Blueborne – A new attack vector endangering major operating systems (opens in new tab)

(armis.com)

131 pointssyvanen8y ago33 comments

33 comments

Google has issued a patch and notified its partners. It will be available for:
Nougat (7.0) Marshmallow (6.0)
Google has issued a security update patch and notified its partners. It was available to Android partners on August 7th, 2017, and made available as part of the September Security Update and Bulletin. We recommend that users check that Bulletin for the latest most accurate information. Android users should verify that they have the September 9, 2017 Security Patch Level

Take Nexus 5.

Opens Settings, Device information.

Android Version: 6.0.1. Great.

Android Security Level: 2016-10-5. A year old. Great.

Tap System update, force check... no update. Great.

Thank you Google.

mixedCase8y ago

I recommend you switch to Lineage OS. Once the manufacturer drops the device you're SoL.

hkothari8y ago

Am I missing something? The first line says: "Armis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them."

Why is the title singling out Linux? Reading through the rest of it, it seems like this is on pretty much everything.

sverige8y ago

Windows was patched in July. Google has provided a patch for Android. Therefore, Linux is the only one left to make an announcement.

codewiz8y ago

> Windows was patched in July. Google has provided a patch for Android. Therefore, Linux is the only one left to make an announcement.

For some reason, this vuln was not promptly disclosed to the Kernel security team. From the article:

  Google – Contacted on April 19, 2017
  Microsoft – Contacted on April 19, 2017
  Apple – Contacted on August 9, 2017
  Linux – Contacted August 15 and 17, 2017

Oh, and the most amusing one:

    Samsung – Contact on three separate occasions in April, May, and June. No response was received back from any outreach.

darklajid8y ago

My 'flagship' OnePlus 5 is vulnerable today, according to their linked app.

While I totally believe that my device will receive a patch at some point in time, the majority of devices out there will probably never receive the patch Google provided. And even this recent phone is now vulnerable to a vulnerability that was just disclosed to the public at large..

I'd say Android is pretty much in deep (or rather: deeper than usual) shit as well, not just Linux

caf8y ago

Microsoft is issuing security patches to all supported Windows versions at 10 AM, Tuesday, September 12.

sctb8y ago

We've updated the title from “Blueborne – Stack buffer overflow in Linux kernel Bluetooth”.

dom08y ago

Title is inaccurate, Windows, Linux and macOS are all affected.

> Microsoft is issuing security patches to all supported Windows versions at 10 AM, Tuesday, September 12.

> Information on Linux updates will be provided as soon as they are live.

> All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected by the remote code execution vulnerability. This vulnerability was already mitigated by Apple in iOS 10, so no new patch is needed to mitigate it. We recommend you upgrade to the latest iOS or tvOS available.

Aaron10118y ago

Based on the white paper, "Blueborne" is really a collection of distinct vulnerabilities in various implementations of the Bluetooth protocol. This is in contrast to something like the 'Over the air' vulnerability (https://googleprojectzero.blogspot.com/2017/04/over-air-expl...), which was a bug in the firmware shared by Android and iOS.

r1ch8y ago

This looks very scary, especially given how many Android devices are out there that receive few or no security updates.

padde8y ago

Agreed. And just checked - my Samsung Galaxy S8 is vulnerable, no update available. Thanks Samsung!

This one will get nasty...

wohlergehen8y ago

Well, I've been meaning to root mine and flash crDroid... This is certainly the final push.

They state 10% of all Android devices are vulnerable and won't get patches, and since the vulnearbility is arguably wormable I can't see how these devices will stay clean.

1 more reply

carlmr8y ago

At this point in time buying Samsung is just a bad decision. Have you checked out custom ROMs?

voltagex_8y ago

I got the August security update yesterday - how do I check if I'm vulnerable?

1 more reply

AlfeG8y ago

On other hand. My MiBox 3 suddenly received update.

amluto8y ago

Is there an exploit that works on systems with stack canaries? If not, then sensible Linux devices (which may well be a small minority) are not so severely affected.

I'm more worried about higher value targets like cars and things like lightbulbs that never get updated. This could be an amazing wormable bug.

Aaron10118y ago

From the white paper:

> Despite this, the Linux Kernel is lagging behind in implementing some modern mitigations in its default configuration. Both stack canaries - which protect against stack overflows, and KASLR (kernel address space layout randomization) are lacking in most devices running Linux today

It seems that they opted not to try to bypass stack canaries, probably because of the number of Android devices running old versions of Linux.

It seems inaccurate for them to categorize this as a problem with kernel itself, however. The kernel itself isn't "lagging behind" if mobile/embedded devices won't update to never versions containing newer mitigation techniques.

5travac8y ago

True. The real interesting part would have been how they bypassed ASLR, DEP and stack canaries.

dmix8y ago

I'd expect this to be a minimum requirement, especially if you're planning to make a logo and website for a Linux exploit...

Ajedi328y ago

Previous discussion: https://news.ycombinator.com/item?id=15227021

mrguyorama8y ago

For a moment I was excited, as I thought this might finally be an avenue to root my abandoned, older android phones, however, looks like the permissions given to the bluetooth service are not actually full scale root (which is reasonable of course).

I wonder whether it is still worth investigating?

kbenson8y ago

What you probably want is this combined with some privilege escalation technique. If you feel like doing the work, have at it.[1]

1: https://www.cvedetails.com/vendor/1224/Google.html

mrguyorama8y ago

If I already had a working privilege escalation strategy, wouldn't I just be able to run that from a terminal emulator program on the phone? Or using an adb shell? My problem is exactly that there is no privilege escalation vulnerability in my version of the OS (that I know of)

2 more replies

sctb8y ago

Another discussion: https://news.ycombinator.com/item?id=15227021

j / k navigate · click thread line to collapse

33 comments

glandium8y ago

Take Nexus 5.

Opens Settings, Device information.

Android Version: 6.0.1. Great.

Android Security Level: 2016-10-5. A year old. Great.

Tap System update, force check... no update. Great.

Thank you Google.

mixedCase8y ago

I recommend you switch to Lineage OS. Once the manufacturer drops the device you're SoL.

hkothari8y ago

Why is the title singling out Linux? Reading through the rest of it, it seems like this is on pretty much everything.

sverige8y ago

Windows was patched in July. Google has provided a patch for Android. Therefore, Linux is the only one left to make an announcement.

codewiz8y ago

> Windows was patched in July. Google has provided a patch for Android. Therefore, Linux is the only one left to make an announcement.

For some reason, this vuln was not promptly disclosed to the Kernel security team. From the article:

  Google – Contacted on April 19, 2017
  Microsoft – Contacted on April 19, 2017
  Apple – Contacted on August 9, 2017
  Linux – Contacted August 15 and 17, 2017

Oh, and the most amusing one:

    Samsung – Contact on three separate occasions in April, May, and June. No response was received back from any outreach.

darklajid8y ago

My 'flagship' OnePlus 5 is vulnerable today, according to their linked app.

I'd say Android is pretty much in deep (or rather: deeper than usual) shit as well, not just Linux

caf8y ago

Microsoft is issuing security patches to all supported Windows versions at 10 AM, Tuesday, September 12.

sctb8y ago

We've updated the title from “Blueborne – Stack buffer overflow in Linux kernel Bluetooth”.

dom08y ago

Title is inaccurate, Windows, Linux and macOS are all affected.

> Microsoft is issuing security patches to all supported Windows versions at 10 AM, Tuesday, September 12.

> Information on Linux updates will be provided as soon as they are live.

Aaron10118y ago

r1ch8y ago

This looks very scary, especially given how many Android devices are out there that receive few or no security updates.

padde8y ago

Agreed. And just checked - my Samsung Galaxy S8 is vulnerable, no update available. Thanks Samsung!

This one will get nasty...

wohlergehen8y ago

Well, I've been meaning to root mine and flash crDroid... This is certainly the final push.

They state 10% of all Android devices are vulnerable and won't get patches, and since the vulnearbility is arguably wormable I can't see how these devices will stay clean.

1 more reply

carlmr8y ago

At this point in time buying Samsung is just a bad decision. Have you checked out custom ROMs?

voltagex_8y ago

I got the August security update yesterday - how do I check if I'm vulnerable?

1 more reply

AlfeG8y ago

On other hand. My MiBox 3 suddenly received update.

amluto8y ago

Is there an exploit that works on systems with stack canaries? If not, then sensible Linux devices (which may well be a small minority) are not so severely affected.

I'm more worried about higher value targets like cars and things like lightbulbs that never get updated. This could be an amazing wormable bug.

Aaron10118y ago

From the white paper:

It seems that they opted not to try to bypass stack canaries, probably because of the number of Android devices running old versions of Linux.

5travac8y ago

True. The real interesting part would have been how they bypassed ASLR, DEP and stack canaries.

dmix8y ago

I'd expect this to be a minimum requirement, especially if you're planning to make a logo and website for a Linux exploit...

Ajedi328y ago

Previous discussion: https://news.ycombinator.com/item?id=15227021

mrguyorama8y ago

I wonder whether it is still worth investigating?

kbenson8y ago

What you probably want is this combined with some privilege escalation technique. If you feel like doing the work, have at it.[1]

1: https://www.cvedetails.com/vendor/1224/Google.html

mrguyorama8y ago

2 more replies

sctb8y ago

Another discussion: https://news.ycombinator.com/item?id=15227021

j / k navigate · click thread line to collapse