CVE-2017-1000251: CrOS: Security: Blueborne vulnerabilities in bluetooth stacks
Issue description: Armis Labs found a few security vulnerabilities in bluetooth stacks as described in https://drive.google.com/file/d/0B7tynhulKyCYamp0Q3FoamJ1TFk/view
Need to determine which ChromeOS devices are affected.
Sep 12 2017
The paper references kernel bugs, specifically CVE-2017-1000251. I have a hard time finding information on that. groeck@, are you aware of any patches for this? Android probably has patched this already... snanda, dmitrygr: Who's owning bluetooth in Chrome OS these days? Can you help route to somebody to work through the writeup (see comment #1) and see whether any of the vulnerabilities listed there are present in Chrome OS userspace?
Sep 12 2017
Setting severity-high and impact-stable for now - might downgrade this if it turns out there are significant hurdles/restrictions to get remote code execution via this.
Sep 12 2017
Dropping OS=Linux since we're not on the hook to maintain the BT stack for Chrome/Linux.
Sep 12 2017
Upstream commit e860d2c904d1 ("Bluetooth: Properly check L2CAP config option output buffer length")
Sep 12 2017
Adding release folks FYI. This is a pretty urgent security bug which we should push a fix for rather sooner than later.
Sep 12 2017
This has missed the Dev we are doing today, but if we can land this into 61 today we can make the Dev on Thursday. If we are super confident in this, we are doing a 60 stable tomorrow for other reasons, but I am thinking that might be too aggressive. On the other hand, if we miss the 60 tomorrow, it might not get to stable until October 5th for 61.
Sep 12 2017
Correction, the '61 beta' on Thursday.
Sep 12 2017
Needs to get approval first. Feel free to update tags if this should go into M-60, otherwise I'll target M-61.
Sep 12 2017
This bug requires manual review: Request affecting a post-stable build. Please contact the milestone owner if you have questions. Owners: amineer@ (Android), cmasso@ (iOS), ketakid@ (ChromeOS), govind@ (Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 12 2017
Consider it approved for 61 and 62. We can hold on 60 for now.
Sep 12 2017
Note: The blueborne paper lists a couple more vulnerabilities. I've broken out bugs for the ones potentially relevant to Chrome OS. Specifically:
Linux Bluetooth stack (BlueZ) information leak vulnerability - CVE-2017-1000250 -> issue 764477
SSP -> ejcaruso@ investigating, see issue 764485
BNEP / PAN (CVE-2017-0783 & CVE-2017-8628) -> network profiles are disabled in Chrome OS bluez build config per https://chromium-review.googlesource.com/c/chromiumos/third_party/bluez/+/424916 and https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/424873
Sep 12 2017
The only POC code we have had for this so far is tailored for Android (Nexus 5 in particular), but details can be found here: https://b.corp.google.com/issues/37500386#comment31
Sep 12 2017
In case necessary, here are all associated Android bugs:
CVE-2017-0781 (b/63146105) Critical, remote code execution: Android-specific vulnerability that could enable an attacker to obtain remote code execution as a privileged process over Bluetooth with no user interaction.
CVE-2017-0782 (b/63146237) Critical, remote code execution: Android-specific vulnerability that could enable an attacker to obtain remote code execution as a privileged process over Bluetooth with no user interaction.
CVE-2017-0783 (b/63145701) High, information disclosure: Bluetooth spec deficiency (with PAN) that could enable a remote attacker to man-in-the-middle.
CVE-2017-0785 (b/63146698) Moderate, information disclosure: Information leak with the SDP server - Armis does not even mention this in their disclosure.
Sep 12 2017
SSP looks to be a non-issue for us.
Sep 12 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/517fccbf5a6873c8bdb95c9ca8239b5a038e96a3

commit 517fccbf5a6873c8bdb95c9ca8239b5a038e96a3
Author: Ben Seri <ben@armis.com>
Date: Tue Sep 12 23:17:09 2017

UPSTREAM: Bluetooth: Properly check L2CAP config option output buffer length

Validate the output buffer length for L2CAP config requests and responses to avoid overflowing the stack buffer used for building the option blocks.

BUG=chromium:764425
TEST=Build and run

Change-Id: I62362e78a73e7f14c10b6cbbefc6b44ce6bdbcc8
Cc: stable@vger.kernel.org
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit e860d2c904d1)
Reviewed-on: https://chromium-review.googlesource.com/663523

[modify] https://crrev.com/517fccbf5a6873c8bdb95c9ca8239b5a038e96a3/net/bluetooth/l2cap_core.c

The same change (identical commit message and Change-Id, cherry picked from upstream e860d2c904d1) was also reported against this bug as the following commits, each modifying net/bluetooth/l2cap_core.c:

Sep 12 2017: commit 43f8ce46aebec0ab641d2e5f43db4bd5c0abee40 (Date: Tue Sep 12 23:17:10 2017) Reviewed-on: https://chromium-review.googlesource.com/663522 [modify] https://crrev.com/43f8ce46aebec0ab641d2e5f43db4bd5c0abee40/net/bluetooth/l2cap_core.c
Sep 12 2017: commit e2b42958590d1d86388a7a09716d133947ef3228 (Date: Tue Sep 12 23:17:08 2017) Reviewed-on: https://chromium-review.googlesource.com/663611 Reviewed-by: Mattias Nissler <mnissler@chromium.org> [modify] https://crrev.com/e2b42958590d1d86388a7a09716d133947ef3228/net/bluetooth/l2cap_core.c
Sep 12 2017: commit d7a82d1e7965abb479895b7de880a034a9eccde3 (Date: Tue Sep 12 23:17:06 2017) Reviewed-on: https://chromium-review.googlesource.com/663520 [modify] https://crrev.com/d7a82d1e7965abb479895b7de880a034a9eccde3/net/bluetooth/l2cap_core.c
Sep 13 2017: commit 4713077c684160bdbf776cf5783cd12e97d46f30 (Date: Wed Sep 13 02:19:24 2017) Reviewed-on: https://chromium-review.googlesource.com/664047 [modify] https://crrev.com/4713077c684160bdbf776cf5783cd12e97d46f30/net/bluetooth/l2cap_core.c
Sep 13 2017: commit 69b864ea8eb14235d2a8523958ee7684520bbc2d (Date: Wed Sep 13 02:19:29 2017) Reviewed-on: https://chromium-review.googlesource.com/664045 [modify] https://crrev.com/69b864ea8eb14235d2a8523958ee7684520bbc2d/net/bluetooth/l2cap_core.c
Sep 13 2017: commit ad2186d7f1abbae1e7aaa4b50ee3206eee6bc6b1 (Date: Wed Sep 13 02:19:33 2017) Reviewed-on: https://chromium-review.googlesource.com/664049 [modify] https://crrev.com/ad2186d7f1abbae1e7aaa4b50ee3206eee6bc6b1/net/bluetooth/l2cap_core.c
Sep 13 2017: commit f5d6ebffc54e22a1323265edd1463ff48c396ac3 (Date: Wed Sep 13 02:19:37 2017) Reviewed-on: https://chromium-review.googlesource.com/663829 [modify] https://crrev.com/f5d6ebffc54e22a1323265edd1463ff48c396ac3/net/bluetooth/l2cap_core.c
Sep 13 2017: commit 11455e6dc31cc4ad4cd2495f9f859ed5fb5ae98c (Date: Wed Sep 13 02:19:41 2017) Reviewed-on: https://chromium-review.googlesource.com/664046 [modify] https://crrev.com/11455e6dc31cc4ad4cd2495f9f859ed5fb5ae98c/net/bluetooth/l2cap_core.c
Sep 13 2017: commit f78b16efdc37a96a8ad559f86c0eebea0ec2d046 (Date: Wed Sep 13 02:19:45 2017) Reviewed-on: https://chromium-review.googlesource.com/664048 [modify] https://crrev.com/f78b16efdc37a96a8ad559f86c0eebea0ec2d046/net/bluetooth/l2cap_core.c
Sep 13 2017: commit 5e9513605e979b3ad09d01184292820b434d9205 (Date: Wed Sep 13 02:19:49 2017) Reviewed-on: https://chromium-review.googlesource.com/663830 [modify] https://crrev.com/5e9513605e979b3ad09d01184292820b434d9205/net/bluetooth/l2cap_core.c
Sep 13 2017: commit 5adaf887034b87f6cf973427da7dfc870db3ab0a (Date: Wed Sep 13 02:21:58 2017) Reviewed-on: https://chromium-review.googlesource.com/663831 [modify] https://crrev.com/5adaf887034b87f6cf973427da7dfc870db3ab0a/net/bluetooth/l2cap_core.c
Sep 13 2017: commit 3e94b6fa16c6a962b1dbe4aef8a74ee25b745bf7 (Date: Wed Sep 13 02:22:02 2017) Reviewed-on: https://chromium-review.googlesource.com/664050 [modify] https://crrev.com/3e94b6fa16c6a962b1dbe4aef8a74ee25b745bf7/net/bluetooth/l2cap_core.c
Sep 13 2017: commit db4b5667401fc444ae46388fef9c21d6e5abc75a (Date: Wed Sep 13 02:22:05 2017) Reviewed-on: https://chromium-review.googlesource.com/664051 [modify] https://crrev.com/db4b5667401fc444ae46388fef9c21d6e5abc75a/net/bluetooth/l2cap_core.c
Sep 13 2017: commit 566a7b6d3b99b154c5a48b3fcd4a5100a6c0a4c1 (Date: Wed Sep 13 04:37:10 2017) Reviewed-on: https://chromium-review.googlesource.com/663521 [modify] https://crrev.com/566a7b6d3b99b154c5a48b3fcd4a5100a6c0a4c1/net/bluetooth/l2cap_core.c
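The commit message above describes the fix as validating the output buffer length before the option blocks of an L2CAP config request or response are built. The C below is an added illustration of that pattern and is not the kernel's code nor anything from this issue: a bounded writer that refuses to append an option when it would not fit in a fixed 64-byte stack buffer. The option type values come from the L2CAP spec; the 64-byte size, the MTU and RFC sample values, the struct and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* L2CAP config option on the wire: 1-byte type, 1-byte length, value.
 * Type values are from the Bluetooth Core spec; everything else here is
 * constructed for this example and mirrors the shape of the fix (check the
 * remaining capacity before every write), not the kernel's code. */
#define L2CAP_CONF_OPT_HDR 2
#define L2CAP_CONF_MTU     0x01   /* 2-byte value */
#define L2CAP_CONF_RFC     0x04   /* 9-byte value */
#define RSP_BUF_SIZE       64     /* constructed fixed-size stack buffer */

struct conf_out {
    uint8_t *buf;
    size_t   cap;   /* bytes available in buf */
    size_t   len;   /* bytes written so far; invariant: len <= cap */
};

/* Append one option. Returns 0 on success, -1 (writing nothing) when
 * header + value would not fit in the remaining space. */
static int conf_add_opt(struct conf_out *out, uint8_t type, uint8_t vlen,
                        const void *val)
{
    size_t need = L2CAP_CONF_OPT_HDR + (size_t)vlen;
    if (out->cap - out->len < need)   /* no underflow: len <= cap */
        return -1;
    out->buf[out->len++] = type;
    out->buf[out->len++] = vlen;
    memcpy(out->buf + out->len, val, vlen);
    out->len += vlen;
    return 0;
}

struct build_result { int accepted; size_t len; };

/* Build a response with one MTU option plus `nopts` RFC options, as if a
 * peer's request (constructed input) carried that many options to echo back.
 * Reports how many were accepted and how many bytes were written; options
 * that do not fit are refused instead of being written past the buffer. */
struct build_result build_response(int nopts)
{
    uint8_t stack_buf[RSP_BUF_SIZE];   /* fixed-size buffer, as in the report */
    struct conf_out out = { stack_buf, sizeof(stack_buf), 0 };
    uint16_t mtu = 672;       /* constructed MTU value */
    uint8_t rfc[9] = { 0 };   /* constructed RFC option value */
    struct build_result r = { 0, 0 };
    if (conf_add_opt(&out, L2CAP_CONF_MTU, sizeof(mtu), &mtu) == 0)
        r.accepted++;
    for (int i = 0; i < nopts; i++)
        if (conf_add_opt(&out, L2CAP_CONF_RFC, sizeof(rfc), rfc) == 0)
            r.accepted++;
    r.len = out.len;           /* always <= RSP_BUF_SIZE */
    return r;
}
```

With ten echoed RFC options only five fit after the 4-byte MTU option (4 + 5 * 11 = 59 bytes), so the sixth is refused; without the capacity check the same input would run 11 bytes past the end of the buffer.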
Sep 19 2017
Putting this on Josafat's radar for an M60 respin.
Sep 28 2017
Issue 769669 has been merged into this issue.
Dec 20 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nettesh...@google.com, Sep 12 2017