Announcement

Collapse
No announcement yet.

Linux Impacted By Information Leak & Remote Code Execution Via Bluetooth

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Linux Impacted By Information Leak & Remote Code Execution Via Bluetooth

    Phoronix: Linux Impacted By Information Leak & Remote Code Execution Via Bluetooth

    Armis Labs has gone public today with "Bluebourne", an IoT-focused attack vector via Bluetooth. This Bluetooth attack does not require the targeted device to even be paired with the attacker or on discoverable mode, making it more frightening...

    http://www.phoronix.com/scan.php?pag...-Vulnerability

  • #2
    Microsoft – Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure.
    [...]
    Linux – Contacted August 15 and 17, 2017. On September 5, 2017, we connected and provided the necessary information to the the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure.
    Microsoft got the details on April 19 and took 3 months to fix it, Linux got the details on September 5 and took 4 days to fix it (fix: https://git.kernel.org/pub/scm/linux...f34b8f915a6ea3).

    Comment


    • #3
      Seems like a nightmare if you watch the videos.

      Comment


      • #4
        according to this: https://access.redhat.com/security/v...ties/blueborne
        my laptop is unaffected
        $ zgrep CONFIG_CC_STACKPROTECTOR /proc/config.gz
        CONFIG_CC_STACKPROTECTOR=y
        Last edited by davidbepo; 12 September 2017, 05:30 PM. Reason: added useful link

        Comment


        • #5
          INB4 Rust

          Comment


          • #6
            How come Linux developers weren't contacted until four months after Google and Microsoft if Linux IoT devices are listed as one of the primary targets of the vulnerability?

            Comment


            • #7
              Originally posted by TheBlackCat View Post
              How come Linux developers weren't contacted until four months after Google and Microsoft if Linux IoT devices are listed as one of the primary targets of the vulnerability?
              Perhaps they simply had a patch prepared? Does it particularly matter though considering all platforms were set to have the patch released in September?

              Comment


              • #8
                Originally posted by zamadatix View Post

                Perhaps they simply had a patch prepared? Does it particularly matter though considering all platforms were set to have the patch released in September?
                It matters to me.

                Also the page does not state that Linux has a patch yet, only that the information would be released on the 12th...

                Comment


                • #9
                  Originally posted by geearf View Post

                  It matters to me.

                  Also the page does not state that Linux has a patch yet, only that the information would be released on the 12th...
                  Because, per their page, they also coordinated with all of the major distributions security contacts. Ubuntu already pushed the security patch out late on the 11th (https://launchpad.net/ubuntu/+source...01-0ubuntu13.3). I assume the rest have as well by now since it was planned.

                  Comment


                  • #10
                    I appreciate the work of Armis Labs in researching this vulnerability, but I have to say that Blueborne page they put up is garbage. It reads like a cross between sensationalist tech "news" and marketing tripe. They barely talk about mitigation. It's just a lot of big numbers and scary words, and then:

                    Securing against BlueBorne


                    Vulnerabilities that can spread over the air and between devices pose a tremendous threat to any organization or individual. Current security measures, including endpoint protection, mobile data management, firewalls, and network security solution are not designed to identify these type of attacks, and related vulnerabilities and exploits, as their main focus is to block attacks that can spread via IP connections.

                    New solutions are needed to address the new airborne attack vector, especially those that make air gapping irrelevant. Additionally, there will need to be more attention and research as new protocols are using for consumers and businesses alike. With the large number of desktop, mobile, and IoT devices only increasing, it is critical we can ensure these types of vulnerabilities are not exploited. This is the primary mission of Armis in this new connected age.
                    These two paragraphs are all we get on the subject of mitigation. Let's break that down.

                    Current security measures, including endpoint protection, mobile data management, firewalls, and network security solution are not designed to identify these type of attacks
                    Indeed, none of these things will make insecure shit on your network magically secure. And nor would anyone expect them to. If used correctly, they are components of what is hopefully a larger coordinated policy to limit the damage a compromised host can do if connected to the network.

                    New solutions are needed to address the new airborne attack vector, especially those that make air gapping irrelevant.
                    Hold on. Air gapping? Ah yes. From earlier in the article:

                    Airborne attacks can also allow hackers to penetrate secure internal networks which are “air gapped,” meaning they are disconnected from any other network for protection
                    That's bullshit. An air gapped network will not be accessible via bluetooth or the insecure class of devices equipped with it. That would completely defeat the purpose of air gapping.

                    Additionally, there will need to be more attention and research as new protocols are using for consumers and businesses alike. With the large number of desktop, mobile, and IoT devices only increasing, it is critical we can ensure these types of vulnerabilities are not exploited. This is the primary mission of Armis in this new connected age.
                    I assume the takeaway is supposed to be that the world will be needing their services more and more as we move into this brave new world. Very helpful. Thanks for that.

                    Maybe they could have mentioned some hardening options, such as buffer overflow protection (-fstack-protector). Or recommended some best practices such as disabling features that one does not need (such as bluetooth) in order to reduce the attack surface. Even some platitude about the importance of keeping your software up to date would have been better than nothing.
                    Last edited by Frogging101; 12 September 2017, 11:41 PM.

                    Comment

                    Working...
                    X