAP_GET_CONF_OPT (CVE-2019-3459) and L2CAP_PARSE_CONF_RSP (CVE-2019-3460).

Comment 13 errata-xmlrpc 2019-08-06 12:04:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029

Comment 14 errata-xmlrpc 2019-08-06 12:06:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043

Comment 15 Product Security DevOps Team 2019-08-06 13:21:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3459

Comment 17 errata-xmlrpc 2019-11-05 20:35:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309

Comment 18 errata-xmlrpc 2019-11-05 21:05:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517

Comment 21 errata-xmlrpc 2020-03-09 14:31:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0740 https://access.redhat.com/errata/RHSA-2020:0740

