Vulnerability CVE-2017-1000251


Published: 2017-09-12   Modified: 2017-09-27

Description:
The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 3.3-rc1 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Linux Kernel <= 4.13.1 BlueTooth Buffer Overflow (PoC)
Marcin Kozlowski
22.09.2017

Type:

CWE-119

(Improper Restriction of Operations within the Bounds of a Memory Buffer)

Vendor: Linux
Product: Linux kernel 
Version:
4.9.9
4.9.8
4.9.7
4.9.6
4.9.5
4.9.44
4.9.43
4.9.42
4.9.41
4.9.40
4.9.4
4.9.39
4.9.38
4.9.37
4.9.36
4.9.35
4.9.34
4.9.33
4.9.32
4.9.31
4.9.30
4.9.3
4.9.29
4.9.28
4.9.27
4.9.26
4.9.25
4.9.24
4.9.23
4.9.22
4.9.21
4.9.20
4.9.2
4.9.19
4.9.18
4.9.17
4.9.16
4.9.15
4.9.14
4.9.13
4.9.12
4.9.11
4.9.10
4.9.1
4.9
4.8.9
4.8.8
4.8.7
4.8.6
4.8.5
4.8.4
4.8.3
4.8.2
4.8.17
4.8.16
4.8.15
4.8.14
4.8.13
4.8.12
4.8.11
4.8.10
4.8.1
4.8
4.7.9
4.7.6
4.7.4
4.7.3
4.7
4.6.7
4.6.6
4.6.5
4.6.4
4.6.3
4.6.2
4.6.1
4.6
4.5.7
4.5.5
4.5.4
4.5.3
4.5.2
4.5.1
4.5.0
4.4.9
4.4.83
4.4.82
4.4.81
4.4.80
4.4.8
4.4.79
4.4.78
4.4.77
4.4.76
4.4.75
4.4.74
4.4.73
4.4.72
4.4.71
4.4.70
4.4.7
See more versions on NVD

CVSS2 => (AV:A/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
8.3/10
10/10
6.5/10
Exploit range
Attack complexity
Authentication
Adjacent network
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://www.securityfocus.com/bid/100809
http://www.securitytracker.com/id/1039373
https://access.redhat.com/security/vulnerabilities/blueborne
https://www.armis.com/blueborne
https://www.exploit-db.com/exploits/42762/
https://www.kb.cert.org/vuls/id/240311

Related CVE
CVE-2017-14991
The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0.
CVE-2017-14954
The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted syst...
CVE-2017-12154
The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the "CR8-load exiting" and "CR8-store exiting" L0 vmcs02 controls exist in cases where L1 omits the "use TPR shadow" vmcs12 control, which allow...
CVE-2017-1000252
The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c.
CVE-2015-5327
Out-of-bounds memory read in the x509_decode_time function in x509_cert_parser.c in Linux kernels 4.3-rc1 and after.
CVE-2017-12153
A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel through 4.13.3. This function does not check whether the required attributes are present in a Netlink request. This request can be i...
CVE-2017-12168
The access_pmu_evcntr function in arch/arm64/kvm/sys_regs.c in the Linux kernel before 4.8.11 allows privileged KVM guest OS users to cause a denial of service (assertion failure and host OS crash) by accessing the Performance Monitors Cycle Count Re...
CVE-2017-14497
The tpacket_rcv function in net/packet/af_packet.c in the Linux kernel before 4.13 mishandles vnet headers, which might allow local users to cause a denial of service (buffer overflow, and disk and memory corruption) or possibly have unspecified othe...

Copyright 2017, cxsecurity.com

 

Back to Top