BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20936.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3879 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3879-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                          Adrian Bunk     September 07, 2024                            https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : bluez     Version        : 5.55-3.1+deb11u2     CVE ID         : CVE-2021-3658 CVE-2021-41229 CVE-2021-43400 CVE-2022-0204                      CVE-2022-39176 CVE-2022-39177 CVE-2023-27349 CVE-2023-50229                      CVE-2023-50230     Debian Bug     : 991596 998626 1000262 1003712

    Multiple vulnerabilities have been fixed in bluez library, tools and     daemons for using Bluetooth devices.

    CVE-2021-3658

        adapter: Fix storing discoverable setting

    CVE-2021-41229

        Memory leak in the SDP protocol

    CVE-2021-43400

        Use-after-free on client disconnect

    CVE-2022-0204

        GATT heap overflow

    CVE-2022-39176

        Proximate attackers could obtain sensitive information

    CVE-2022-39177

        Proximate attackers could cause denial of service

    CVE-2023-27349

        AVRCP crash while handling unsupported events

    CVE-2023-50229

        Phone Book Access profile Heap-based Buffer Overflow

    CVE-2023-50230

        Phone Book Access profile Heap-based Buffer Overflow

    For Debian 11 bullseye, these problems have been fixed in version     5.55-3.1+deb11u2.

    We recommend that you upgrade your bluez packages.

    For the detailed security status of bluez please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/bluez

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the bluez package has been released.

The version of bluez installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-50229 advisory.

  - BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This     vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of     BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a     malicious Bluetooth device. The specific flaw exists within the handling of the Phone Book Access profile.
    The issue results from the lack of proper validation of the length of user-supplied data prior to copying     it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the     context of root. Was ZDI-CAN-20936. (CVE-2023-50229)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0204-1 advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0182-1 advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0183-1 advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0167-1 advisory.

  - BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in     sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates     and will not be freed. This will cause a memory leak over time. The data can be a very large object, which     can be caused by an attacker continuously sending sdp packets and this may cause the service of the target     device to crash. (CVE-2021-41229)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0166-1 advisory.

  - BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in     sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates     and will not be freed. This will cause a memory leak over time. The data can be a very large object, which     can be caused by an attacker continuously sending sdp packets and this may cause the service of the target     device to crash. (CVE-2021-41229)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
206762	Debian dla-3879 : bluetooth - security update	Nessus	Debian Local Security Checks	critical
204800	Photon OS 3.0: Bluez PHSA-2024-3.0-0741	Nessus	PhotonOS Local Security Checks	high
204276	Photon OS 4.0: Bluez PHSA-2024-4.0-0586	Nessus	PhotonOS Local Security Checks	high
203561	Photon OS 5.0: Bluez PHSA-2024-5.0-0231	Nessus	PhotonOS Local Security Checks	high
201785	CBL Mariner 2.0 Security Update: bluez (CVE-2023-50229)	Nessus	MarinerOS Local Security Checks	high
189500	SUSE SLED15 / SLES15 Security Update : bluez (SUSE-SU-2024:0204-1)	Nessus	SuSE Local Security Checks	high
189402	SUSE SLES15 Security Update : bluez (SUSE-SU-2024:0182-1)	Nessus	SuSE Local Security Checks	high
189401	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : bluez (SUSE-SU-2024:0183-1)	Nessus	SuSE Local Security Checks	high
189256	SUSE SLES15 Security Update : bluez (SUSE-SU-2024:0167-1)	Nessus	SuSE Local Security Checks	medium
189255	SUSE SLES15 Security Update : bluez (SUSE-SU-2024:0166-1)	Nessus	SuSE Local Security Checks	medium

Detections

Analytics

CVE-2023-50229

high

Tenable Plugins

critical

high

high

high

high

high

high

high

medium

medium