bluetooth always in discoverable mode (security issue)

Bug #1791405 reported by Jean-Christophe Baptiste
This bug affects 1 person
Affects / Status / Importance / Assigned to / Milestone
bluez (Ubuntu): Importance Medium; Unassigned
gnome-bluetooth (Fedora): Status Won't Fix; Importance Undecided
gnome-bluetooth (Ubuntu): Importance Medium; Unassigned
    Bionic: Importance Medium; Unassigned
    Cosmic: Importance Medium; Unassigned
    Disco: Importance Medium; Unassigned
    Focal: Importance Medium; Unassigned

Bug Description

Excerpt from a similar report (https://bugzilla.redhat.com/show_bug.cgi?id=1602985):

Opening the Bluetooth settings will make the device discoverable again, but does not make the device undiscoverable after the settings are closed (this is not intended behavior; devices should only be discoverable when the bluetooth settings UI is open).

There seems to be a merge request:

https://gitlab.gnome.org/GNOME/gnome-bluetooth/merge_requests/1

Could you please merge it ASAP? It should be treated as a security issue, IMHO.

In , Benjamin (benjamin-redhat-bugs) wrote :

Description of problem:

Bluetooth is always discoverable; when pairing a new device on my phone, I noticed my laptop, but I did not have the GNOME Bluetooth settings open at the time.

Version-Release number of selected component (if applicable):

3.28.0-1.fc28

How reproducible:

Always

Steps to Reproduce:
1. Boot up, log in
2. Scan for bluetooth devices with a separate computer

Actual results:

Machine name is displayed on phone

Expected results:

Machine name should not be displayed (should not be discoverable)

Additional info:

I can turn off discoverability from a term using bluetoothctl.

It seems that opening the Bluetooth settings will make the device discoverable again, but does not make the device undiscoverable after the settings are closed (this is not intended behavior; devices should only be discoverable when the bluetooth settings UI is open).

In , Bastien (bastien-redhat-bugs) wrote :

(In reply to Benjamin Kreuter from comment #0)
> It seems that opening the Bluetooth settings will make the device
> discoverable again, but does not make the device undiscoverable after the
> settings are closed (this is not intended behavior; devices should only be
> discoverable when the bluetooth settings UI is open).

It does turn it off. Except that bluetoothd and/or the kernel will fail to make it undiscoverable.

Sender ":1.13387" is the Bluetooth settings. See how it requests for "Discoverable" to be switched off, receives a response to the call saying that Discoverable is now off, but receives a signal that Discoverable changed back to "on" after a short time.

This is a dbus-monitor capture on exit:
method call time=1531995892.499232 sender=:1.13387 -> destination=:1.4 serial=94 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=Set
   string "org.bluez.Adapter1"
   string "Discoverable"
   variant boolean false
method call time=1531995892.499459 sender=:1.13387 -> destination=:1.4 serial=95 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=Set
   string "org.bluez.Adapter1"
   string "DiscoverableTimeout"
   variant uint32 0
method call time=1531995892.499485 sender=:1.13387 -> destination=org.freedesktop.DBus serial=96 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=RemoveMatch
   string "type='signal',sender=':1.4'"
method call time=1531995892.499556 sender=:1.13387 -> destination=org.freedesktop.DBus serial=97 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=RemoveMatch
   string "type='signal',sender='org.freedesktop.DBus',interface='org.freedesktop.DBus',member='NameOwnerChanged',path='/org/freedesktop/DBus',arg0='org.bluez'"
method return time=1531995892.499563 sender=org.freedesktop.DBus -> destination=:1.13387 serial=69 reply_serial=97
method call time=1531995892.499610 sender=:1.13387 -> destination=org.freedesktop.DBus serial=98 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=RemoveMatch
   string "type='signal',sender='org.bluez',interface='org.freedesktop.DBus.ObjectManager',path='/'"
method return time=1531995892.499616 sender=org.freedesktop.DBus -> destination=:1.13387 serial=70 reply_serial=98
method return time=1531995892.499665 sender=:1.4 -> destination=:1.13387 serial=379 reply_serial=95
signal time=1531995892.523461 sender=:1.4 -> destination=(null destination) serial=380 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=PropertiesChanged
   string "org.bluez.Adapter1"
   array [
      dict entry(
         string "DiscoverableTimeout"
         variant uint32 0
      )
   ]
   array [
   ]
method return time=1531995892.523489 sender=:1.4 -> destination=:1.13387 serial=381 reply_serial=94
signal time=1531995892.533281 sender=:1.4 -> destination=(null destination) serial=382 path=/org/bluez/hci0; interface=org.freedesktop.DBus.Properties; member=PropertiesChanged
   string "org.bluez.Adapter1"
   array [
      dict entry(
         string "Discoverable"
         variant boolean false
      )
   ]
   array [
   ]
signal time=1531995892.551915 sender=:1....

In , Bastien (bastien-redhat-bugs) wrote :

Making this call, without waiting for the reply, always fails:
dbus-send --system --dest=org.bluez /org/bluez/hci0 org.freedesktop.DBus.Properties.Set string:org.bluez.Adapter1 string:Discoverable variant:boolean:false ; dbus-send --system --dest=org.bluez /org/bluez/hci0 org.freedesktop.DBus.Properties.Set string:org.bluez.Adapter1 string:DiscoverableTimeout variant:uint32:0

The same call with the --print-reply argument to dbus-send will however work. I think bluez might be ignoring the calls if the caller is going to disappear.

I monitored the state of "Discoverable" and "DiscoverableTimeout" using bluetoothctl, after setting Discoverable to on.

In , Bastien (bastien-redhat-bugs) wrote :

The D-Bus end-points for those 2 properties are:
property_set_discoverable and property_set_discoverable_timeout
in src/adapter.c

bluetoothd, to change those properties, calls out asynchronously to the kernel:
property_set_mode -> async stuff -> property_set_mode_complete -> new_settings_callback() sets adapter->current_settings

And to those used to async programming, the problem should be obvious. In
property_set_discoverable_timeout():
        if (adapter->current_settings & MGMT_SETTING_DISCOVERABLE)
                set_discoverable(adapter, 0x01, adapter->discoverable_timeout);

So if a discoverable setting is pending, adapter->current_settings isn't set to the new value, and discoverable is *reset* to on.

This is a definite bug in bluez, though work-aroundable in gnome-bluetooth.
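
The ordering problem described in the comment above, reduced to a stand-alone C model (an added example, not bluez code). `struct adapter` as laid out here, the queue, `kernel_reply_all`, `set_timeout` and `discoverable_after_close` are hypothetical names, and the `honour_pending` branch is an assumed mitigation, not the upstream fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define MGMT_SETTING_DISCOVERABLE 0x08u /* bit value chosen for this model */

/* Hypothetical, reduced stand-in for bluetoothd's adapter state. */
struct adapter {
    uint32_t current_settings; /* updated only when the kernel replies */
    uint8_t queue[8];          /* discoverable modes sent, reply pending */
    int queued;
};

/* Asynchronous request: queued now, applied later by kernel_reply_all(). */
static void set_discoverable(struct adapter *a, uint8_t mode) {
    if (a->queued < 8)
        a->queue[a->queued++] = mode;
}

/* Models new_settings_callback(): replies arrive in order and set the state
 * (the model tracks only the discoverable bit). */
static void kernel_reply_all(struct adapter *a) {
    for (int i = 0; i < a->queued; i++)
        a->current_settings = a->queue[i] ? MGMT_SETTING_DISCOVERABLE : 0;
    a->queued = 0;
}

/* DiscoverableTimeout setter. honour_pending=false is the check quoted in
 * the comment above; true lets a request still in flight win (assumption). */
static void set_timeout(struct adapter *a, bool honour_pending) {
    bool on = (a->current_settings & MGMT_SETTING_DISCOVERABLE) != 0;
    if (honour_pending && a->queued)
        on = a->queue[a->queued - 1] != 0;
    if (on)
        set_discoverable(a, 0x01); /* re-arm discoverable with the timeout */
}

/* Settings closing: Discoverable=false, then DiscoverableTimeout=0,
 * both sent before the kernel has confirmed anything. */
static bool discoverable_after_close(bool honour_pending) {
    struct adapter a = { .current_settings = MGMT_SETTING_DISCOVERABLE };
    set_discoverable(&a, 0x00);
    set_timeout(&a, honour_pending);
    kernel_reply_all(&a);
    return (a.current_settings & MGMT_SETTING_DISCOVERABLE) != 0;
}

int main(void) {
    printf("stale check: %d, pending-aware: %d\n",
           discoverable_after_close(false), discoverable_after_close(true));
    return 0;
}
```

With the stale check the adapter ends up discoverable again after the "off" request, matching the PropertiesChanged sequence in the dbus-monitor capture.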

In , Bastien (bastien-redhat-bugs) wrote :

Worked-around in gnome-bluetooth 3.28:
https://gitlab.gnome.org/GNOME/gnome-bluetooth/commit/6b5086d42ea64d46277f3c93b43984f331d12f89

The problem would not occur in 3.26 as D-Bus calls were synchronous, and we would DiscoverableTimeout if Discoverable was set:
https://gitlab.gnome.org/GNOME/gnome-bluetooth/blob/gnome-3-26/lib/bluetooth-client.c#L1118

In , Bastien (bastien-redhat-bugs) wrote :

(In reply to Bastien Nocera from comment #4)
> The problem would not occur in 3.26 as D-Bus calls were synchronous, and we
> would DiscoverableTimeout if Discoverable was set:

we would "not set" DiscoverableTimeout if...

In , Bastien (bastien-redhat-bugs) wrote :
In , Bastien (bastien-redhat-bugs) wrote :
In , Bastien (bastien-redhat-bugs) wrote :

(In reply to Bastien Nocera from comment #7)
> And this set:
> https://marc.info/?l=linux-bluetooth&m=153261464929156&w=2
> https://marc.info/?l=linux-bluetooth&m=153261465129157&w=2
> https://marc.info/?l=linux-bluetooth&m=153261465229159&w=2
> https://marc.info/?l=linux-bluetooth&m=153261465329160&w=2
> https://marc.info/?l=linux-bluetooth&m=153261465529161&w=2
> when used, should completely avoid the Discoverable state being on when the
> Settings are closed.

The gnome-bluetooth patches to use this new functionality, when available:
https://gitlab.gnome.org/GNOME/gnome-bluetooth/merge_requests/1

Alex Murray (alexmurray)
information type: Private Security → Public Security
affects: apport (Ubuntu) → gnome-bluetooth (Ubuntu)
Changed in gnome-bluetooth (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Changed in gnome-bluetooth (Fedora):
importance: Unknown → Undecided
status: Unknown → Confirmed
Sebastien Bacher (seb128) wrote :

That has been fixed in bluez upstream but there has been no new version since

affects: gnome-bluetooth (Ubuntu) → bluez (Ubuntu)
Changed in bluez (Ubuntu):
status: Triaged → Fix Committed
Daniel van Vugt (vanvugt) wrote :

Looks like the upstream fix is gnome-bluetooth, not bluez?

Daniel van Vugt (vanvugt) wrote :

And the gnome-bluetooth fix was released in 3.28.2.

affects: bluez (Ubuntu) → gnome-bluetooth (Ubuntu)
Changed in gnome-bluetooth (Ubuntu):
status: Fix Committed → Fix Released
Changed in gnome-bluetooth (Ubuntu Cosmic):
status: New → Fix Released
importance: Undecided → Medium
Daniel van Vugt (vanvugt) wrote :

And it seems to be in bionic too:

gnome-bluetooth (3.28.0-2ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: work around bluetoothd discoverability issue
    - debian/patches/CVE-2018-10910.patch: fix Discoverable being reset
      when turned off in lib/bluetooth-client.c.
    - CVE-2018-10910

 -- Marc Deslauriers <email address hidden> Fri, 11 Jan 2019 14:41:45 -0500

Changed in gnome-bluetooth (Ubuntu Bionic):
status: New → Fix Released
Daniel van Vugt (vanvugt) wrote :

Although the gnome-bluetooth "fix" sounds like a workaround. So re-adding a bluez task.

no longer affects: gnome-bluetooth (Ubuntu Ee-series)
Changed in gnome-bluetooth (Ubuntu Bionic):
importance: Undecided → Medium
Sebastien Bacher (seb128) wrote :

@Daniel, the URLs Bastien shared on the Red Hat bug are for bluez; he states on the GitLab bug that it's the proper fix, whereas the gnome-bluetooth ones are improvements for new features to work better

In , bcotton (bcotton-redhat-bugs) wrote :

This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 28 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

In , bcotton (bcotton-redhat-bugs) wrote :

Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Changed in gnome-bluetooth (Fedora):
status: Confirmed → Won't Fix
no longer affects: bluez (Ubuntu Bionic)
no longer affects: bluez (Ubuntu Cosmic)
no longer affects: bluez (Ubuntu Disco)
Changed in bluez (Ubuntu):
status: New → Confirmed
Changed in bluez (Ubuntu Focal):
status: Confirmed → Triaged
importance: Undecided → Medium
Changed in bluez (Ubuntu Eoan):
status: Fix Committed → Triaged
importance: Undecided → Medium
no longer affects: bluez (Ubuntu Eoan)
tags: added: fixed-upstream
tags: removed: fixed-upstream
no longer affects: bluez (Ubuntu Focal)
Sebastien Bacher (seb128) wrote :

(removing the focal targeting, there is no assignee nor sign it deserves particular handling)

This report contains Public Security information
Everyone can see this security related information.
