Linux Impacted By Information Leak & Remote Code Execution Via Bluetooth

  • Linux Impacted By Information Leak & Remote Code Execution Via Bluetooth

    Phoronix: Linux Impacted By Information Leak & Remote Code Execution Via Bluetooth

    Armis Labs has gone public today with "Bluebourne", an IoT-focused attack vector via Bluetooth. This Bluetooth attack does not require the targeted device to even be paired with the attacker or on discoverable mode, making it more frightening...

    http://www.phoronix.com/scan.php?pag...-Vulnerability

  • #2
    Microsoft – Contacted on April 19, 2017 after which details were shared. Updates were made on July 11. Public disclosure on September 12, 2017 as part of coordinated disclosure.
    [...]
    Linux – Contacted August 15 and 17, 2017. On September 5, 2017, we connected and provided the necessary information to the Linux kernel security team and to the Linux distributions security contact list and conversations followed from there. Targeting updates for on or about September 12, 2017 for coordinated disclosure.
    Microsoft got the details on April 19 and took 3 months to fix it; Linux got the details on September 5 and took 4 days to fix it (fix: https://git.kernel.org/pub/scm/linux...f34b8f915a6ea3).

    • #3
      Seems like a nightmare if you watch the videos.

      • #4
        According to this: https://access.redhat.com/security/v...ties/blueborne
        my laptop is unaffected:
        $ zgrep CONFIG_CC_STACKPROTECTOR /proc/config.gz
        CONFIG_CC_STACKPROTECTOR=y
        Last edited by davidbepo; 09-12-2017, 05:30 PM. Reason: added useful link

        • #5
          Either I need glasses or it looks like they don't spell BlueBorne with a "u".

          (... though those are great action movies!)

          • #6
            INB4 Rust

            • #7
              How come Linux developers weren't contacted until four months after Google and Microsoft if Linux IoT devices are listed as one of the primary targets of the vulnerability?

              • #8
                Originally posted by TheBlackCat
                How come Linux developers weren't contacted until four months after Google and Microsoft if Linux IoT devices are listed as one of the primary targets of the vulnerability?
                Perhaps they simply had a patch prepared? Does it particularly matter though considering all platforms were set to have the patch released in September?

                • #9
                  Originally posted by zamadatix

                  Perhaps they simply had a patch prepared? Does it particularly matter though considering all platforms were set to have the patch released in September?
                  It matters to me.

                  Also the page does not state that Linux has a patch yet, only that the information would be released on the 12th...

                  • #10
                    Originally posted by geearf

                    It matters to me.

                    Also the page does not state that Linux has a patch yet, only that the information would be released on the 12th...
                    Because, per their page, they also coordinated with all of the major distributions' security contacts. Ubuntu already pushed the security patch out late on the 11th (https://launchpad.net/ubuntu/+source...01-0ubuntu13.3). I assume the rest have as well by now since it was planned.
