 |
| Google warns of errors in IoT devices |
Google has released details of a very serious vulnerability (CVE-2020-12351) affecting the Bluetooth package in Linux kernel releases prior to (Linux 5.9). The vulnerability takes over the things that run on Linux. (BlueZ) in Internet connected devices (IoT).
Intel recommends updating the Linux kernel to version 5.9 or higher, and Intel said: Incorrect entry verification in (BlueZ) may allow unauthorized users to raise their privileges.
(BlueZ) is the official Bluetooth stack for Linux and provides support for Bluetooth backbone networks and protocols in IoT (Internet of Things) Linux devices.
Google Security Engineer Andy Nguyen reported Intel's "BleedingTooth" error.
Intel said: An Open Source Project (BlueZ) releases fixes for the Linux kernel to address high-risk bugs and fixes for two medium-risk vulnerabilities (CVE-2020-12352) and (CVE-2020-24490). .
Purdue University researchers claimed last month that BlueZ was also vulnerable to BLESA attacks.
Google detailed these errors in the Google Security Research database on the GitHub platform, and Nguyen's description of the CVE-2020-12351 vulnerability appears to be more dangerous than Intel's description.
He posted a video explaining the command to unlock the device on a second Ubuntu Dell computer with a Dell XPS 15 computer running Ubuntu without any action through the victim's laptop.
BlueZ has several Bluetooth modules including the Bluetooth subsystem core, L2CAP and SCO.
Francis Perry of the Google Product Security Incident Response Team says an attacker within Bluetooth range who knows the address of a Bluetooth device can execute the code with kernel permissions.
Perry writes: A remote, remote attacker who knows the victim's bluetooth device address can send malicious packets of data, denying service or executing random code with kernel privileges.
Google plans to post more detailed information about the hack on its security blog soon. Intel recommends installing the kernel patch to solve the issue where the kernel cannot be updated.