^{CVE-2017-1000410:}An information leak in the Linux kernel’s Bluetooth L2CAP configuration parsing (CVE-2017-1000410) allows uninitialized stack data to be exposed, potentially bypassing KASLR and stack canaries and, in combination with CVE-2017-1000251, enabling an RCE under certain builds.

The Linux kernel version 3.3-rc1 and later contains a vulnerability in the handling of incoming L2CAP ConfigRequest and ConfigResponse messages. In the functions l2cap_parse_conf_rsp and l2cap_parse_conf_req, the local variable struct l2cap_conf_efs efs is declared but not initialized. During parsing, the EFS handling path may skip the memcpy that would populate efs, leading to an outgoing configuration option that includes an uninitialized efs. The code then writes the address of efs into the outgoing message via l2cap_add_conf_opt, allowing an attacker to receive 16 bytes of data from uninitialized stack memory. This can enable information leakage and may enable bypass of KASLR and stack canaries. If leveraged with a prior RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251), it may facilitate exploitation on kernels built with certain mitigations. The vulnerability is associated with the processing of L2CAP ConfigRequest/ConfigResponse messages and can be triggered by sending specifically crafted configuration elements.

Overview

This CVE describes an information-leak weakness in the Linux kernel’s Bluetooth L2CAP configuration parsing that stems from using an uninitialized stack variable when processing ConfigRequest and ConfigResponse messages. An attacker can influence the input flow to cause uninitialized data to be returned, potentially exposing 16 bytes of kernel memory. The leak can undermine protections such as KASLR and stack canaries and, in conjunction with a related remote code execution vulnerability, may contribute to a full exploit on vulnerable kernels.

Remediation

• Apply the vendor-supplied kernel security updates that fix CVE-2017-1000410. This includes updating to the patched kernel version provided by your distribution (e.g., Debian, Red Hat, Ubuntu) and rebooting the system.
• If a patched kernel is not immediately available, mitigate exposure by disabling Bluetooth functionality or restricting Bluetooth device exposure on affected systems (e.g., stop and disable the Bluetooth service, unload Bluetooth kernel modules if Bluetooth is not required).
• After applying updates, verify that the kernel version includes the fix (check package version and changelog or patch metadata) and that rebooted systems are running the patched kernel.
• Where feasible, perform an authenticated security scan or verification to confirm the vulnerability is mitigated in deployed kernels and validate that L2CAP handling paths no longer allow uninitialized data leakage.
• Consider applying defense-in-depth measures for Bluetooth exposure in enterprise environments (network-level access controls, limiting Bluetooth-enabled devices, and monitoring for suspicious Bluetooth configuration activity).

References

• [oss-security] 20171206 Info Leak in the Linux Kernel via Bluetooth, http://seclists.org/oss-sec/2017/q4/357
• DSA-4082, Debian security advisory, https://www.debian.org/security/2018/dsa-4082
• RHSA-2018:1062, Red Hat advisory, https://access.redhat.com/errata/RHSA-2018:1062
• RHSA-2018:0654, Red Hat advisory, https://access.redhat.com/errata/RHSA-2018:0654
• RHSA-2018:1319, Red Hat advisory, https://access.redhat.com/errata/RHSA-2018:1319
• RHSA-2018:0676, Red Hat advisory, https://access.redhat.com/errata/RHSA-2018:0676
• RHSA-2018:1170, Red Hat advisory, https://access.redhat.com/errata/RHSA-2018:1170
• RHSA-2018:1130, Red Hat advisory, https://access.redhat.com/errata/RHSA-2018:1130
• DSA-4073, Debian security advisory, https://www.debian.org/security/2017/dsa-4073
• 102101, BID entry, http://www.securityfocus.com/bid/102101
• USN-3933-2, Ubuntu security advisory, https://usn.ubuntu.com/3933-2/
• USN-3933-1, Ubuntu security advisory, https://usn.ubuntu.com/3933-1/