CVE-2020-12351
Published: 14 October 2020
Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
From the Ubuntu Security Team
Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
Notes
| Author | Note |
|---|---|
| sbeattie | introduced in 4.8 cycle |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
linux-gke-5.4 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| groovy |
Does not exist
|
|
| bionic |
Pending
(5.4.0-1029.31~18.04.1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-122.124)
|
| focal |
Released
(5.4.0-52.57)
|
|
| groovy |
Not vulnerable
(5.8.0-25.26)
|
|
| trusty |
Not vulnerable
(3.11.0-12.19)
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Not vulnerable
(4.2.0-16.19)
|
|
|
Patches: Introduced by dbb50887c8f619fc5c3489783ebc3122bc134a31 |
||
|
linux-hwe Launchpad, Ubuntu, Debian |
trusty |
Does not exist
|
| bionic |
Ignored
(converted to linux-hwe-5.4)
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Released
(4.15.0-122.124~16.04.1)
|
|
|
linux-aws Launchpad, Ubuntu, Debian |
trusty |
Not vulnerable
(CONFIG_BT not set)
|
| xenial |
Not vulnerable
(CONFIG_BT not set)
|
|
| bionic |
Not vulnerable
(CONFIG_BT not set)
|
|
| focal |
Not vulnerable
(CONFIG_BT not set)
|
|
| groovy |
Not vulnerable
(CONFIG_BT not set)
|
|
| upstream |
Released
(5.10~rc1)
|
|
|
linux-aws-5.0 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| bionic |
Not vulnerable
(CONFIG_BT not set)
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(CONFIG_BT not set)
|
|
| xenial |
Does not exist
|
|
|
linux-aws-5.3 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(CONFIG_BT not set)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(CONFIG_BT not set)
|
|
| xenial |
Does not exist
|
|
|
linux-aws-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(CONFIG_BT not set)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(CONFIG_BT not set)
|
|
| xenial |
Does not exist
|
|
|
linux-aws-hwe Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(CONFIG_BT not set)
|
|
| xenial |
Not vulnerable
(CONFIG_BT not set)
|
|
|
linux-azure Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(CONFIG_BT not set)
|
| focal |
Not vulnerable
(CONFIG_BT not set)
|
|
| groovy |
Not vulnerable
(CONFIG_BT not set)
|
|
| trusty |
Not vulnerable
(CONFIG_BT not set)
|
|
| upstream |
Not vulnerable
(CONFIG_BT not set)
|
|
| xenial |
Not vulnerable
(CONFIG_BT not set)
|
|
|
linux-azure-4.15 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(CONFIG_BT not set)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(CONFIG_BT not set)
|
|
| xenial |
Does not exist
|
|
|
linux-azure-5.3 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(CONFIG_BT not set)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(CONFIG_BT not set)
|
|
| xenial |
Does not exist
|
|
|
linux-azure-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(CONFIG_BT not set)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(CONFIG_BT not set)
|
|
| xenial |
Does not exist
|
|
|
linux-azure-edge Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(CONFIG_BT not set)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(CONFIG_BT not set)
|
|
| xenial |
Does not exist
|
|
|
linux-gcp Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(cloud-only kernel)
|
| focal |
Not vulnerable
(cloud-only kernel)
|
|
| groovy |
Not vulnerable
(cloud-only kernel)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Not vulnerable
(cloud-only kernel)
|
|
|
linux-gcp-4.15 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(cloud-only kernel)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(cloud-only kernel)
|
|
| xenial |
Does not exist
|
|
|
linux-gcp-5.3 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(cloud-only kernel)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(cloud-only kernel)
|
|
| xenial |
Does not exist
|
|
|
linux-gcp-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(cloud-only kernel)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(cloud-only kernel)
|
|
| xenial |
Does not exist
|
|
|
linux-gcp-edge Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(cloud-only kernel)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(cloud-only kernel)
|
|
| xenial |
Does not exist
|
|
|
linux-gke-4.15 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(cloud-only kernel)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(cloud-only kernel)
|
|
| xenial |
Does not exist
|
|
|
linux-gke-5.0 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(cloud-only kernel)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(cloud-only kernel)
|
|
| xenial |
Does not exist
|
|
|
linux-gke-5.3 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(cloud-only kernel)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(cloud-only kernel)
|
|
| xenial |
Does not exist
|
|
|
linux-gkeop-5.4 Launchpad, Ubuntu, Debian |
bionic |
Pending
(5.4.0-1004.5)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-hwe-5.4 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.4.0-52.57~18.04.1)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-hwe-5.8 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Pending
(5.8.0-25.26~20.04.1)
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-hwe-edge Launchpad, Ubuntu, Debian |
bionic |
Ignored
(superseded by linux-hwe)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Ignored
(superseded by linux-hwe)
|
|
|
linux-kvm Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(CONFIG_BT not enabled)
|
| focal |
Not vulnerable
(CONFIG_BT not enabled)
|
|
| groovy |
Not vulnerable
(CONFIG_BT not enabled)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Not vulnerable
(CONFIG_BT not enabled)
|
|
|
linux-lts-trusty Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-lts-xenial Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Not vulnerable
(4.4.0-13.29~14.04.1)
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oem Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1100.110)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Ignored
(end of standard support)
|
|
|
linux-oem-5.6 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(5.6.0-1032.33)
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oem-osp1 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.0.0-1070.76)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oracle Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(cloud-only kernel)
|
| focal |
Not vulnerable
(cloud-only kernel)
|
|
| groovy |
Not vulnerable
(cloud-only kernel)
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(cloud-only kernel)
|
|
| xenial |
Not vulnerable
(cloud-only kernel)
|
|
|
linux-oracle-5.0 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(cloud-only kernel)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(cloud-only kernel)
|
|
| xenial |
Does not exist
|
|
|
linux-oracle-5.3 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(cloud-only kernel)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(cloud-only kernel)
|
|
| xenial |
Does not exist
|
|
|
linux-oracle-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(cloud-only kernel)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(cloud-only kernel)
|
|
| xenial |
Does not exist
|
|
|
linux-raspi Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(5.4.0-1022.25)
|
|
| groovy |
Not vulnerable
(5.8.0-1006.9)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-raspi-5.4 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.4.0-1022.25~18.04.1)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-raspi2 Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1074.79)
|
| focal |
Ignored
(replaced by linux-raspi)
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Not vulnerable
(4.2.0-1013.19)
|
|
|
linux-raspi2-5.3 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.3.0-1036.38)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-riscv Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(5.4.0-37.42)
|
|
| groovy |
Not vulnerable
(5.8.0-7.7)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-snapdragon Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1090.99)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.10~rc1)
|
|
| xenial |
Not vulnerable
(4.4.0-1013.15)
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.8 |
| Attack vector | Adjacent |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12351
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
- https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
- https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?h=for-upstream&id=f19425641cb2572a33cb074d5e30283720bd4d22
- https://ubuntu.com/security/notices/USN-4592-1
- https://ubuntu.com/security/notices/USN-4591-1
- NVD
- Launchpad
- Debian