CVE-2017-1000250:

Remote information disclosure vulnerability in BlueZ SDP server (CVE-2017-1000250) affecting BlueZ 5.46 and earlier, allowing attackers to read sensitive data from the bluetoothd process memory via SDP search attribute requests.

Score
A numerical rating that indicates how dangerous this vulnerability is.

6.5Medium

Published Date:Sep 12, 2017
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:36.9
EPSS Percentile:97%

Exploitability

Score:2.8
Attack Vector:ADJACENT_NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:3.6
Confidentiality Impact:HIGH
Integrity Impact:NONE
Availability Impact:NONE

Description Preview

Overview

This CVE concerns an information disclosure flaw in BlueZ’s SDP server, present in BlueZ versions up to 5.46. The vulnerability is triggered by handling SDP search attribute requests, enabling remote attackers to retrieve sensitive data from the bluetoothd process memory without authentication or interaction. The issue is widely referenced in multiple vendor advisories and security analyses under the BlueBorne umbrella.

Remediation

Upgrade BlueZ to a fixed version provided by your OS/distribution vendor (addressing the SDP processing flaw). Check and apply the patched BlueZ package or a newer release (commonly 5.47+ or the vendor’s subsequent update).
If upgrading is not feasible, apply the vendor-provided patch or backport the fix to your BlueZ package as advised by your distribution.
If SDP services are not required in your environment, consider disabling the SDP server component or the Bluetooth SDP handling to reduce exposure until a patch is applied.
After applying the fix, restart the Bluetooth daemon (bluetoothd) and verify that the patch is in effect by consulting vendor advisories or testing for remediation indicators.
Monitor official advisories and CVE databases for any additional mitigations or updates related to this vulnerability.