A set of new security vulnerabilities, collectively dubbed BrakTooth, has been disclosed in commercial Bluetooth Classic stacks. The flaws could let an adversary crash devices through denial-of-service (DoS) attacks and, worse, execute arbitrary code on them.

Affected devices are exposed to remote code execution (an attacker takes over the device by sending it crafted Bluetooth packets that cause its firmware to run attacker-controlled code) and to denial-of-service attacks because the Bluetooth firmware on their chips has not been patched against these flaws, according to the ASSET research group that disclosed them.

The flaws lie in the Bluetooth baseband and Link Manager Protocol (LMP) firmware that runs on the Bluetooth controller (the SoC or module), not in the host operating system's stack or the main CPU, so a fix has to come from the chip vendor rather than from an OS update. The identifiers CVE-2017-0781, CVE-2017-0782, CVE-2017-0783 and CVE-2017-0785 are not BrakTooth bugs: they belong to Armis's earlier BlueBorne disclosure of flaws in Android's Bluetooth stack, whereas the BrakTooth identifiers are 2021 CVEs such as CVE-2021-28139 below.

Armis's BlueBorne disclosure affected Android, Linux, Apple iOS and Windows, as well as Samsung Gear devices and the Microsoft Surface Hub; Armis wrote in its advisory that an Apple spokesperson confirmed the vulnerabilities after the company had said it was investigating them. BrakTooth, by contrast, is a firmware problem in specific Bluetooth SoCs, so whether a product is exposed depends on which chip it contains rather than on its operating system.

The most severe of the 16 bugs is CVE-2021-28139, which affects the Espressif ESP32 SoC used in many Bluetooth-enabled products, from consumer electronics to industrial equipment. It arises from a missing out-of-bounds check in the ESP32's Bluetooth library: a crafted LMP packet can write past the buffer the firmware intended to fill, letting an attacker execute arbitrary code on the device, including erasing its NVRAM data. Once running, such code could also flip the Bluetooth channel configuration and force the device into an unresponsive state.
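To make the "missing out-of-bounds check" concrete, here is an added example (written for this article, not the ESP32 library's or ASSET's code) that models a minimal LMP feature-response handler twice: once trusting the peer-supplied length, once rejecting any length that does not match the field it fills. The PDU layout, the 8-byte feature field, the state byte that follows it, the opcode value and the helper names are all assumptions made for illustration; only the 17-byte LMP payload limit comes from the Bluetooth Core specification.

```c
/* Added example, not ESP32 or ASSET code: a minimal model of a Bluetooth Classic
 * LMP feature-response handler, first without and then with the length check
 * whose absence the article describes for CVE-2021-28139. Field names, sizes
 * and the opcode value are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define LMP_FEATURES_LEN 8   /* assumed: size of the feature bitmask in LMP_features_res */
#define LMP_MAX_PAYLOAD  17  /* LMP PDUs carry at most 17 bytes of payload */

/* Link-layer context as a controller might keep it. The feature bitmask is
 * immediately followed by a state byte, so a one-byte overrun lands in link_state. */
struct lmp_link {
    uint8_t features[LMP_FEATURES_LEN];
    uint8_t link_state;      /* assumed encoding: 0 = disconnected, 1 = connected */
};

/* Over-the-air PDU: opcode, peer-declared payload length, payload bytes. */
struct lmp_pdu {
    uint8_t opcode;
    uint8_t len;
    uint8_t payload[LMP_MAX_PAYLOAD];
};

/* Vulnerable: copies pdu->len bytes into a fixed-size field without checking it. */
int lmp_features_res_vuln(struct lmp_link *link, const struct lmp_pdu *pdu)
{
    uint8_t *dst = (uint8_t *)link;      /* byte view of the context so the overrun is visible */
    for (uint8_t i = 0; i < pdu->len; i++)
        dst[i] = pdu->payload[i];        /* writes past features[] as soon as len > 8 */
    return 0;
}

/* Hardened: the field has exactly one valid length; anything else is dropped. */
int lmp_features_res_safe(struct lmp_link *link, const struct lmp_pdu *pdu)
{
    if (pdu->len != LMP_FEATURES_LEN)
        return -1;                        /* malformed PDU: reject, state untouched */
    memcpy(link->features, pdu->payload, LMP_FEATURES_LEN);
    return 0;
}

/* Constructed malicious PDU: one byte longer than the field it targets, with the
 * extra byte set to `tail`, which is what ends up in link_state in the vulnerable path. */
static struct lmp_pdu make_oversized_pdu(uint8_t tail)
{
    struct lmp_pdu pdu;
    memset(&pdu, 0, sizeof pdu);
    pdu.opcode = 0x28;                    /* assumed opcode value for LMP_features_res */
    pdu.len = LMP_FEATURES_LEN + 1;       /* 9 bytes where 8 are expected; still <= 17 */
    memset(pdu.payload, 0xFF, LMP_FEATURES_LEN);
    pdu.payload[LMP_FEATURES_LEN] = tail;
    return pdu;
}

/* Feed the oversized PDU to one handler on a connected link and return link_state. */
uint8_t link_state_after(int hardened)
{
    struct lmp_link link = { {0}, 1 };    /* connected link with empty feature mask */
    struct lmp_pdu pdu = make_oversized_pdu(0x42);
    if (hardened)
        lmp_features_res_safe(&link, &pdu);
    else
        lmp_features_res_vuln(&link, &pdu);
    return link.link_state;               /* 0x42 if the overrun happened, 1 if rejected */
}

/* Same exercise, returning the handler's return code instead of the state. */
int handler_rc(int hardened)
{
    struct lmp_link link = { {0}, 1 };
    struct lmp_pdu pdu = make_oversized_pdu(0x42);
    return hardened ? lmp_features_res_safe(&link, &pdu)
                    : lmp_features_res_vuln(&link, &pdu);
}
```

The model keeps the overrun inside one struct so it is deterministic and visible; in a real controller the bytes past the feature field are whatever the firmware placed next to it (pointers, counters, a code-path selector), which is how a length-unchecked copy turns into the code execution and NVRAM erasure the researchers describe. The hardened handler illustrates the general rule: a peer-declared length is untrusted input and must be compared against the size of the destination before any copy.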

Whether a given product can be exploited depends on how the vulnerable component is integrated into that particular Bluetooth-enabled device.

The other vulnerabilities are less severe than CVE-2021-28139 but still serious: they are denial-of-service bugs that crash or deadlock the Bluetooth firmware of the affected SoCs when it receives malformed or unexpected LMP packets, leaving the device's Bluetooth (and in some cases the whole device) unresponsive until it is rebooted.

The researchers issued a warning but withheld the exploit details and proof-of-concept at the time, because not every affected vendor had shipped a fix and many affected devices may never be updated. "The best action for users is to disable Bluetooth until a patch is made available," wrote the researchers in their advisory.

The vulnerabilities were found by the ASSET (Automated Systems SEcuriTy) research group at the Singapore University of Technology and Design (SUTD), which discovered them by fuzzing the Bluetooth Classic link layer of commercial SoCs. The 2017 identifiers CVE-2017-0781, CVE-2017-0782 and CVE-2017-0783 are unrelated Android bugs from Armis's BlueBorne disclosure: the first two are memory-corruption flaws in Android's BNEP implementation, and the third is a logical flaw that enables a man-in-the-middle position; none of them is a stack overflow in BlueZ.

The ASSET group has also released a proof-of-concept (PoC) tool that vendors of Bluetooth SoCs, modules and products can use to reproduce the vulnerabilities and validate their fixes against BrakTooth attacks. The tool is available on GitHub.

More details are available in the research team’s advisory.

The separate BlueBorne vulnerabilities were discovered by researchers at Armis, which disclosed them in coordination with Google, Microsoft, Apple, Samsung, Intel and other affected vendors. Despite those coordinated disclosures, and with public disclosure imminent at the time, Armis researchers said they did not know whether anyone had attempted to exploit the flaws in the wild.

“This vulnerability allows remote attackers to gain full control over vulnerable devices. This means an attacker can gain access to the device’s data, including sensitive information like authentication tokens, passwords, keys, and so on,” Armis wrote in its advisory. “It also enables the attacker to execute arbitrary code with kernel privileges which completely compromises the device.”
