BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - bluez: double free in gatttool client disconnect callback handler in src/shared/att.c could lead to DoS or     RCE (CVE-2020-27153)

  - bluez: BlueZ allows physically proximate attackers to cause a denial of service because malformed and     invalid capabilities can be processed in profiles/audio/avdtp.c (CVE-2022-39177)

  - Buffer overflow in BlueZ 5.41 and earlier allows an attacker to execute arbitrary code via the parse_line     function used in some userland utilities. (CVE-2016-7837)

  - In BlueZ 5.42, a buffer over-read was observed in l2cap_dump function in tools/parser/l2cap.c source     file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
    (CVE-2016-9797)

  - In BlueZ 5.42, a use-after-free was identified in conf_opt function in tools/parser/l2cap.c source     file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
    (CVE-2016-9798)

  - In BlueZ 5.42, a buffer overflow was observed in pin_code_reply_dump function in tools/parser/hci.c     source file. The issue exists because pin array is overflowed by supplied parameter due to lack of     boundary checks on size of the buffer from frame pin_code_reply_cp *cp parameter. (CVE-2016-9800)

  - In BlueZ 5.42, a buffer overflow was observed in set_ext_ctrl function in tools/parser/l2cap.c source     file when processing corrupted dump file. (CVE-2016-9801)

  - In BlueZ 5.42, an out-of-bounds read was observed in le_meta_ev_dump function in tools/parser/hci.c     source file. This issue exists because 'subevent' (which is used to read correct element from     'ev_le_meta_str' array) is overflowed. (CVE-2016-9803)

  - In BlueZ 5.42, a buffer overflow was observed in commands_dump function in tools/parser/csr.c source     file. The issue exists because commands array is overflowed by supplied parameter due to lack of     boundary checks on size of the buffer from frame frm->ptr parameter. This issue can be triggered by     processing a corrupted dump file and will result in hcidump crash. (CVE-2016-9804)

  - An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a     SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server     into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The     root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check     whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the     same. (CVE-2019-8921)

  - A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on     whether there is enough space in the destination buffer. The function simply appends all data passed to     it. The values of all attributes that are requested are appended to the output buffer. There are no size     checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is     large enough to overflow the preallocated buffer. This issue exists in service_attr_req gets called by     process_request (in sdpd-request.c), which also allocates the response buffer. (CVE-2019-8922)

  - The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset'     variable before using it as an index into an array for reading. (CVE-2021-3588)

  - bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and     restores it when powered up. If a device is powered down while discoverable, it will be discoverable when     powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby     attackers. (CVE-2021-3658)

  - BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in     sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates     and will not be freed. This will cause a memory leak over time. The data can be a very large object, which     can be caused by an attacker continuously sending sdp packets and this may cause the service of the target     device to crash. (CVE-2021-41229)

  - A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function     read_50_controller_cap_complete of the file tools/mgmt-tester.c of the component BlueZ. The manipulation     of the argument cap_len leads to null pointer dereference. It is recommended to apply a patch to fix this     issue. VDB-211086 is the identifier assigned to this vulnerability. (CVE-2022-3563)

  - A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects     the function jlink_init of the file monitor/jlink.c of the component BlueZ. The manipulation leads to     denial of service. It is recommended to apply a patch to fix this issue. The identifier of this     vulnerability is VDB-211936. (CVE-2022-3637)

  - BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because     profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)

  - BlueZ Audio Profile AVRCP Improper Validation of Array Index Remote Code Execution Vulnerability. This     vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected     installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must     connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The     issue results from the lack of proper validation of user-supplied data, which can result in a write past     the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context     of root. Was ZDI-CAN-19908. (CVE-2023-27349)

  - Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and     establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of     HID messages when no user interaction has occurred in the Central role to authorize such access. An     example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556     mitigation would have already addressed this Bluetooth HID Hosts issue. (CVE-2023-45866)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - bluez: double free in gatttool client disconnect callback handler in src/shared/att.c could lead to DoS or     RCE (CVE-2020-27153)

  - bluez: BlueZ allows physically proximate attackers to cause a denial of service because malformed and     invalid capabilities can be processed in profiles/audio/avdtp.c (CVE-2022-39177)

  - Buffer overflow in BlueZ 5.41 and earlier allows an attacker to execute arbitrary code via the parse_line     function used in some userland utilities. (CVE-2016-7837)

  - In BlueZ 5.42, a buffer over-read was observed in l2cap_dump function in tools/parser/l2cap.c source     file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
    (CVE-2016-9797)

  - In BlueZ 5.42, a use-after-free was identified in conf_opt function in tools/parser/l2cap.c source     file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
    (CVE-2016-9798)

  - In BlueZ 5.42, a buffer overflow was observed in pklg_read_hci function in btsnoop.c source file. This     issue can be triggered by processing a corrupted dump file and will result in btmon crash. (CVE-2016-9799)

  - In BlueZ 5.42, a buffer overflow was observed in pin_code_reply_dump function in tools/parser/hci.c     source file. The issue exists because pin array is overflowed by supplied parameter due to lack of     boundary checks on size of the buffer from frame pin_code_reply_cp *cp parameter. (CVE-2016-9800)

  - In BlueZ 5.42, a buffer overflow was observed in set_ext_ctrl function in tools/parser/l2cap.c source     file when processing corrupted dump file. (CVE-2016-9801)

  - In BlueZ 5.42, a buffer over-read was identified in l2cap_packet function in monitor/packet.c source     file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.
    (CVE-2016-9802)

  - In BlueZ 5.42, an out-of-bounds read was observed in le_meta_ev_dump function in tools/parser/hci.c     source file. This issue exists because 'subevent' (which is used to read correct element from     'ev_le_meta_str' array) is overflowed. (CVE-2016-9803)

  - In BlueZ 5.42, a buffer overflow was observed in commands_dump function in tools/parser/csr.c source     file. The issue exists because commands array is overflowed by supplied parameter due to lack of     boundary checks on size of the buffer from frame frm->ptr parameter. This issue can be triggered by     processing a corrupted dump file and will result in hcidump crash. (CVE-2016-9804)

  - In BlueZ 5.42, a buffer overflow was observed in read_n function in tools/hcidump.c source file. This     issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
    (CVE-2016-9917)

  - In BlueZ 5.42, an out-of-bounds read was identified in packet_hexdump function in monitor/packet.c     source file. This issue can be triggered by processing a corrupted dump file and will result in btmon     crash. (CVE-2016-9918)

  - Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby     man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication     procedure) by reflection of the public key and the authentication evidence of the initiating device,     potentially permitting this attacker to complete authenticated pairing with the responding device using     the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit     at a time. (CVE-2020-26558)

  - A logic issue was addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS     13.4. An attacker in a privileged network position may be able to intercept Bluetooth traffic.
    (CVE-2020-9770)

  - The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset'     variable before using it as an index into an array for reading. (CVE-2021-3588)

  - bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and     restores it when powered up. If a device is powered down while discoverable, it will be discoverable when     powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby     attackers. (CVE-2021-3658)

  - BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in     sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates     and will not be freed. This will cause a memory leak over time. The data can be a very large object, which     can be caused by an attacker continuously sending sdp packets and this may cause the service of the target     device to crash. (CVE-2021-41229)

  - A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function     read_50_controller_cap_complete of the file tools/mgmt-tester.c of the component BlueZ. The manipulation     of the argument cap_len leads to null pointer dereference. It is recommended to apply a patch to fix this     issue. VDB-211086 is the identifier assigned to this vulnerability. (CVE-2022-3563)

  - A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects     the function jlink_init of the file monitor/jlink.c of the component BlueZ. The manipulation leads to     denial of service. It is recommended to apply a patch to fix this issue. The identifier of this     vulnerability is VDB-211936. (CVE-2022-3637)

  - BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because     profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)

  - BlueZ Audio Profile AVRCP Improper Validation of Array Index Remote Code Execution Vulnerability. This     vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected     installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must     connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The     issue results from the lack of proper validation of user-supplied data, which can result in a write past     the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context     of root. Was ZDI-CAN-19908. (CVE-2023-27349)

  - Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and     establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of     HID messages when no user interaction has occurred in the Central role to authorize such access. An     example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556     mitigation would have already addressed this Bluetooth HID Hosts issue. (CVE-2023-45866)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

According to the versions of the bluez packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because     profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)

  - BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and     invalid capabilities can be processed in profiles/audio/avdtp.c. (CVE-2022-39177)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the bluez package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a     SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server     into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The     root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check     whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the     same. (CVE-2019-8921)

  - A heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network     access could pass specially crafted files causing an application to halt or crash, leading to a denial of     service. (CVE-2022-0204)

  - BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because     profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)

  - BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and     invalid capabilities can be processed in profiles/audio/avdtp.c. (CVE-2022-39177)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the bluez packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because     profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)

  - BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and     invalid capabilities can be processed in profiles/audio/avdtp.c. (CVE-2022-39177)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0156-1 advisory.

  - BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because     profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)

  - BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and     invalid capabilities can be processed in profiles/audio/avdtp.c. (CVE-2022-39177)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED12 / SLED_SAP12 / SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0166-1 advisory.

  - BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because     profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)

  - BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and     invalid capabilities can be processed in profiles/audio/avdtp.c. (CVE-2022-39177)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0168-1 advisory.

  - BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because     profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)

  - BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and     invalid capabilities can be processed in profiles/audio/avdtp.c. (CVE-2022-39177)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0155-1 advisory.

  - BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because     profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)

  - BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and     invalid capabilities can be processed in profiles/audio/avdtp.c. (CVE-2022-39177)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of bluez installed on the remote host is prior to 5.44-7. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2022-1881 advisory.

  - BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because     profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3157 advisory.

  - An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a     SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server     into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The     root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check     whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the     same. (CVE-2019-8921)

  - A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on     whether there is enough space in the destination buffer. The function simply appends all data passed to     it. The values of all attributes that are requested are appended to the output buffer. There are no size     checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is     large enough to overflow the preallocated buffer. This issue exists in service_attr_req gets called by     process_request (in sdpd-request.c), which also allocates the response buffer. (CVE-2019-8922)

  - BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in     sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates     and will not be freed. This will cause a memory leak over time. The data can be a very large object, which     can be caused by an attacker continuously sending sdp packets and this may cause the service of the target     device to crash. (CVE-2021-41229)

  - An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client     disconnects during D-Bus processing of a WriteValue call. (CVE-2021-43400)

  - A heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network     access could pass specially crafted files causing an application to halt or crash, leading to a denial of     service. (CVE-2022-0204)

  - BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because     profiles/audio/avrcp.c does not validate params_len. (CVE-2022-39176)

  - BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and     invalid capabilities can be processed in profiles/audio/avdtp.c. (CVE-2022-39177)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
196471	RHEL 6 : bluez (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
196439	RHEL 7 : bluez (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
178895	EulerOS Virtualization 3.0.6.6 : bluez (EulerOS-SA-2023-2406)	Nessus	Huawei Local Security Checks	high
175202	EulerOS Virtualization 3.0.2.0 : bluez (EulerOS-SA-2023-1742)	Nessus	Huawei Local Security Checks	high
172279	EulerOS 2.0 SP5 : bluez (EulerOS-SA-2023-1491)	Nessus	Huawei Local Security Checks	high
170721	SUSE SLES15 Security Update : bluez (SUSE-SU-2023:0156-1)	Nessus	SuSE Local Security Checks	high
170720	SUSE SLED12 / SLES12 Security Update : bluez (SUSE-SU-2023:0166-1)	Nessus	SuSE Local Security Checks	high
170716	SUSE SLES15 Security Update : bluez (SUSE-SU-2023:0168-1)	Nessus	SuSE Local Security Checks	high
170710	SUSE SLES15 Security Update : bluez (SUSE-SU-2023:0155-1)	Nessus	SuSE Local Security Checks	high
168444	Amazon Linux 2 : bluez (ALAS-2022-1881)	Nessus	Amazon Linux Local Security Checks	high
166429	Debian DLA-3157-1 : bluez - LTS security update	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2022-39176

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

critical