Number: AL17-011
Date: 13 September 2017
Purpose
The purpose of this alert is to bring attention to multiple critical vulnerabilities affecting a broad range of Bluetooth-enabled devices, and to provide guidance and mitigation advice for them. Security researchers have named this group of Bluetooth vulnerabilities "BlueBorne".
Assessment
CCIRC has become aware of multiple critical vulnerabilities in the implementation of the Bluetooth stack in multiple versions of Android, Apple iOS, Microsoft Windows and Linux-based products, among others. The vulnerabilities could allow a malicious threat actor to execute code, intercept wireless communications, abuse device functionality and/or perform man-in-the-middle attacks. While no known active exploitation has been reported, a working proof of concept is available.
Open source reporting describing the vulnerabilities suggests that exploitation does not require the targeted device to be set to discoverable mode or paired with the threat actor's device; furthermore, neither authorization by the end user nor authentication is required for the connection to be made.
CCIRC recommends that information security teams monitor for future vendor-supplied updates and apply relevant security patches as they become available. Below is a list of the potentially affected products and their relevant versions:
Android
Android phones, tablets, and wearables of all versions are affected by the following four vulnerabilities:
- CVE-2017-0781: Android Remote Code Execution Vulnerability
- CVE-2017-0782: Android Remote Code Execution Vulnerability
- CVE-2017-0783: Android Potential Man in the Middle Attack
- CVE-2017-0785: Android Bluetooth Information Leak Vulnerability
Android devices using Bluetooth Low Energy only are not affected.
The vulnerabilities affecting Marshmallow (6.0) and Nougat (7.0) Android devices were addressed in Google's Android Security Bulletin released September 12th, 2017.
Apple
The following vulnerability affects iPhone, iPad and iPod touch devices with iOS 7 through 9 and Apple TV devices with version 7.2.2 and lower:
- CVE-2017-14315: Apple Low Energy Audio Remote Code Execution Vulnerability
The vulnerability affecting Apple devices has been resolved in iOS 10, released in September 2016.
Microsoft
Windows versions 10, 8.1, 7, Server 2016 and Server 2008 are affected by the following vulnerability:
- CVE-2017-8628: Microsoft Bluetooth Driver Spoofing Vulnerability
The vulnerability affecting Microsoft devices has been resolved by a security update released September 12, 2017.
Linux
Linux devices running BlueZ 5.46 and earlier are affected by:
- CVE-2017-1000250: Linux Bluetooth Information Leak Vulnerability
The vulnerability affecting Red Hat Enterprise Linux 7 and 6 devices has been resolved by a security update released by Red Hat on September 12, 2017.
Linux kernel versions from 3.3-rc1 up to and including 4.13.1 are affected by the following:
- CVE-2017-1000251: Linux Remote Code Execution Vulnerability
Red Hat Enterprise Linux 5 is not affected.
The vulnerability affecting Red Hat Enterprise Linux 7, 6 and MRG 2 devices has been resolved by a security update released by Red Hat on September 12, 2017.
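The following shell functions are an added example, not part of the original alert, showing how a Linux host's kernel release and BlueZ version can be compared against the ranges listed above. The function names are hypothetical, and the final line assumes bluetoothd is on the PATH. Because vendors backport fixes without changing the upstream version number, an "in-range" result means the vendor's patch status still has to be confirmed.

```sh
#!/bin/sh
# Added example: triage against the Linux version ranges in this alert.
# Function names are hypothetical and not taken from any vendor tool.

# ver_num "X.Y.Z-suffix" prints X*1000000 + Y*1000 + Z (missing parts = 0).
ver_num() {
    v=${1%%[!0-9.]*}            # drop suffixes such as -rc1 or -693.el7.x86_64
    old_ifs=$IFS; IFS=.
    set -- $v                   # split the numeric part on dots
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# CVE-2017-1000251: kernel 3.3-rc1 up to and including 4.13.1.
kernel_in_alert_range() {
    n=$(ver_num "$1")
    [ "$n" -ge 3003000 ] && [ "$n" -le 4013001 ]
}

# CVE-2017-1000250: BlueZ 5.46 and earlier.
bluez_in_alert_range() {
    [ "$(ver_num "$1")" -le 5046000 ]
}

# triage_host <kernel-release> [bluez-version]
# "in-range" means the upstream version falls in the alert's range; confirm
# the distribution's patch level before treating the host as vulnerable.
triage_host() {
    if kernel_in_alert_range "$1"; then k=in-range; else k=out-of-range; fi
    if [ -z "${2:-}" ]; then b=not-found
    elif bluez_in_alert_range "$2"; then b=in-range
    else b=out-of-range
    fi
    echo "kernel=$k bluez=$b"
}

# Check the local host (assumes bluetoothd, if installed, is on the PATH).
triage_host "$(uname -r)" "$(bluetoothd -v 2>/dev/null || true)"
```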
Suggested action
CCIRC recommends that those utilizing Bluetooth-enabled products consult the vendor for specific risk mitigation advice and available patches. In non-critical applications, CCIRC recommends considering disabling Bluetooth wireless communications. In mission-critical or life-sustaining applications, the potential consequences of disabling Bluetooth need to be assessed, along with an assessment of risk based on the environment in which the Bluetooth-enabled device is being used. In addition, the Bluetooth protocol has a peer-to-peer wireless transmission range of 10-100 meters in many common mobile devices; this aspect should be taken into account when applying mitigation measures.
References
https://www.kb.cert.org/vuls/id/240311
https://source.android.com/security/bulletin/2017-09-01
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14315
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628
https://access.redhat.com/security/vulnerabilities/blueborne
https://access.redhat.com/security/cve/CVE-2017-1000250
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250
https://access.redhat.com/security/cve/CVE-2017-1000251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251