Intel Mistakenly Publishes Bluetooth Zero-Day Vulnerability Details Two Months Before Linux Kernel Patches Are to Arrive

A Google security researcher warns of zero-day vulnerabilities in the Linux Bluetooth stack that allow attackers to escalate privileges to root. A fix should be available in Linux kernel 5.10, which is still a couple of months away, so any device, mobile or PC, that uses the BlueZ stack will remain vulnerable for a while.

The BlueZ subsystem’s vulnerabilities received a name, BleedingTooth, which usually only happens with severe security issues. In this case, Intel says improper input validation in BlueZ may allow an unauthenticated user to enable escalation of privilege via adjacent access.

More to the point, security researcher Andy Nguyen, who found the issues, explained on Twitter: “BleedingTooth is a set of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated, remote attacker in short distance to execute arbitrary code with kernel privileges on vulnerable devices.”

The researcher also posted a short video showing the vulnerabilities are present and work without a hitch. But this is where the real problem comes in. In the initial iteration of the advisory, Intel said the Linux kernel patches would be available with the 5.9 release, which took place a couple of days ago.

Unfortunately, Intel made a mistake when coordinating the vulnerability disclosure. For unknown reasons, its advisory said the patches would be available in Linux kernel 5.9; the fixes are now scheduled to land in Linux kernel 5.10, which is due at the end of December.

In other words, Intel just published details on a zero-day vulnerability that will only receive fixes in two months, leaving Linux users worldwide exposed to potential attacks. One of the maintainers of the Linux kernel had this to say about the entire situation on Twitter:

“They are now claiming you need a 5.10 kernel or newer to solve this. 5.10 will be released at the end of December, 2020. Intel knows better, and knows how to do this properly, this feels malicious at this point…”