BlueBorne: Bluetooth Attack Vector

A new attack vector called ‘BlueBorne’ has been discovered. The name is a play on the word ‘airborne’, as it allows attackers to take over devices on air-gapped networks. The attack was disclosed by Armis Labs. The vulnerabilities it exploits affect Android, Linux, Windows, and iOS versions earlier than 10. Targets can be compromised regardless of the Bluetooth version. Armis Labs has disclosed over 8 zero-day vulnerabilities, 4 of which are critical and could be leveraged for lateral movement.

High Risk Factors
– Does not require any pairing.
– No user interaction required.
– On most operating systems Bluetooth related processes have high privileges.
– Very large attack surface: over 8 billion Bluetooth-capable devices.
– Could be used to build botnets.

The table below lists all the CVEs BlueBorne targets:

OS       CVE               Description
Android  CVE-2017-0781     Remote Code Execution Vulnerability
         CVE-2017-0782     Remote Code Execution Vulnerability
         CVE-2017-0785     Information Disclosure Vulnerability
         CVE-2017-0783     Man-in-The-Middle attack (Bluetooth Pineapple)
Windows  CVE-2017-8628     Microsoft Bluetooth Driver Spoofing Vulnerability
Linux    CVE-2017-1000250  Information Disclosure Vulnerability due to improper processing of SDP search attribute requests
         CVE-2017-1000251  Remote code execution in kernel space due to stack overflow
iOS      CVE-2017-14315    Heap overflow in implementation of LEAP causing memory corruption

Vulnerability and Attack Capability

For most of the attacks, the attacker first needs to locate an active Bluetooth connection, obtain the target’s MAC address and determine the operating system of the target machine. The exploit is then built on that information.

1) Information Leak Vulnerability – CVE-2017-0785: 
The SDP (Service Discovery Protocol) server lets a device identify the Bluetooth services offered by other devices in its range. An attacker can send crafted request packets to the target, causing it to disclose fragments of its memory in the response packets. It is similar to the Heartbleed vulnerability.

2) Remote Code Execution Vulnerability – CVE-2017-0781:
A memory corruption can be triggered in the Bluetooth Network Encapsulation Protocol (BNEP) service, which is used for sharing internet access over a Bluetooth connection. The memory corruption can be used to achieve code execution. This attack does not require any user interaction, authentication or pairing.

3) Remote Code Execution vulnerability  – CVE-2017-0782:
A memory corruption can be triggered in the Personal Area Networking (PAN) profile of the BNEP service. This component is responsible for establishing IP-based network connections. The memory corruption can be used to achieve code execution. This attack does not require any user interaction, authentication or pairing.

4) Bluetooth Pineapple – Man in The Middle attack – CVE-2017-0783:
A vulnerability in the PAN profile of the Bluetooth stack enables the attacker to create a network interface on the victim’s device and transmit all communication over this network interface.

5) Bluetooth Pineapple – Man in The Middle attack – CVE-2017-8628:
Similar to CVE-2017-0783 above, it enables an attacker to create a network interface on the victim’s device and transmit all communication over this network interface.

6) Information leak vulnerability – CVE-2017-1000250:
The SDP server discloses memory contents in its response packets when it receives a specially crafted packet from an attacker.
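Items 1 and 6 describe the same bug class: a peer-supplied length field that the server trusts when building its reply, the pattern the post compares to Heartbleed. The following C program is an added illustration written for this page; it is not BlueZ, Android or Armis code and does not reproduce the actual SDP parsing logic. It models a hypothetical request whose trailing “continuation state” is length-prefixed and echoed back, shows the handler that over-reads past the received bytes, and the hardened handler that validates the length against what was actually received, the protocol maximum and the response buffer before copying. The request format, the constant CONT_STATE_MAX and both function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical protocol limit (assumed for this example, not an SDP value). */
#define CONT_STATE_MAX 16

/* Vulnerable handler (hypothetical): trusts the length byte from the request
 * and copies that many bytes into the reply even when the request is shorter.
 * Whatever sits in memory after the request buffer is then echoed back to the
 * peer, i.e. an information leak of the Heartbleed kind. */
size_t echo_cont_state_vulnerable(const uint8_t *req, size_t req_len,
                                  uint8_t *resp, size_t resp_cap)
{
    if (req_len < 1) return 0;
    size_t claimed = req[0];              /* attacker-controlled length */
    if (claimed > resp_cap) return 0;     /* protects the reply buffer only */
    /* BUG: no check that claimed <= req_len - 1 (bytes actually received). */
    memcpy(resp, req + 1, claimed);       /* over-reads when claimed is larger */
    return claimed;
}

/* Hardened handler: every bound is checked before any byte is copied.
 * Returns the number of bytes echoed, or -1 if the request is malformed. */
int echo_cont_state_hardened(const uint8_t *req, size_t req_len,
                             uint8_t *resp, size_t resp_cap)
{
    if (req == NULL || resp == NULL || req_len < 1) return -1;
    size_t claimed   = req[0];
    size_t available = req_len - 1;       /* bytes that really follow the length */
    if (claimed > CONT_STATE_MAX) return -1;  /* exceeds protocol maximum */
    if (claimed > available)      return -1;  /* claims more than was sent */
    if (claimed > resp_cap)       return -1;  /* would overflow the reply */
    memcpy(resp, req + 1, claimed);
    return (int)claimed;
}

int main(void)
{
    uint8_t out[CONT_STATE_MAX];
    /* Constructed well-formed request: length 3 followed by 3 bytes. */
    const uint8_t good[] = { 3, 0xAA, 0xBB, 0xCC };
    /* Constructed malformed request: claims 16 bytes but carries only 3. */
    const uint8_t bad[]  = { 16, 0x01, 0x02, 0x03 };

    printf("good request, hardened: %d bytes echoed\n",
           echo_cont_state_hardened(good, sizeof good, out, sizeof out));
    printf("bad request, hardened:  %d (rejected)\n",
           echo_cont_state_hardened(bad, sizeof bad, out, sizeof out));
    /* The vulnerable handler is deliberately not fed the malformed request
     * here: doing so reads past the end of `bad`, which is the defect. */
    return 0;
}
```

The fix is not specific to SDP: any length, count or offset taken from the wire must be checked against the number of bytes actually received before it drives a copy, and the check against the output buffer alone (as in the vulnerable variant) is not sufficient.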

7) BlueZ – CVE-2017-1000251:
A stack overflow vulnerability in the L2CAP (Logical Link Control and Adaptation Protocol) implementation causes a memory corruption.

8) Remote code execution via Apple’s Low Energy Audio Protocol (LEAP) – CVE-2017-14315:
LEAP is an Apple proprietary Bluetooth audio streaming protocol used for headsets, Siri, etc., and it is vulnerable to heap overflows. A large audio command sent to a targeted device causes a memory corruption due to improper validation of the received command.

Mitigation: 

– We request organizations to scan their networks with the QIDs listed below to detect vulnerable machines and patch them immediately.

CVE               QID     Description
CVE-2017-1000251  157555  Oracle Enterprise Linux Security Update for kernel (ELSA-2017-2681)
                  157553  Oracle Enterprise Linux Security Update for ELSA-2017-2679-1 Important: Oracle Linux 7 kernel (ELSA-2017-2679)
                  236488  Red Hat Update for kernel (RHSA-2017:2682) (Blueborne)
                  236487  Red Hat Update for kernel (RHSA-2017:2680) (Blueborne)
                  236486  Red Hat Update for kernel (RHSA-2017:2679) (Blueborne)
                  236485  Red Hat Update for kernel (RHSA-2017:2681) (Blueborne)
CVE-2017-1000250  157554  Oracle Enterprise Linux Security Update for bluez (ELSA-2017-2685)
                  176148  Debian Security Update for bluez (DSA 3972-1)
                  236489  Red Hat Update for bluez (RHSA-2017:2685) (Blueborne)
                  196902  Ubuntu Security Notification for Bluez Vulnerability (USN-3413-1) (BlueBorne)
CVE-2017-8628     91408   Microsoft Windows Security Update September 2017

Google has issued a patch. It will be available for Nougat (7.0) and Marshmallow (6.0).
Microsoft has addressed this vulnerability in its September 2017 patches. The advisory lists all the operating systems affected by BlueBorne.
Apple has addressed this vulnerability in iOS version 10 and Apple TV versions above 7.2.2.
Armis Labs has released an Android app, “BlueBorne Vulnerability Scanner”, to detect whether your device, or devices within range, are at risk of BlueBorne.

Update: PoC for targeting CVE-2017-1000251

Please continue to follow ThreatProtect for more details on this vulnerability.

References:
The IoT Attack Vector “BlueBorne” Exposes Almost Every Connected Device
Android Security Bulletin—September 2017
CVE-2017-8628 | Microsoft Bluetooth Driver Spoofing Vulnerability
