The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.
bluez: double free in gatttool client disconnect callback handler in src/shared/att.c could lead to DoS or RCE (CVE-2020-27153)
bluez: BlueZ allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c (CVE-2022-39177)
Buffer overflow in BlueZ 5.41 and earlier allows an attacker to execute arbitrary code via the parse_line function used in some userland utilities. (CVE-2016-7837)
In BlueZ 5.42, a buffer over-read was observed in l2cap_dump function in tools/parser/l2cap.c source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
(CVE-2016-9797)
In BlueZ 5.42, a use-after-free was identified in conf_opt function in tools/parser/l2cap.c source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
(CVE-2016-9798)
In BlueZ 5.42, a buffer overflow was observed in pklg_read_hci function in btsnoop.c source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash. (CVE-2016-9799)
In BlueZ 5.42, a buffer overflow was observed in pin_code_reply_dump function in tools/parser/hci.c source file. The issue exists because pin array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame pin_code_reply_cp *cp parameter. (CVE-2016-9800)
In BlueZ 5.42, a buffer overflow was observed in set_ext_ctrl function in tools/parser/l2cap.c source file when processing corrupted dump file. (CVE-2016-9801)
In BlueZ 5.42, a buffer over-read was identified in l2cap_packet function in monitor/packet.c source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.
(CVE-2016-9802)
In BlueZ 5.42, an out-of-bounds read was observed in le_meta_ev_dump function in tools/parser/hci.c source file. This issue exists because ‘subevent’ (which is used to read correct element from ‘ev_le_meta_str’ array) is overflowed. (CVE-2016-9803)
In BlueZ 5.42, a buffer overflow was observed in commands_dump function in tools/parser/csr.c source file. The issue exists because commands array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame frm->ptr parameter. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. (CVE-2016-9804)
In BlueZ 5.42, a buffer overflow was observed in read_n function in tools/hcidump.c source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
(CVE-2016-9917)
In BlueZ 5.42, an out-of-bounds read was identified in packet_hexdump function in monitor/packet.c source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash. (CVE-2016-9918)
Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. (CVE-2020-26558)
A logic issue was addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS 13.4. An attacker in a privileged network position may be able to intercept Bluetooth traffic.
(CVE-2020-9770)
The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the ‘offset’ variable before using it as an index into an array for reading. (CVE-2021-3588)
bluetoothd from bluez incorrectly saves adapters’ Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby attackers. (CVE-2021-3658)
BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash. (CVE-2021-41229)
A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function read_50_controller_cap_complete of the file tools/mgmt-tester.c of the component BlueZ. The manipulation of the argument cap_len leads to null pointer dereference. It is recommended to apply a patch to fix this issue. VDB-211086 is the identifier assigned to this vulnerability. (CVE-2022-3563)
A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function jlink_init of the file monitor/jlink.c of the component BlueZ. The manipulation leads to denial of service. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211936. (CVE-2022-3637)
BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)
BlueZ Audio Profile AVRCP Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19908. (CVE-2023-27349)
Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue. (CVE-2023-45866)
Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory bluez. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(196439);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");
script_cve_id(
"CVE-2016-7837",
"CVE-2016-9797",
"CVE-2016-9798",
"CVE-2016-9799",
"CVE-2016-9800",
"CVE-2016-9801",
"CVE-2016-9802",
"CVE-2016-9803",
"CVE-2016-9804",
"CVE-2016-9917",
"CVE-2016-9918",
"CVE-2020-9770",
"CVE-2020-26558",
"CVE-2020-27153",
"CVE-2021-3588",
"CVE-2021-3658",
"CVE-2021-41229",
"CVE-2022-3563",
"CVE-2022-3637",
"CVE-2022-39176",
"CVE-2022-39177",
"CVE-2023-27349",
"CVE-2023-45866"
);
script_name(english:"RHEL 7 : bluez (Unpatched Vulnerability)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.
- bluez: double free in gatttool client disconnect callback handler in src/shared/att.c could lead to DoS or
RCE (CVE-2020-27153)
- bluez: BlueZ allows physically proximate attackers to cause a denial of service because malformed and
invalid capabilities can be processed in profiles/audio/avdtp.c (CVE-2022-39177)
- Buffer overflow in BlueZ 5.41 and earlier allows an attacker to execute arbitrary code via the parse_line
function used in some userland utilities. (CVE-2016-7837)
- In BlueZ 5.42, a buffer over-read was observed in l2cap_dump function in tools/parser/l2cap.c source
file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
(CVE-2016-9797)
- In BlueZ 5.42, a use-after-free was identified in conf_opt function in tools/parser/l2cap.c source
file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
(CVE-2016-9798)
- In BlueZ 5.42, a buffer overflow was observed in pklg_read_hci function in btsnoop.c source file. This
issue can be triggered by processing a corrupted dump file and will result in btmon crash. (CVE-2016-9799)
- In BlueZ 5.42, a buffer overflow was observed in pin_code_reply_dump function in tools/parser/hci.c
source file. The issue exists because pin array is overflowed by supplied parameter due to lack of
boundary checks on size of the buffer from frame pin_code_reply_cp *cp parameter. (CVE-2016-9800)
- In BlueZ 5.42, a buffer overflow was observed in set_ext_ctrl function in tools/parser/l2cap.c source
file when processing corrupted dump file. (CVE-2016-9801)
- In BlueZ 5.42, a buffer over-read was identified in l2cap_packet function in monitor/packet.c source
file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.
(CVE-2016-9802)
- In BlueZ 5.42, an out-of-bounds read was observed in le_meta_ev_dump function in tools/parser/hci.c
source file. This issue exists because 'subevent' (which is used to read correct element from
'ev_le_meta_str' array) is overflowed. (CVE-2016-9803)
- In BlueZ 5.42, a buffer overflow was observed in commands_dump function in tools/parser/csr.c source
file. The issue exists because commands array is overflowed by supplied parameter due to lack of
boundary checks on size of the buffer from frame frm->ptr parameter. This issue can be triggered by
processing a corrupted dump file and will result in hcidump crash. (CVE-2016-9804)
- In BlueZ 5.42, a buffer overflow was observed in read_n function in tools/hcidump.c source file. This
issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
(CVE-2016-9917)
- In BlueZ 5.42, an out-of-bounds read was identified in packet_hexdump function in monitor/packet.c
source file. This issue can be triggered by processing a corrupted dump file and will result in btmon
crash. (CVE-2016-9918)
- Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby
man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication
procedure) by reflection of the public key and the authentication evidence of the initiating device,
potentially permitting this attacker to complete authenticated pairing with the responding device using
the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit
at a time. (CVE-2020-26558)
- A logic issue was addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS
13.4. An attacker in a privileged network position may be able to intercept Bluetooth traffic.
(CVE-2020-9770)
- The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset'
variable before using it as an index into an array for reading. (CVE-2021-3588)
- bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and
restores it when powered up. If a device is powered down while discoverable, it will be discoverable when
powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby
attackers. (CVE-2021-3658)
- BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in
sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates
and will not be freed. This will cause a memory leak over time. The data can be a very large object, which
can be caused by an attacker continuously sending sdp packets and this may cause the service of the target
device to crash. (CVE-2021-41229)
- A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function
read_50_controller_cap_complete of the file tools/mgmt-tester.c of the component BlueZ. The manipulation
of the argument cap_len leads to null pointer dereference. It is recommended to apply a patch to fix this
issue. VDB-211086 is the identifier assigned to this vulnerability. (CVE-2022-3563)
- A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects
the function jlink_init of the file monitor/jlink.c of the component BlueZ. The manipulation leads to
denial of service. It is recommended to apply a patch to fix this issue. The identifier of this
vulnerability is VDB-211936. (CVE-2022-3637)
- BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because
profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)
- BlueZ Audio Profile AVRCP Improper Validation of Array Index Remote Code Execution Vulnerability. This
vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected
installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must
connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The
issue results from the lack of proper validation of user-supplied data, which can result in a write past
the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context
of root. Was ZDI-CAN-19908. (CVE-2023-27349)
- Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and
establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of
HID messages when no user interaction has occurred in the Central role to authorize such access. An
example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556
mitigation would have already addressed this Bluetooth HID Hosts issue. (CVE-2023-45866)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-27153");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-39177");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez-gnome");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez-hcidump");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bluez-utils");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
{
'pkgs': [
{'reference':'bluez', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'bluez'}
]
}
];
var flag = 0;
foreach var constraint_array ( constraints ) {
var repo_relative_urls = NULL;
var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
foreach var pkg ( constraint_array['pkgs'] ) {
var unpatched_pkg = NULL;
var _release = NULL;
var sp = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (unpatched_pkg &&
_release &&
(!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
}
}
if (flag)
{
var extra = NULL;
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : unpatched_packages_report()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bluez');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7837
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9797
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9798
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9799
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9800
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9801
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9802
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9803
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9804
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9917
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9918
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26558
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27153
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9770
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3588
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3658
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41229
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3563
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3637
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39176
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39177
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27349
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45866