The gatt protocol has out-of-bounds read that leads to information leakage

Bug #1926548 reported by ziming zhang
Affects                 Status        Importance  Assigned to
Bluez Utilities         Fix Released  Unknown
bluez (Ubuntu)          Fix Released  Undecided   Unassigned
  Focal                 Fix Released  Undecided   Unassigned
  Groovy                Fix Released  Undecided   Unassigned
  Hirsute               Fix Released  Undecided   Unassigned
  Impish                Fix Released  Undecided   Unassigned

Bug Description

I installed the latest bluez 5.53-0ubuntu3 version using apt-get install. It seems that this vulnerability was silently fixed in the latest bluez 5.8, and no CVE number was assigned.
But this vulnerability now affects the latest Ubuntu system.
This vulnerability allows an attacker to remotely obtain most of the contents of the heap without authentication.
The vulnerable code is in cli_feat_read_cb; this function does not verify the offset parameter.
The vulnerable code is as follows:

gatt-database.c

1054:static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
                                  unsigned int id, uint16_t offset,
                                  uint8_t opcode, struct bt_att *att,
                                  void *user_data)
{
...
	len = sizeof(state->cli_feat) - offset;
	value = len ? &state->cli_feat[offset] : NULL;

done:
	gatt_db_attribute_read_result(attrib, id, ecode, value, len);
}

len will become very large due to integer overflow, so a message of MTU (0x90) size will be sent later.
The message content is the buffer pointed to by value, which can be most addresses on the heap.

The PoC is very simple; the core is this line of code:

    memcpy(&buf[0],"\x0c\x0b\x00\x0d\x00",5);

0x0c stands for read.
\x0b\x00 represents the handle of the client feature, which can be obtained through the find info message and seems to be 0x0b by default.
\x0d\x00 is the offset 0x0d.

This vulnerability is serious.
I want to apply for a CVE number, although this has been silently fixed in the latest version.
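Added example (not code from this report or from bluez): the unchecked length computation described above, next to a bounds-checked form of the same logic in the spirit of the later fix. cli_feat is modelled as a one-byte array, and the struct and function names are assumptions made for the example.

```c
/* Added example, not bluez code: cli_feat is modelled as a 1-byte array
 * (assumed size); struct and function names are invented for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BT_ATT_ERROR_INVALID_OFFSET 0x07  /* ATT "Invalid Offset" error code */

struct device_state {
    uint8_t cli_feat[1];      /* assumed size for the example */
};

struct read_result {
    uint8_t ecode;            /* 0 on success, ATT error code otherwise */
    const uint8_t *value;     /* buffer that would be handed to the ATT response */
    size_t len;               /* bytes the responder would send (capped by MTU later) */
};

/* Mirrors the unchecked logic: a uint16_t offset is subtracted from a size_t,
 * so any offset > sizeof(cli_feat) wraps len to a huge value and value points
 * past the end of the array (the pointer is formed here but never dereferenced). */
struct read_result cli_feat_read_vuln(const struct device_state *state, uint16_t offset)
{
    struct read_result r = { 0, NULL, 0 };
    r.len = sizeof(state->cli_feat) - offset;
    r.value = r.len ? &state->cli_feat[offset] : NULL;
    return r;
}

/* Hardened form: reject offsets beyond the buffer before computing len or value.
 * offset == sizeof(cli_feat) is still a valid zero-length read. */
struct read_result cli_feat_read_fixed(const struct device_state *state, uint16_t offset)
{
    struct read_result r = { 0, NULL, 0 };
    if (offset > sizeof(state->cli_feat)) {
        r.ecode = BT_ATT_ERROR_INVALID_OFFSET;
        return r;
    }
    r.len = sizeof(state->cli_feat) - offset;
    r.value = r.len ? &state->cli_feat[offset] : NULL;
    return r;
}

int main(void)
{
    struct device_state st = { { 0x01 } };
    struct read_result v = cli_feat_read_vuln(&st, 0x0d);   /* offset from the PoC */
    struct read_result f = cli_feat_read_fixed(&st, 0x0d);
    printf("unchecked: len=%zu (wrapped)\n", v.len);
    printf("checked:   ecode=0x%02x len=%zu\n", f.ecode, f.len);
    return 0;
}
```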

Revision history for this message
ziming zhang (ezrak1e) wrote :
  • poc (75.7 KiB, application/zip)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello, please use CVE-2021-3588 for this issue. Thanks.

Revision history for this message
ziming zhang (ezrak1e) wrote :

Yes, this is the same problem; the following patch fixes this problem well.

information type: Private Security → Public Security
tags: added: fixed-in-5.56 fixed-upstream
Changed in bluez (Ubuntu Hirsute):
status: New → Fix Released
Changed in bluez (Ubuntu Impish):
status: New → Fix Released
tags: added: rls-ff-incoming
Changed in bluez:
status: Unknown → Fix Released
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Daniel, are you sure about that fixed-in-5.56 bug tag? I can't spot the referenced commit in the tarballs 5.55, 5.56, 5.57, 5.58 from: http://www.bluez.org/

nor in the github sources:
https://github.com/bluez/bluez/blob/master/src/gatt-database.c#L1054

nor the kernel.org sources:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/src/gatt-database.c#n1054

Thanks

Revision history for this message
Daniel van Vugt (vanvugt) wrote :

(checks again) Yes, fixed in 5.56 looks right.

commit 3a40bef49305f8327635b81ac8be52a3ca063d5a
Author: Luiz Augusto von Dentz <email address hidden>
AuthorDate: Mon Jan 4 10:38:31 2021 -0800
Commit: Luiz Augusto von Dentz <email address hidden>
CommitDate: Tue Jan 5 10:41:27 2021 -0800

landed on master before the next tag, which was:

commit 482929f12b645f652d378fbe8d0a5b7c05d65c4f (tag: 5.56)
Author: Marcel Holtmann <email address hidden>
AuthorDate: Mon Feb 22 21:12:40 2021 +0100
Commit: Marcel Holtmann <email address hidden>
CommitDate: Mon Feb 22 21:12:40 2021 +0100

However, it doesn't look like it's present on master anymore because it was rewritten 6 hours later:

commit 6a50b6aeda78a88eafb177718109c256eec077a6
Author: Luiz Augusto von Dentz <email address hidden>
AuthorDate: Tue Jan 5 16:45:37 2021 -0800
Commit: Luiz Augusto von Dentz <email address hidden>
CommitDate: Tue Jan 5 16:55:32 2021 -0800

I assume the rewrite is free of the original bug, and so still fixed in 5.56.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Wonderful, thanks Daniel!

Revision history for this message
Daniel van Vugt (vanvugt) wrote :

bluez (5.55-0ubuntu1.2) groovy-security; urgency=medium

  * SECURITY UPDATE: secure pairing passkey brute force
    - debian/patches/CVE-2020-26558.patch: fix not properly checking for
      secure flags in src/shared/att-types.h, src/shared/gatt-server.c.
    - CVE-2020-26558
  * SECURITY UPDATE: info disclosure via out of bounds read
    - debian/patches/CVE-2021-3588.patch: when client features is read
      check if the offset is within the cli_feat bounds in
      src/gatt-database.c.
    - CVE-2021-3588

 -- Marc Deslauriers <email address hidden> Wed, 09 Jun 2021 11:01:25 -0400

Changed in bluez (Ubuntu Groovy):
status: New → Fix Released
Revision history for this message
Daniel van Vugt (vanvugt) wrote :

bluez (5.53-0ubuntu3.2) focal-security; urgency=medium

  * SECURITY UPDATE: secure pairing passkey brute force
    - debian/patches/CVE-2020-26558.patch: fix not properly checking for
      secure flags in src/shared/att-types.h, src/shared/gatt-server.c.
    - CVE-2020-26558
  * SECURITY UPDATE: DoS or code execution via double-free
    - debian/patches/CVE-2020-27153.patch: fix possible crash on disconnect
      in src/shared/att.c.
    - CVE-2020-27153
  * SECURITY UPDATE: info disclosure via out of bounds read
    - debian/patches/CVE-2021-3588.patch: when client features is read
      check if the offset is within the cli_feat bounds in
      src/gatt-database.c.
    - CVE-2021-3588

 -- Marc Deslauriers <email address hidden> Wed, 09 Jun 2021 11:06:38 -0400

Changed in bluez (Ubuntu Focal):
status: New → Fix Released