Out-of-bounds read in bluez (Alpine package)

1) Out-of-bounds read

EUVDB-ID: #VU8442

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2017-1000250

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: Yes

Description

The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.

The weakness exists in the bluetoothd implementation of the Service Discovery Protocol (SDP) due to out-of-bounds heap read condition in the service_search_attr_req function. An adjacent attacker send specially crafted requests that has Bluetooth enabled in the SDP server and access sensitive information, such as encryption keys, from bluetoothd process memory.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Install update from vendor's website.

Vulnerable software versions

bluez (Alpine package): 5.36-r0

CPE2.3

• cpe:2.3:o:alpine:bluez_alpine_package:5.36-r0:*:*:*:*:alpine_linux:*:3.2

External links

https://git.alpinelinux.org/aports/commit/?id=46837b153a5720658e8443c4ff65699fa726c120
https://git.alpinelinux.org/aports/commit/?id=80a0c6bb547a34e7791d71f016b5fc120b8f8c2d
https://git.alpinelinux.org/aports/commit/?id=877730e30e4f236f345939cdf9e4a16665631a12
https://git.alpinelinux.org/aports/commit/?id=c8c49b3552b060f6eeb26a5c29891cfe711c454b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.