Security Alert (A17-09-05): Multiple Vulnerabilities in Bluetooth Implementation


 

Published on: 13 September 2017

  
  

Description:

8 vulnerabilities, collectively named as “BlueBorne”, are found in the implementation of the Bluetooth protocol in different platforms. An attacker could exploit these vulnerabilities through Bluetooth connections without devices paired in advance. 

 

Affected Systems:

  • Microsoft Windows Vista or later versions
  • Microsoft Windows Server 2008 or later versions
  • Linux Operating Systems (on 32-bit and 64-bit) based on kernel 3.3-rc1 or later versions
  • Apple iOS versions prior to iOS 10
  • All versions of Android OS

The list is not exhaustive and it is strongly recommended to consult the product supplier and/or device manufacturer if the systems have Bluetooth capabilities.

 

Impact:

Successful exploitation could lead to arbitrary code execution, information disclosure or potentially take control of the affected systems.

 

Recommendation:

  • Microsoft Windows
    Microsoft has released security updates addressing the vulnerabilities. The update can be obtained by using the auto-update mechanism or by downloading at the following URL:
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628

  • Linux Operating Systems
    These vulnerabilities are fixed in some of the Linux distributions. Linux system administrators should check with their product vendors to confirm if their Linux systems are affected and the availability of patches, and if so, upgrade to the fixed versions or follow the recommendations provided by the product vendors to mitigate the risk.

  • Apple iOS
    The latest iOS version has addressed the issues. Users can obtain the updates by using the auto-update mechanism. Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

  • Android
    Google has provided patches to device manufacturers for their further testing and distribution to the customers' devices. Users shall ascertain that their Android devices are updated with the patches once available. Users should contact the device manufacturers for the patch availability and details.

 

List of affected systems are made available in the following URL:

https://www.kb.cert.org/vuls/id/240311

As an interim measure and a security best practice, Bluetooth on affected systems should be disabled if it is unused or unnecessary.

More Information:

https://www.kb.cert.org/vuls/id/240311
https://www.armis.com/blueborne/
https://www.hkcert.org/my_url/en/alert/17091303
https://www.us-cert.gov/ncas/current-activity/2017/09/12/BlueBorne-Bluetooth-Vulnerabilities
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628
https://source.android.com/security/bulletin/2017-09-01
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0781
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8628
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251

 



Tag: Bluetooth , Windows , Windows Server , Linux , Kernel , iOS , Android
Tags