A new attack vector called ‘BlueBorne‘ has been discovered. The name is a play on the word ‘airborne’ as it allows attackers to take over devices on air-gapped networks. This attack was disclosed by Armis Lab. The vulnerabilities exploited by this attack affects Android, Linux, Windows, and iOS version less than 10. Targets can be compromised regardless of the Bluetooth version. Armis Labs has disclosed over 8 Zero Days, 4 of which are critical vulnerabilities that could be leveraged for lateral movement.
High Risk Factors
– Does not require any pairing.
– No user interaction required.
– On most operating systems Bluetooth related processes have high privileges.
– Very big attack surface, over 8 billion Bluetooth capable devices.
– Could be used to build botnets.
The table below list all the CVE’s BlueBorne targets:
| OS | CVE | Description |
| Android | CVE-2017-0781 | Remote Code Execution Vulnerability |
| CVE-2017-0782 | Remote Code Execution Vulnerability | |
| CVE-2017-0785 | Information Disclosure Vulnerability | |
| CVE-2017-0783 | Man-in-The-Middle attack (Bluetooth Pineapple) | |
| Windows | CVE-2017-8628 | Microsoft Bluetooth Driver Spoofing Vulnerability |
| Linux | CVE-2017-1000250 | Information Disclosure Vulnerability due to improper processing of SDP search attribute requests. |
| CVE-2017-1000251 | Remote code execution in kernel space due to stack overflow | |
| iOS | CVE-2017-14315 | Heap overflow in implementation of LEAP causing memory corruption. |
Vulnerability and Attack Capability
For most of the attacks we need to locate an active Bluetooth connections, obtains the targets’s MAC address and determine the operating system of the target machine. Based on this information we can create our exploit.
1) Information Leak Vulnerability – CVE-2017-0785:
SDP (Service Discovery Protocol) server, it enables the device to identify other Bluetooth services in its range. An attacker can send crafted request packets to the target, this causes it to disclose memory bits in response packets. It is similar to Heartbleed vulnerability.
2) Remote Code Execution Vulnerability – CVE-2017-0781:
A memory corruption can be triggered in the Bluetooth Network Encapsulation Protocol (BNEP) service, this service is used for sharing internet over a Bluetooth connection. The memory corruption can be used to achieve code execution. This attack does not require any user interaction, authentication or pairing
3) Remote Code Execution vulnerability – CVE-2017-0782:
A memory corruption can be triggered in the Personal Area Networking (PAN) profile of BNEP service. This component is responsible for establishing an IP based network connections. The memory corruption can be used to achieve code execution. This attack does not require any user interaction, authentication or pairing
4) Bluetooth Pineapple – Man in The Middle attack – CVE-2017-0783:
A vulnerability in the PAN profile of the Bluetooth stack enables the attacker to create a network interface on the victim’s device and transmit all communication over this network interface.
5) Bluetooth Pineapple – Man in The Middle attack – CVE-2017-8628:
Similar to CVE-2017-8628 it enables an attacker to create a network interface on the victim’s device and transmit all communication over this network interface.
6) Information leak vulnerability – CVE-2017-1000250):
The SDP server discloses memory bit in response packets when it receives a special crafted packet from an attacker.
7) BlueZ – CVE-2017-1000251:
A stack overflow vulnerability in the L2CAP (Logical Link Control and Adaptation Protocol) causes a memory corruption.
8) Remote code execution via Apple’s Low Energy Audio Protocol (LEAP) – CVE-2017-14315:
LEAP is an Apple proprietary Bluetooth audio streaming protocol for headsets, Siri etc, it is vulnerable to heap overflows. A large audio command sent to a targeted device causes a memory corruption due to improper validation of the received command.
Mitigation:
– We request organization to scan their networks with the QIDs listed below to detect vulnerable machines and patch them immediately.
| CVE | QID | Descritpion |
| CVE-2017-1000251 | 157555 | Oracle Enterprise Linux Security Update for kernel (ELSA-2017-2681) |
| 157553 | Oracle Enterprise Linux Security Update for ELSA-2017-2679-1 Important: Oracle Linux 7 kernel (ELSA-2017-2679) | |
| 236488 | Red Hat Update for kernel (RHSA-2017:2682) (Blueborne) | |
| 236487 | Red Hat Update for kernel (RHSA-2017:2680) (Blueborne) | |
| 236486 | Red Hat Update for kernel (RHSA-2017:2679) (Blueborne) | |
| 236485 | Red Hat Update for kernel (RHSA-2017:2681) (Blueborne) | |
| CVE-2017-1000250 | 157554 | Oracle Enterprise Linux Security Update for bluez (ELSA-2017-2685) |
| 176148 | Debian Security Update for bluez (DSA 3972-1) | |
| 236489 | Red Hat Update for bluez (RHSA-2017:2685) (Blueborne) | |
| 196902 | Ubuntu Security Notification for Bluez Vulnerability (USN-3413-1) (BlueBorne) | |
| CVE-2017-8628 | 91408 | Microsoft Windows Security Update September 2017 |
– Google has issued a patch. It will be available for Nougat (7.0), Marshmallow (6.0)
– Microsoft has addressed this vulnerability in their September 2017 patches. The advisory has listed all the operating systems affected by BlueBorne.
– Apple has addressed this vulnerability in iOS version 10 and Apple TV version above 7.2.2.
– Armis Labs have released an Android App “BlueBorne Vulnerability Scanner” to detect if your device or if devices within range are at risk of BlueBorne.
Update: PoC for targeting CVE-2017-1000251
Please continue to follow ThreatProtect for more details on this vulnerability.
References:
The IoT Attack Vector “BlueBorne” Exposes Almost Every Connected Device
Android Security Bulletin—September 2017
CVE-2017-8628 | Microsoft Bluetooth Driver Spoofing Vulnerability