Bluetooth Critical Vulnerabilities

Number: AL17-011
Date: 13 September 2017

Purpose

The purpose of this alert is to bring attention to, and to provide guidance and mitigation advice for, multiple critical vulnerabilities affecting a broad range of Bluetooth enabled devices. Security researchers have named this group of Bluetooth vulnerabilities "BlueBorne".

Assessment

CCIRC has become aware of multiple critical vulnerabilities in the Bluetooth stack implementations of multiple versions of Android, Apple iOS, Microsoft Windows and Linux based products, among others. The vulnerabilities could allow a malicious threat actor to execute code, intercept wireless communications, abuse device functionality and/or perform man-in-the-middle attacks. While no active exploitation has been reported, a working proof of concept is available.

Open source reporting describing the vulnerabilities indicates that exploitation does not require the targeted device to be in discoverable mode or paired with the threat actor's device, and that neither end user authorization nor authentication is required for the connection to be made. The attacker still needs the target's Bluetooth device address, but that address can be observed from nearby Bluetooth traffic even when the device is not discoverable; in practice, the preconditions are that Bluetooth is enabled on the target and the attacker is within radio range.

CCIRC recommends that information security teams monitor for vendor supplied updates and apply the relevant security patches as they become available. Below is a list of the potentially affected products and their relevant versions:

Android
Android phones, tablets and wearables of all versions are affected by the following four vulnerabilities:

Android devices that use Bluetooth Low Energy only are not affected.

The vulnerabilities affecting Marshmallow (6.0) and Nougat (7.0) Android devices were addressed in Google's Android Security Bulletin released September 12, 2017. Since Android fixes reach most devices through the device manufacturer, a device remains exposed until its manufacturer ships that patch level.

Apple
The following vulnerability affects iPhone, iPad and iPod touch devices running iOS 7 through 9, and Apple TV devices running version 7.2.2 and lower:

The vulnerability affecting Apple devices was resolved in iOS 10, released in September 2016; devices that cannot be upgraded beyond iOS 9 remain exposed.

Microsoft
Windows 10, 8.1 and 7, and Windows Server 2016 and 2008, are affected by the following vulnerability:

The vulnerability affecting Microsoft devices was resolved by a security update released by Microsoft on September 12, 2017 (see the Microsoft advisory for CVE-2017-8628 in the references).

Linux
Linux systems running BlueZ 5.46 and earlier are affected by:

The vulnerability affecting Red Hat Enterprise Linux 7 and 6 systems was resolved by a security update released by Red Hat on September 12, 2017.

Linux kernel versions from 3.3-rc1 up to and including 4.13.1 are affected by the following:

Red Hat Enterprise Linux 5 is not affected.

The vulnerability affecting Red Hat Enterprise Linux 7, 6 and MRG 2 systems was resolved by a security update released by Red Hat on September 12, 2017. Note that Red Hat and other distributions backport fixes without changing the upstream kernel version number, so the version ranges above cannot by themselves confirm that a patched distribution kernel is still exposed; consult the vendor advisory.

Suggested action

CCIRC recommends that those using Bluetooth enabled products consult the vendor for specific risk mitigation advice and available patches. In non-critical applications, CCIRC recommends considering disabling Bluetooth wireless communications. In mission critical or life sustaining applications, the potential consequences of disabling Bluetooth need to be assessed along with the risk arising from the environment in which the Bluetooth enabled device is used. In addition, the Bluetooth protocol has a peer-to-peer wireless transmission range of 10-100 meters for many common mobile devices; this should be taken into account when applying mitigation measures, since an attacker needs only to be within that range, with no network access to the device, to attempt exploitation.
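The following script is an added example and is not part of the CCIRC alert or of any vendor's tooling. It applies the Linux version ranges given above (BlueZ 5.46 and earlier; kernel 3.3-rc1 through 4.13.1) to a host and, when run with --disable as root, carries out the "disable Bluetooth" mitigation from the suggested action. The file name, the modprobe configuration file name and the mapping of the two Red Hat CVEs in the references to the BlueZ and kernel issues are the example's own assumptions; the version check is a heuristic only, because distribution kernels carry backported fixes under unchanged version numbers.

```shell
#!/bin/sh
# Added example, not from the CCIRC alert. Checks the Linux version ranges
# listed in AL17-011 and optionally applies the "disable Bluetooth" mitigation.
# Usage: sh blueborne_check.sh            (read-only report)
#        sh blueborne_check.sh --disable  (as root: block and blacklist Bluetooth)

# Reduce a version string to dotted digits: "4.13.1-rc1" -> "4.13.1",
# "3.10.0-693.el7.x86_64" -> "3.10.0". Release candidates are treated as the
# release they precede, matching the alert's "3.3-rc1 and up" wording.
normalize_version() {
    printf '%s\n' "$1" | sed 's/[-+].*$//; s/[^0-9.]//g'
}

# version_le A B: succeeds when A <= B, comparing up to three numeric components.
version_le() {
    va=$(normalize_version "$1"); vb=$(normalize_version "$2")
    old_ifs=$IFS; IFS=.
    set -- $va; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $vb; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        [ "$1" -lt "$2" ] && return 0
        [ "$1" -gt "$2" ] && return 1
    done
    return 0
}

# BlueZ 5.46 and earlier (assumed here to correspond to CVE-2017-1000250).
bluez_affected() { version_le "$1" 5.46; }

# Kernel 3.3-rc1 up to and including 4.13.1 (assumed here to be CVE-2017-1000251).
# Heuristic: a backported distribution kernel such as 3.10.0-693.el7 still
# matches this range after it has been patched.
kernel_affected() { version_le 3.3 "$1" && version_le "$1" 4.13.1; }

# Read-only report for the running host.
report_host() {
    if command -v bluetoothd >/dev/null 2>&1; then
        bz=$(bluetoothd --version 2>/dev/null || true)
        if [ -n "$bz" ] && bluez_affected "$bz"; then
            echo "BlueZ $bz: in affected range (<= 5.46), confirm with vendor advisory"
        else
            echo "BlueZ ${bz:-unknown}: not in affected range"
        fi
    else
        echo "BlueZ: bluetoothd not installed"
    fi
    k=$(uname -r)
    if kernel_affected "$k"; then
        echo "kernel $k: in affected range (3.3 .. 4.13.1), confirm with vendor advisory"
    else
        echo "kernel $k: not in affected range"
    fi
}

# Mitigation from the suggested action: stop the userspace stack, block the
# radio, and keep the kernel Bluetooth modules from loading. Must run as root.
disable_bluetooth() {
    if command -v rfkill >/dev/null 2>&1; then rfkill block bluetooth; fi
    if command -v systemctl >/dev/null 2>&1; then systemctl disable --now bluetooth.service; fi
    # File name is this example's choice; "install X /bin/false" makes modprobe
    # refuse to load the module, so the L2CAP code is never reachable.
    printf 'install bluetooth /bin/false\ninstall btusb /bin/false\n' \
        > /etc/modprobe.d/blueborne-disable.conf
    modprobe -r btusb bluetooth 2>/dev/null || true
}

case "${1:-}" in
    --disable) disable_bluetooth ;;
    *) report_host ;;
esac
```

The report is deliberately read-only so it can be pushed to a fleet without side effects; the blacklist step is what actually removes the kernel-side attack surface on a host that must keep running, whereas rfkill alone can be undone by a user or a desktop applet.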

References

https://www.kb.cert.org/vuls/id/240311
https://source.android.com/security/bulletin/2017-09-01
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14315
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628
https://access.redhat.com/security/vulnerabilities/blueborne
https://access.redhat.com/security/cve/CVE-2017-1000250
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250
https://access.redhat.com/security/cve/CVE-2017-1000251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
