Headline
CVE-2022-1789: BIAS
With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.
BIAS: Bluetooth Impersonation AttackS
About the BIAS attack
TL;DR: The Bluetooth standard provides authentication mechanisms based on a long term pairing key, which are designed to protect against impersonation attacks. The BIAS attacks from our new paper demonstrate that those mechanisms are broken, and that an attacker can exploit them to impersonate any Bluetooth master or slave device. Our attacks are standard-compliant, and can be combined with other attacks, including the KNOB attack. In the paper, we also describe a low cost implementation of the attacks and our evaluation results on 30 unique Bluetooth devices using 28 unique Bluetooth chips.
Details
Bluetooth Classic (also called Bluetooth BR/EDR) is a wireless communication protocol commonly used between low power devices to transfer data, e.g., between a wireless headset and a phone, or between two laptops. Bluetooth communications might contain private and/or sensitive data, and the Bluetooth standard provides security features to protect against someone who wants to eavesdrop and/or manipulate your information. We found and exploited a severe vulnerability in the Bluetooth BR/EDR specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker can impersonate a device towards the host after both have previously been successfully paired in absence of the attacker.
We call our attack Bluetooth Impersonation AttackS (BIAS). Because this attack affects basically all devices that “speak Bluetooth”, we performed a responsible disclosure with the Bluetooth Special Interest Group (Bluetooth SIG) - the standards organisation that oversees the development of Bluetooth standards - in December 2019 to ensure that workarounds could be put in place.
Are My Devices Vulnerable?
The BIAS attack is possible due to flaws in the Bluetooth specification. As such, any standard-compliant Bluetooth device can be expected to be vulnerable. We conducted BIAS attacks on more than 28 unique Bluetooth chips (by attacking 30 different devices). At the time of writing, we were able to test chips from Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All devices that we tested were vulnerable to the BIAS attack.
After we disclosed our attack to industry in December 2019, some vendors might have implemented workarounds for the vulnerability on their devices. So the short answer is: if your device was not updated after December 2019, it is likely vulnerable. Devices updated afterwards might be fixed.
Team
Daniele Antonioli****Postdoc at the EPFL
Cyber-Physical Systems Security, Network Security, Wireless Security, Embedded Systems Security, Applied Cryptography, SoCurity
Kasper Rasmussen****Faculty
Security of Wireless Networks, Protocol design, Applied Cryptography, Security of embedded systems, Cyber-physical systems
Nils Ole Tippenhauer****Faculty
Security of Cyber-Physical Systems, Security of Physical-Layer Wireless, IoT Security
Related Publications
Recent & Upcoming Talks
Media Coverage
social
- Reddit Thread
CERT
- CVE-2020-10135
- https://www.kb.cert.org/vuls/id/647177/
Bluetooth SIG
- 2020/05/18 “Bluetooth SIG Statement Regarding the Bluetooth Impersonation Attacks (BIAS) Security Vulnerability” by the Blueooth SIG
Selected EN press
- 2020/05/19: MSN, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by Catalin Cimpanu
- 2020/05/21: TimesNowNews, “Smartphones, laptops, IoT devices from Apple, Intel, Samsung vulnerable to new BIAS Bluetooth attack” by Krishna SinhaChaudhury
- 2020/05/19: SecurityAffairs, “Boffins disclosed a security flaw in Bluetooth, dubbed BIAS, that could potentially be exploited by an attacker to spoof a remotely paired device” by Pierluigi Paganini
- 2020/05/19: WeLiveSecurity, “Bluetooth flaw exposes countless devices to BIAS attacks” by Amer Owaida
- 2020/05/19: forklog, “Hackers Can Impersonate Bluetooth Devices to Steal Users’ Personal Data: Is This a Threat to You?" by Ana Alexandre
- 2020/05/19: The Hacker News, “New Bluetooth Vulnerability Exposes Billions of Devices to Hackers” by Ravie Lakshmanan
- 2020/05/18: ZDNet, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by Catalin Cimpanu
- 2020/05/19: CISO Mag, “New BIAS Vulnerability Affects All Modern Bluetooth Devices” by CISOMAG
- 2020/05/18: ThreatsHub, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by TH Author
- 2020/05/18: ROOTDAEMON.com, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by ROOTDAEMON
- 2020/05/19: ITPro, “Bluetooth pairing flaw exposes devices to BIAS attacks” by Keumars Afifi-Sabet
- 2020/05/19: MyBroadband, “New security flaw affects almost all Bluetooth devices” by Bradley Prior
Selected ES press
- 2020/05/19: El Español, “Bluetooth es un peligro: descubren que es posible engañar a tu móvil” by Adrián Raya
Selected IT press
- 2020/05/19: PuntoInformatico, “BIAS: nuova vulnerabilità nel Bluetooth” by Giacomo Dotta
Selected DE press
- 2020/05/21: Heise.de, “Bluetooth-Sicherheitslücke ermöglicht unerkannte Angriffe”
Related news
Red Hat Security Advisory 2024-4447-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include code execution, null pointer, and use-after-free vulnerabilities.
Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.
Logging Subsystem 5.7.2 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2023-27539: A denial of service vulnerability was found in rubygem-rack in how it parses headers. A carefully crafted input can cause header parsing to take an unexpe...
Red Hat Security Advisory 2023-3356-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.9 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Red Hat Security Advisory 2023-3326-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.6 images. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
An update for kernel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-26341: A flaw was found in hw. This issue can cause AMD CPUs to transiently execute beyond unconditional direct branches. * CVE-2021-33655: An out-of-bounds write flaw was found in the Linux kernel’s framebuffer-based console driver functionality in the way a user triggers ioctl FBIOPUT_VSCREENINFO with malicious data. This flaw allows a local user to c...
An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-26341: A flaw was found in hw. This issue can cause AMD CPUs to transiently execute beyond unconditional direct branches. * CVE-2021-33655: An out-of-bounds write flaw was found in the Linux kernel’s framebuffer-based console driver functionality in the way a user triggers ioctl FBIOPUT_VSCREENINFO with malicious data. This flaw allows a local user t...
Red Hat Security Advisory 2023-2148-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include buffer overflow, bypass, denial of service, double free, memory leak, null pointer, out of bounds read, privilege escalation, traversal, and use-after-free vulnerabilities.
Red Hat Security Advisory 2023-2458-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include buffer overflow, bypass, denial of service, double free, memory leak, null pointer, out of bounds read, privilege escalation, traversal, and use-after-free vulnerabilities.
An update for kernel is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-26341: A flaw was found in hw. This issue can cause AMD CPUs to transiently execute beyond unconditional direct branches. * CVE-2021-33655: An out-of-bounds write flaw was found in the Linux kernel’s framebuffer-based console driver functionality in the way a user triggers ioctl FBIOPUT_VSCREENINFO with malicious data. This flaw allows a local user to c...
An update for kernel-rt is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-26341: A flaw was found in hw. This issue can cause AMD CPUs to transiently execute beyond unconditional direct branches. * CVE-2021-33655: An out-of-bounds write flaw was found in the Linux kernel’s framebuffer-based console driver functionality in the way a user triggers ioctl FBIOPUT_VSCREENINFO with malicious data. This flaw allows a local user t...
Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability. An authenticated nonprivileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application.
Bluetooth® Pairing in Bluetooth Core Specification v1.0B through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when at least one device supports BR/EDR Secure Connections pairing and the other BR/EDR Legacy PIN code pairing if the MITM negotiates BR/EDR Secure Simple Pairing in Secure Connections mode using the Passkey association model with the pairing Initiator and BR/EDR Legacy PIN code pairing with the pairing Responder and brute forces the Passkey entered by the user into the Responder as a 6-digit PIN code. The MITM attacker can use the identified PIN code value as the Passkey value to complete authentication with the Initiator via Bluetooth pairing method confusion.
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
Ubuntu Security Notice 5564-1 - Zhenpeng Lin discovered that the network packet scheduler implementation in the Linux kernel did not properly remove all references to a route filter before freeing it in some situations. A local attacker could use this to cause a denial of service or execute arbitrary code. It was discovered that the netfilter subsystem of the Linux kernel did not prevent one nft object from referencing an nft set in another nft table, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5539-1 - It was discovered that the implementation of the 6pack and mkiss protocols in the Linux kernel did not handle detach events properly in some situations, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service. Duoming Zhou discovered that the AX.25 amateur radio protocol implementation in the Linux kernel did not handle detach events properly in some situations. A local attacker could possibly use this to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5529-1 - It was discovered that the Atheros ath9k wireless device driver in the Linux kernel did not properly handle some error conditions, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Yongkang Jia discovered that the KVM hypervisor implementation in the Linux kernel did not properly handle guest TLB mapping invalidation requests in some situations. An attacker in a guest VM could use this to cause a denial of service in the host OS.
Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.
Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.
Pexip Infinity before 27.3 allows remote attackers to force a software abort via HTTP.
Pexip Infinity 27.x before 27.3 has Improper Input Validation. The client API allows remote attackers to trigger a software abort via a gateway call into Teams.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed.
Pexip Infinity 27.x before 27.2 has Improper Access Control. An attacker can sometimes join a conference (call join) if it has a lock but not a PIN.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via HTTP.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via Epic Telehealth.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via H.323.
Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264.
Ubuntu Security Notice 5518-1 - It was discovered that the eBPF implementation in the Linux kernel did not properly prevent writes to kernel objects in BPF_BTF_LOAD commands. A privileged local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the Marvell NFC device driver implementation in the Linux kernel did not properly perform memory cleanup operations in some situations, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5514-1 - It was discovered that the implementation of the 6pack and mkiss protocols in the Linux kernel did not handle detach events properly in some situations, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service. Duoming Zhou discovered that the AX.25 amateur radio protocol implementation in the Linux kernel did not handle detach events properly in some situations. A local attacker could possibly use this to cause a denial of service or execute arbitrary code.