Bug 1886521 (CVE-2020-12351) - CVE-2020-12351 kernel: net: bluetooth: type confusion while processing AMP packets
Summary: CVE-2020-12351 kernel: net: bluetooth: type confusion while processing AMP pa...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-12351
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1888250 1888251 1888252 1888253 1888254 1888255 1888256 1888257 1888258 1888259 1888260 1888261 1888262 1888263 1888264 1888265 1888268 1888269 1888270 1888271 1888272 1888273 1888274 1888439 1971485 1971486
Blocks: 1886531 1888711 1888714
TreeView+ depends on / blocked
 
Reported: 2020-10-08 16:32 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-06-14 07:12 UTC (History)
59 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the Linux kernel’s Bluetooth implementation handled L2CAP (Logical Link Control and Adaptation Protocol) packets with A2MP (Alternate MAC-PHY Manager Protocol) CID (Channel Identifier). This flaw allows a remote attacker in an adjacent range to crash the system, causing a denial of service or potentially executing arbitrary code on the system by sending a specially crafted L2CAP packet. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-10-19 20:22:01 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4276 0 None None None 2020-10-20 11:04:50 UTC
Red Hat Product Errata RHSA-2020:4277 0 None None None 2020-10-19 17:12:15 UTC
Red Hat Product Errata RHSA-2020:4278 0 None None None 2020-10-19 15:45:52 UTC
Red Hat Product Errata RHSA-2020:4279 0 None None None 2020-10-19 16:58:08 UTC
Red Hat Product Errata RHSA-2020:4280 0 None None None 2020-10-19 15:40:16 UTC
Red Hat Product Errata RHSA-2020:4281 0 None None None 2020-10-19 16:58:26 UTC
Red Hat Product Errata RHSA-2020:4286 0 None None None 2020-10-20 08:48:29 UTC
Red Hat Product Errata RHSA-2020:4287 0 None None None 2020-10-20 08:39:26 UTC
Red Hat Product Errata RHSA-2020:4288 0 None None None 2020-10-20 08:31:19 UTC
Red Hat Product Errata RHSA-2020:4289 0 None None None 2020-10-20 09:00:49 UTC

Description Guilherme de Almeida Suckevicz 2020-10-08 16:32:24 UTC 
A flaw was found in the way the Linux kernel Bluetooth implementation handled L2CAP packets with A2MP CID. A remote attacker in adjacent range could use this flaw to crash the system causing denial of service or potentially execute arbitrary code on the system by sending a specially crafted L2CAP packet.
Comment 10 Petr Matousek 2020-10-14 20:56:33 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1888439]
Comment 11 Petr Matousek 2020-10-14 21:01:17 UTC 
Acknowledgments:

Name: Andy Nguyen (Google), Intel
Comment 12 Dave Baker 2020-10-15 17:17:31 UTC 
Statement:

Red Hat Enterprise Linux 7 is affected starting with the Red Hat Enterprise Linux 7.4 GA kernel version 3.10.0-693 onward.

For Red Hat OpenShift Container Platform, while the cluster nodes may be running an underlying kernel that's affected by this flaw present, both virtual and physical hosts in a production environment will generally have the mitigation already in place of having Bluetooth hardware either not present, or not enabled.
Comment 14 Fedora Update System 2020-10-15 22:33:30 UTC 
FEDORA-2020-e288acda9a has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 15 Fedora Update System 2020-10-15 22:35:36 UTC 
FEDORA-2020-ce117eff51 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 16 Fedora Update System 2020-10-16 00:30:23 UTC 
FEDORA-2020-ad980d282f has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 31 Petr Matousek 2020-10-19 08:03:19 UTC 
External References:

https://access.redhat.com/security/vulnerabilities/BleedingTooth
https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
https://www.zdnet.com/article/google-warns-of-severe-bleedingtooth-bluetooth-flaw-in-linux-kernel/
Comment 36 Eric Christensen 2020-10-19 13:17:18 UTC 
Mitigation:

To mitigate these vulnerabilities on the operating system level, disable the Bluetooth functionality via blocklisting kernel modules in the Linux kernel. The kernel modules can be prevented from being loaded by using system-wide modprobe rules. Instructions on how to disable Bluetooth modules are available on the Customer Portal at https://access.redhat.com/solutions/2682931.

Alternatively, Bluetooth can be disabled within the hardware or at BIOS level which will also provide an effective mitigation as the kernel will not be able to detect that Bluetooth hardware is present on the system.
Comment 47 errata-xmlrpc 2020-10-19 15:40:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4280 https://access.redhat.com/errata/RHSA-2020:4280
Comment 48 errata-xmlrpc 2020-10-19 15:45:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:4278 https://access.redhat.com/errata/RHSA-2020:4278
Comment 49 errata-xmlrpc 2020-10-19 16:58:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4279 https://access.redhat.com/errata/RHSA-2020:4279
Comment 50 errata-xmlrpc 2020-10-19 16:58:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:4281 https://access.redhat.com/errata/RHSA-2020:4281
Comment 51 errata-xmlrpc 2020-10-19 17:12:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:4277 https://access.redhat.com/errata/RHSA-2020:4277
Comment 53 Product Security DevOps Team 2020-10-19 20:22:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12351
Comment 63 errata-xmlrpc 2020-10-20 08:31:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:4288 https://access.redhat.com/errata/RHSA-2020:4288
Comment 64 errata-xmlrpc 2020-10-20 08:39:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:4287 https://access.redhat.com/errata/RHSA-2020:4287
Comment 65 errata-xmlrpc 2020-10-20 08:48:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4286 https://access.redhat.com/errata/RHSA-2020:4286
Comment 66 errata-xmlrpc 2020-10-20 09:00:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4289 https://access.redhat.com/errata/RHSA-2020:4289
Comment 67 errata-xmlrpc 2020-10-20 11:04:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4276 https://access.redhat.com/errata/RHSA-2020:4276
Note You need to log in before you can comment on or make changes to this bug.