Google and Intel are worried about a new Linux vulnerability

News
By published

BleedingTooth resides in the Linux Kernel's BlueZ software stack

The best open source software: Linux
(Image credit: Shutterstock)

A new Bluetooth flaw in all but the most recent version of the Linux Kernel has caught the attention of both Google and Intel which have both issued warnings about its severity.

The flaw itself resides in the BlueZ software stack that is used to implement Bluetooth core protocols and layers in Linux. In addition to being used in Linux laptops, the software stack is also used in many consumer devices as well as industrial IoT devices.

Google engineer Andy Nguyen has given the vulnerability the name BleedingTooth and in a recent tweet, he explained that it is actually “a set of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated remote attacker in short distance to execute arbitrary code with kernel privileges on vulnerable devices”.

According to Nguyen, he was inspired by research that led to the discovery of another proof-of-concept exploit called BlueBorne that allows an attacker to send commands without requiring a user to click on links.

BleedingTooth

Although Nguyen has said that BleedingTooth allows seamless code execution by attackers within Bluetooth range, Intel instead believes the flaw provides a means for an attacker to achieve privilege escalation or to disclose information.

The chip giant has also issued an advisory in which it explained that BleedingTooth is actually comprised of three separate vulnerabilities tracked as CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490. While the first vulnerability has a high-severity CVSS score of 8.3, the other two both have CVSS scores of 5.3. In its BlueZ advisory, Intel explained that Linux kernel fixes will be released soon, saying:

“Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure. BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.”

Intel itself is one of the main contributors to the BlueZ open source project and according to the chipmaker, a series of kernel patches is the only way to address BleedingTooth. While concerning, the vulnerability isn't the kind of thing users should be afraid of as an attacker would need to be in close proximity of a vulnerable Linux device to exploit BleedingTooth.

Via Ars Technica

TOPICS
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
More about security
Money

Financial leaders still rely on regular tools like Excel for automation tasks over AI
Half man, half AI.

Generative AI has a long way to go as siloed data and abuse of its capacity remain a downside – but it does change the game for security teams
Poco F6 Pro in white from the back showing its Camera array and branding

For a mid-range handset, the Poco F6 Pro is premium in more ways than one, but I found it hard to ignore some of its key pitfalls
See more latest
Most Popular
BraX3
This obscure brand wants to launch the most privacy-friendly smartphone ever without Google, but with a mysterious open-source OS at its core
HAMR
Seagate reportedly sold two billion GBs worth of storage to two of the world's largest tech companies
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
Oracle
Bluehost owner is moving to Oracle Cloud, so could thousands of websites be about to migrate?
Money
Financial leaders still rely on regular tools like Excel for automation tasks over AI
Two examples of the Asus Fragrance Mouse MD101 sitting on a table
Your next computer mouse could have a fragrance compartment for aromatherapy oils – and this Asus idea is nothing to sniff at
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models