Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability

2006.10.19
Risk: High
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 6.2/10
Impact Subscore: 10/10
Exploitability Subscore: 1.9/10
Exploit range: Local
Attack complexity: High
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

SecureWorks Research Client Advisory

Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability
October 11th, 2006

Summary:
A flaw exists in the Toshiba Bluetooth wireless device driver, used by multiple vendors, that allows a remote attacker within wireless range of a Bluetooth device to perform a denial-of-service (DoS) attack or execute arbitrary code at the highest privilege level.

Scope:
Toshiba Bluetooth host stack implementations version 3.x
Toshiba Bluetooth host stack implementations version 4 through 4.00.35, including all shipping OEM versions are vulnerable.
Toshiba Bluetooth stacks running on 64-bit platforms are not vulnerable.

Toshiba is the OEM for multiple vendor Bluetooth stacks including, but not limited to:
- Dell Computers
- Sony Vaio
- ASUS Computers
- and possibly other brands.

Description:
Bluetooth is a standards-based wireless technology used for short-range data communications between electronic devices. The vulnerable Bluetooth wireless device drivers are subject to potential attacks through specially crafted Bluetooth packets. An attacker can potentially take advantage of these conditions to cause a memory corruption, a system crash, and/or the execution of arbitrary code at the highest privilege level.

An attacker would need to be within approximately 10 meters of the victim. Additionally, an attacker would need the Bluetooth address of the victim's device. Bluetooth addresses are easily enumerated through active scanning if the device allows discovery.

Detection:
Users of Toshiba's Bluetooth stack are encouraged to check the current Bluetooth stack version by selecting:
Version 3.x - "Device Properties...", then "General"
Version 4.x - "Options", then "General", then "Details"

Toshiba has advised that security patches are normally offered for all Bluetooth stacks. Please consult the download details document for further information.
Users of Dell Bluetooth products are encouraged to verify the presence and version of their Bluetooth stack by double-clicking on the Bluetooth icon in the system tray to open the Bluetooth client utility and selecting "Help", then "About".

Recommendations:
Toshiba has recommended that affected users visit their Bluetooth vendor's website for an updated Bluetooth stack. If a patch is unavailable, please visit the Toshiba Bluetooth website, which offers security updates for all Bluetooth stacks including OEM versions, as well as a Bluetooth Stack Security Pack at:
http://aps.toshiba-tro.de/bluetooth/redirect.php?page=pages/download.php

Users of Dell Latitude D820/D620/D420/D520 are asked to verify the version of their Bluetooth stack using the method described above. If your version is not 4.00.22(D) SP2 or newer, then it is recommended that users upgrade to the latest driver versions located at http://www.support.dell.com/.

Users of Dell Latitude D810/D610/D410/D510/X1 are asked to verify the version of their Bluetooth stack using the method described above. If your version is not 4.00.20(D) SP2 or newer, then it is recommended that users upgrade to the latest driver versions to be made available by November 4th, 2006 at http://www.support.dell.com/.

Bluetooth device users should be set to non-discoverable mode during normal operations to reduce risk from this and other potential future Bluetooth attacks.
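The version checks above can be applied to an inventory of recorded version strings. The following is an added example, not part of the SecureWorks advisory or any vendor tool: it assumes the strings look like "4.00.22(D) SP2" as written in the advisory, assumes "or newer" means ordering by build number and then service pack, and uses function names and result labels invented for illustration.

```python
import re

# Dell fixed builds from the advisory: model -> ((major, minor, build), service pack)
DELL_FIXED = {
    **dict.fromkeys(("D820", "D620", "D420", "D520"), ((4, 0, 22), 2)),
    **dict.fromkeys(("D810", "D610", "D410", "D510", "X1"), ((4, 0, 20), 2)),
}
LAST_AFFECTED = (4, 0, 35)  # scope: "version 4 through 4.00.35"

# Assumed string shape: "4.00.22(D) SP2", "4.00.35", "v3.20.01"
_VERSION = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*(\(D\))?\s*(?:SP\s*(\d+))?\s*$", re.I)


def parse_version(text):
    """Return ((major, minor, build), is_dell_build, service_pack)."""
    m = _VERSION.match(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build, dell, sp = m.groups()
    return (int(major), int(minor), int(build or 0)), bool(dell), int(sp or 0)


def assess(version_text, dell_model=None, is_64bit=False):
    """Classify a host as 'vulnerable', 'patched', 'not affected',
    'not listed' or 'unknown' using only the advisory's statements."""
    if is_64bit:
        return "not affected"  # 64-bit platforms are stated not vulnerable
    try:
        ver, dell_build, sp = parse_version(version_text)
    except ValueError:
        return "unknown"
    if dell_build:
        # Dell "(D)" builds are fixed below 4.00.35, so the generic range
        # would flag a patched host; compare against the per-model fix.
        fixed = DELL_FIXED.get((dell_model or "").upper())
        if fixed is None:
            return "unknown"  # model needed to pick the right threshold
        return "patched" if (ver, sp) >= fixed else "vulnerable"
    if ver[0] == 3 or (4, 0, 0) <= ver <= LAST_AFFECTED:
        return "vulnerable"
    return "not listed"


if __name__ == "__main__":
    # Constructed inventory rows: (version string, Dell model or None)
    for row in [("4.00.22(D) SP2", "D620"), ("4.00.20(D) SP1", "D610"),
                ("3.20.01", None), ("4.00.36", None)]:
        print(row, "->", assess(*row))
```

A result of "not listed" only means the version falls outside the ranges the advisory names; it is not a statement that the build is fixed.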
References:
SecureWorks Research Client Advisory
Multiple Vendor Bluetooth Stack Memory Corruption Vulnerability
http://www.secureworks.com/press/20061011-dell.html

Toshiba: Bluetooth Download Page
http://aps.toshiba-tro.de/bluetooth/redirect.php?page=pages/download.php

Dell Support
http://www.support.dell.com/

Buffer Overrun in Toshiba Bluetooth Stack for Windows
http://trifinite.org/trifinite_advisory_toshiba.html

CVSS Scoring:
Access Vector: Remote
Access Complexity: High
Authentication: Not Required
Confidentiality: Complete
Integrity: Complete
Availability: Complete
Impact Bias: Normal
Score: 8.0

Credits:
This vulnerability was discovered and researched by David Maynor of SecureWorks, Inc. and Jon Ellch. SecureWorks would like to thank Christopher M. Davis and the entire Dell security response team as well as Armin Scheruebl of Toshiba Europe GmbH and the Toshiba Bluetooth Support team for their response and coordination.

About Secureworks
Please direct all security research related inquiries to:
Allen Wilson
(404) 417-3717
research (at) secureworks (dot) com

All media inquiries should be directed to:
Elizabeth Clarke
(404) 486-4492
eclarke (at) secureworks (dot) com

(c) Copyright 2006 SecureWorks, Inc.
This advisory may not be edited or modified in any way without the express written consent of SecureWorks, Inc. If you wish to reprint this advisory or any portion or element thereof, please contact research (at) secureworks (dot) com to seek permission. Permission is hereby granted to link to this advisory via the SecureWorks web-site at http://www.secureworks.com/press/20061011-dell.html or use in accordance with the fair use doctrine of U.S. copyright laws.

Disclaimer:
The information within this advisory may change without notice. The most recent version of this advisory may be found on the SecureWorks web site at www.secureworks.com for a limited period of time.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. ANY USE OF THIS INFORMATION IS AT THE USER'S RISK. In no event shall SecureWorks be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

SecureWorks PGP Key available on MIT's PGP key server and PGP.com's key server, as well as http://www.secureworks.com/researchcenter/publickey.html

Revision History:
1.0; October 11th, 2006 - Initial advisory release

