Description Preview
The native Bluetooth stack in the Linux kernel (BlueZ), from kernel version 2.6.32 up to and including 4.13.1, is vulnerable to a stack overflow in the handling of L2CAP configuration responses. This flaw can be exploited by a remote attacker within Bluetooth range to execute arbitrary code in kernel space, potentially taking control of the affected device, bypassing security boundaries, and compromising system integrity and availability. The vulnerability was disclosed in September 2017 and prompted multiple vendor advisories and patches across distributions and devices, highlighting the broad impact across the Linux ecosystem.
Overview
This CVE documents a remote code execution risk in the Linux kernel's Bluetooth stack (BlueZ) caused by a stack overflow during L2CAP configuration response processing. Affected are Linux kernels from 2.6.32 through 4.13.1. The issue garnered widespread attention and led to numerous vendor advisories and patches (e.g., Red Hat, Debian) and public disclosure resources, underscoring the need to apply firmware and kernel updates and to adjust Bluetooth exposure where possible.
Remediation
- Actionable remediation (when patches are available):
- Upgrade to a patched kernel and BlueZ package provided by your distribution (e.g., apply the Red Hat advisories RHSA-2017:2732, RHSA-2017:2705, RHSA-2017:2683, RHSA-2017:2704, RHSA-2017:2682, RHSA-2017:2731, and related advisories for 2681, 2679, 2680, 2707; Debian DSA-3981; Synology mitigation, etc.).
- Reboot the system after applying updates to ensure the patched kernel and BlueZ are loaded.
- Verify that the patched versions are installed by checking package versions against the advisories.
- Additional mitigation if patching is not immediately possible:
- Disable Bluetooth or remove Bluetooth exposure if not required.
- If Bluetooth must remain enabled, configure devices to be non-discoverable and restrict Bluetooth access to trusted hosts and devices.
- For containers or virtualized environments, ensure Bluetooth interfaces are not exposed to untrusted workloads.
- Monitor security advisories and vulnerability trackers for follow-up guidance and updated patches.
- Verification and ongoing hygiene:
- After patching, re-scan systems against the BlueBorne/BlueZ advisories and confirm kernel/BlueZ versions reflect the fixes.
- Maintain an asset inventory of affected devices and apply updates on a prioritized basis, especially for IoT and edge devices.
References
- RHSA-2017:2732
- 42762
- RHSA-2017:2705
- RHSA-2017:2683
- RHSA-2017:2704
- RHSA-2017:2682
- access.redhat.com/security/vulnerabilities/blueborne
- https://www.armis.com/blueborne
- 1039373
- RHSA-2017:2731
- DSA-3981
- RHSA-2017:2706
- https://www.synology.com/support/security/Synology_SA_17_52_BlueBorne
- https://github.com/torvalds/linux/commit/f2fcfcd670257236ebf2088bbdf26f6a8ef459fe
- http://nvidia.custhelp.com/app/answers/detail/a_id/4561
- BID 100809
- VU#240311
- RHSA-2017:2681
- RHSA-2017:2679
- RHSA-2017:2680
- RHSA-2017:2707
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Public AdministrationPublic Administration: Medium
- ManufacturingManufacturing: Medium
- Health Care & Social AssistanceHealth Care & Social Assistance: Medium
- Educational ServicesEducational Services: Medium
- Finance and InsuranceFinance and Insurance: Medium
- Transportation & WarehousingTransportation & Warehousing: Medium
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services: Medium
- Retail TradeRetail Trade: Medium
- UtilitiesUtilities: Medium
- Other Services (except Public Administration)Other Services (except Public Administration): Medium
- Arts, Entertainment & RecreationArts, Entertainment & Recreation: Low
- InformationInformation: Low
- Management of Companies & EnterprisesManagement of Companies & Enterprises: Low
- Real Estate Rental & LeasingReal Estate Rental & Leasing: Low
- Accommodation & Food ServicesAccommodation & Food Services: Low
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting: Low
- MiningMining: Low
- ConstructionConstruction: Low
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services: Low
- Wholesale TradeWholesale Trade: Low
