#VU47546 Improper access control in Linux kernel - CVE-2020-12352
Vulnerability identifier: #VU47546
Vulnerability risk: Medium
CVSSv4.0: 5.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID:
CWE-ID:
CWE-284
Exploitation vector: Local network
Exploit availability: Yes
Vulnerable software:
Linux kernel
Operating systems & Components /
Operating system
Vendor: Linux Foundation
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in BlueZ implementation in Linux kernel. A remote attacker on the local network can pass specially crafted input to the application and gain access to sensitive information.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Linux kernel: before 5.9.0, 5.9.0
External links
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ec905d1e160a33b2e210e45ad30445ef26ce0e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
