Alert - Bluetooth Critical Vulnerabilities

Number: AL17-011
Date: 13 September 2017

Purpose

The purpose of this alert is to bring attention to multiple critical vulnerabilities affecting a broad range of Bluetooth-enabled devices, and to provide guidance and mitigation advice for them. Security researchers have named this group of Bluetooth vulnerabilities "BlueBorne".

Assessment

CCIRC has become aware of multiple critical vulnerabilities in the implementation of the Bluetooth stack in multiple versions of Android, Apple iOS, Microsoft Windows and Linux based products, among others. The vulnerabilities could allow for a malicious threat actor to execute code, intercept wireless communications, abuse device functionality and/or perform man-in-the-middle attacks. While no known active exploitation has been reported, a working proof of concept is available.

Open source reporting describing the vulnerabilities suggests that exploitation does not require the targeted device to be set to discoverable mode or paired to the threat actor's device; furthermore, neither authorization by the end user nor authentication is required for the connection to be made.

CCIRC recommends that information security teams monitor for future vendor-supplied updates and apply relevant security patches as they become available. Below is a list of the potentially affected products and their relevant versions:

Android
Android phones, tablets, and wearables of all versions are affected by the four following vulnerabilities:

  • CVE-2017-0781: Android Remote Code Execution Vulnerability
  • CVE-2017-0782: Android Remote Code Execution Vulnerability
  • CVE-2017-0783: Android Potential Man in the Middle Attack
  • CVE-2017-0785: Android Bluetooth Information Leak Vulnerability

Android devices using Bluetooth Low Energy only are not affected.

The vulnerabilities affecting Marshmallow (6.0) and Nougat (7.0) Android devices were addressed in Google's Android Security Bulletin released September 12th, 2017.

Apple
The following vulnerability affects iPhone, iPad and iPod touch devices with iOS 7 through 9 and Apple TV devices with version 7.2.2 and lower:

  • CVE-2017-14315: Apple Low Energy Audio Remote Code Execution Vulnerability

The vulnerability affecting Apple devices has been resolved in iOS 10, released in September 2016.

Microsoft
Windows versions 10, 8.1, 7, Server 2016 and Server 2008 are affected by the following vulnerability:

  • CVE-2017-8628: Microsoft Bluetooth Driver Spoofing Vulnerability

The vulnerability affecting Microsoft devices has been resolved by a security update released September 12, 2017.

Linux
Linux devices running BlueZ 5.46 and earlier are affected by:

  • CVE-2017-1000250: Linux Bluetooth Information Leak Vulnerability

The vulnerability affecting Red Hat Enterprise Linux 7 and 6 devices has been resolved by a security update released by Red Hat on September 12, 2017.

Linux kernel versions from 3.3-rc1 up to and including 4.13.1 are affected by the following:

  • CVE-2017-1000251: Linux Remote Code Execution Vulnerability

Red Hat Enterprise Linux 5 is not affected.

The vulnerability affecting Red Hat Enterprise Linux 7, 6 and MRG 2 devices has been resolved by a security update released by Red Hat on September 12, 2017.
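The version ranges listed above can be applied to an asset inventory for first-pass triage. The following Python is an added example, not part of the CCIRC alert; the inventory layout, hostnames and platform labels are assumptions made for illustration. A match means only that the version falls in a listed range, so the vendor patch level (for example a backported Red Hat fix) still has to be confirmed.

```python
import re

def vtuple(v):
    """'4.13.1' / '3.3-rc1' / '4.4.0-93-generic' -> sortable tuple; -rcN sorts before the release."""
    m = re.match(r"(\d+(?:\.\d+)*)(?:-rc(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")][:3]
    nums += [0] * (3 - len(nums))          # pad '5.46' to (5, 46, 0)
    rc = int(m.group(2)) if m.group(2) else float("inf")
    return (*nums, rc)

# Ranges and CVE ids transcribed from the alert: platform -> (low, high, high_inclusive, CVEs)
RANGES = {
    "ios":          ("7", "10", False, ["CVE-2017-14315"]),       # iOS 7 through 9
    "appletv":      ("0", "7.2.2", True, ["CVE-2017-14315"]),     # 7.2.2 and lower
    "bluez":        ("0", "5.46", True, ["CVE-2017-1000250"]),    # 5.46 and earlier
    "linux-kernel": ("3.3-rc1", "4.13.1", True, ["CVE-2017-1000251"]),
}
ANDROID_CVES = ["CVE-2017-0781", "CVE-2017-0782", "CVE-2017-0783", "CVE-2017-0785"]
WINDOWS_AFFECTED = {"10", "8.1", "7", "server 2016", "server 2008"}

def potentially_affected(platform, version, ble_only=False):
    """Return the CVEs the alert lists for this platform/version, or [] if outside the listed ranges."""
    p = platform.lower()
    if p == "android":                     # all versions, except Bluetooth Low Energy only devices
        return [] if ble_only else ANDROID_CVES
    if p == "windows":
        return ["CVE-2017-8628"] if version.lower() in WINDOWS_AFFECTED else []
    if p not in RANGES:
        raise ValueError(f"platform not covered by this table: {platform!r}")
    low, high, inclusive, cves = RANGES[p]
    v = vtuple(version)
    in_range = vtuple(low) <= v and (v <= vtuple(high) if inclusive else v < vtuple(high))
    return cves if in_range else []

# Constructed sample inventory (hostnames and versions are illustrative, not from the alert)
INVENTORY = [
    ("build-srv-02", "linux-kernel", "4.4.0-93-generic", False),
    ("edge-gw-07",   "linux-kernel", "4.14-rc1", False),
    ("lab-laptop-3", "bluez",        "5.47", False),
    ("exec-phone-1", "ios",          "9.3.5", False),
    ("badge-reader", "android",      "7.0", True),
]

def triage(inventory):
    """Map each host whose version falls in a listed range to the CVEs to follow up on."""
    return {h: c for h, p, v, ble in inventory if (c := potentially_affected(p, v, ble))}
```
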

Suggested action

CCIRC recommends that those using Bluetooth-enabled products consult the vendor for specific risk mitigation advice and available patches. In non-critical applications, CCIRC recommends considering disabling Bluetooth wireless communications. In mission-critical or life-sustaining applications, the potential consequences of disabling Bluetooth need to be assessed, along with an assessment of risk based on the environment in which the Bluetooth-enabled device is being used. In addition, the Bluetooth protocol has a peer-to-peer wireless transmission range of 10-100 meters in many common mobile devices; this should be taken into account when applying mitigation measures.

References

https://www.kb.cert.org/vuls/id/240311
https://source.android.com/security/bulletin/2017-09-01
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14315
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628
https://access.redhat.com/security/vulnerabilities/blueborne
https://access.redhat.com/security/cve/CVE-2017-1000250
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250
https://access.redhat.com/security/cve/CVE-2017-1000251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251
