
Intel Mistakenly Publishes Bluetooth Zero-Day Vulnerability Details Two Months Before Linux Kernel Patches Are to Arrive

Silviu STAHIE

October 16, 2020


A Google security researcher warns of zero-day vulnerabilities in the Linux Bluetooth stack that allow attackers to escalate privileges to root. A fix should be available in Linux kernel 5.10, which is still a couple of months away, so any device, mobile or PC, that uses the BlueZ stack will remain vulnerable for a while.

The vulnerabilities in the BlueZ subsystem received a name, BleedingTooth, which usually happens only with severe security issues. In this case, Intel says that input validation in BlueZ may allow an unauthenticated user to enable escalation of privilege via adjacent access.

More to the point, security researcher Andy Nguyen, who found the issues, explained on Twitter: “BleedingTooth is a set of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated, remote attacker in short distance to execute arbitrary code with kernel privileges on vulnerable devices.”

The researcher also posted a short video showing the vulnerabilities are present and work without a hitch. But this is where the real problem comes in. In the initial iteration of the advisory, Intel said the Linux kernel patches would be available with the 5.9 release, which took place a couple of days ago.

Unfortunately, Intel made a mistake when coordinating the vulnerability disclosure. For unknown reasons, the company said the patches would be available in Linux kernel 5.9, but that was apparently wrong, and the fixes are now scheduled to land in Linux kernel 5.10, which is due at the end of December.

In other words, Intel just published details on a zero-day vulnerability that will only receive fixes in two months, leaving Linux users worldwide exposed to potential attacks. One of the maintainers of the Linux kernel had this to say about the entire situation on Twitter:

“They are now claiming you need a 5.10 kernel or newer to solve this. 5.10 will be released at the end of December, 2020. Intel knows better, and knows how to do this properly, this feels malicious at this point…”
