Bug 1166751 – VUL-0: CVE-2020-0556: bluez: Improper access control may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access

Bug 1166751 - (CVE-2020-0556) VUL-0: CVE-2020-0556: bluez: Improper access control may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access

(CVE-2020-0556)
Summary:	VUL-0: CVE-2020-0556: bluez: Improper access control may allow an unauthentic...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/254874/
Whiteboard:	CVSSv3.1:SUSE:CVE-2020-0556:6.3:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2020-03-16 10:53 UTC by Robert Frohl
Modified:	2022-10-31 19:38 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Frohl 2020-03-16 10:53:01 UTC

CVE-2020-0556

Improper access control in subsystem for BlueZ before version 5.53 may allow an
unauthenticated user to potentially enable escalation of privilege and denial of
service via adjacent access.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0556
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-0556.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html

Comment 1 Robert Frohl 2020-03-16 10:56:07 UTC

These codestreams seem affected:
- SUSE:SLE-12:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-15:Update

unsure, but the access control seems to be missing too:
- SUSE:SLE-11-SP1:Update
- SUSE:SLE-11-SP3:Update
- SUSE:SLE-11-SP4:Update

patches:
- https://patchwork.kernel.org/patch/11428317/
- https://patchwork.kernel.org/patch/11428319/

discussion of patches:
- https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/

Comment 2 Al Cho 2020-03-17 11:03:32 UTC

sr: 
SLE15:Update - 214089
SLE15-SP2:Update - 214090

(In reply to Robert Frohl from comment #1)
> These codestreams seem affected:
> - SUSE:SLE-12:Update
> - SUSE:SLE-12-SP2:Update
> - SUSE:SLE-15:Update
> 

SLE-12 and SLE-12-SP2 work in progress.

> unsure, but the access control seems to be missing too:
> - SUSE:SLE-11-SP1:Update
> - SUSE:SLE-11-SP3:Update
> - SUSE:SLE-11-SP4:Update
> 

Will check status ASAP.

> patches:
> - https://patchwork.kernel.org/patch/11428317/
> - https://patchwork.kernel.org/patch/11428319/
> 
> discussion of patches:
> -
> https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-
> alainm@chromium.org/

Comment 3 Al Cho 2020-03-18 04:57:35 UTC

(In reply to Al Cho from comment #2)
> sr: 
> SLE15:Update - 214089
> SLE15-SP2:Update - 214090
> 

revoke this two because there are 

commit f2778f5877d20696d68a452b26e4accb91bfb19e (HEAD -> master, origin/master, origin/HEAD)
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Wed Mar 11 11:43:21 2020 -0700

    input: Add LEAutoSecurity setting to input.conf
    
    LEAutoSecurity can be used to enable/disable automatic upgrades of
    security for LE devices, by default it is enabled so existing devices
    that did not require security and were not bonded will automatically
    upgrade the security.
    
    Note: Platforms disabling this setting would require users to manually
    bond the device which may require changes to the user interface to
    always force bonding for input devices as APIs such as Device.Connect
    will no longer work which maybe perceived as a regression.

commit 35d8d895cd0b724e58129374beb0bb4a2edf9519
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Tue Mar 10 09:59:07 2020 -0700

    input: hog: Attempt to set security level if not bonded
    
    This attempts to set the security if the device is not bonded, the
    kernel will block any communication on the ATT socket while bumping
    the security and if that fails the device will be disconnected which
    is better than having the device dangling around without being able to
    communicate with it until it is properly bonded.

for this issue, will also apply to fix.

> (In reply to Robert Frohl from comment #1)
> > These codestreams seem affected:
> > - SUSE:SLE-12:Update
> > - SUSE:SLE-12-SP2:Update
> > - SUSE:SLE-15:Update
> > 
> 
> SLE-12 and SLE-12-SP2 work in progress.
> 
> > unsure, but the access control seems to be missing too:
> > - SUSE:SLE-11-SP1:Update
> > - SUSE:SLE-11-SP3:Update
> > - SUSE:SLE-11-SP4:Update
> > 
> 
> Will check status ASAP.
> 
> > patches:
> > - https://patchwork.kernel.org/patch/11428317/
> > - https://patchwork.kernel.org/patch/11428319/
> > 
> > discussion of patches:
> > -
> > https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-
> > alainm@chromium.org/

Comment 5 Robert Frohl 2020-03-18 09:50:02 UTC

(In reply to Robert Frohl from comment #1)
> These codestreams seem affected:
> - SUSE:SLE-12:Update
> - SUSE:SLE-12-SP2:Update
> - SUSE:SLE-15:Update

For completeness sake: openSUSE:Factory is also affected

Comment 6 Al Cho 2020-03-18 09:59:11 UTC

sr
SLE-15:update - 214154
Base:System - 786108

> unsure, but the access control seems to be missing too:
> - SUSE:SLE-11-SP1:Update
> - SUSE:SLE-11-SP3:Update
> - SUSE:SLE-11-SP4:Update

We don't support HOG (HID over GATT) Profil before bluez-5.0.

> These codestreams seem affected:
> - SUSE:SLE-12:Update
> - SUSE:SLE-12-SP2:Update

WIP.

(In reply to Robert Frohl from comment #5)
> (In reply to Robert Frohl from comment #1)
> > These codestreams seem affected:
> > - SUSE:SLE-12:Update
> > - SUSE:SLE-12-SP2:Update
> > - SUSE:SLE-15:Update
> 
> For completeness sake: openSUSE:Factory is also affected

yes, already submitrequest to OBS (Base:System), it will push to openSUSE:Factory.

Comment 7 Swamp Workflow Management 2020-04-03 16:21:10 UTC

SUSE-SU-2020:0918-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1166751
CVE References: CVE-2020-0556
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    bluez-5.48-5.25.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    bluez-5.48-5.25.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    bluez-5.48-5.25.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    bluez-5.48-5.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Swamp Workflow Management 2020-04-08 19:20:14 UTC

openSUSE-SU-2020:0479-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1166751
CVE References: CVE-2020-0556
Sources used:
openSUSE Leap 15.1 (src):    bluez-5.48-lp151.8.12.1

Comment 9 Al Cho 2020-05-21 07:40:49 UTC

sr SLE-12:update - 218765

(In reply to Al Cho from comment #6)
> sr
> SLE-15:update - 214154
> Base:System - 786108
> 
> > unsure, but the access control seems to be missing too:
> > - SUSE:SLE-11-SP1:Update
> > - SUSE:SLE-11-SP3:Update
> > - SUSE:SLE-11-SP4:Update
> 
> We don't support HOG (HID over GATT) Profil before bluez-5.0.
> 
> > These codestreams seem affected:
> > - SUSE:SLE-12:Update
> > - SUSE:SLE-12-SP2:Update
> 
> WIP.
> 
> (In reply to Robert Frohl from comment #5)
> > (In reply to Robert Frohl from comment #1)
> > > These codestreams seem affected:
> > > - SUSE:SLE-12:Update
> > > - SUSE:SLE-12-SP2:Update
> > > - SUSE:SLE-15:Update
> > 
> > For completeness sake: openSUSE:Factory is also affected
> 
> yes, already submitrequest to OBS (Base:System), it will push to
> openSUSE:Factory.

Comment 11 OBSbugzilla Bot 2020-06-25 06:30:07 UTC

This is an autogenerated message for OBS integration:
This bug (1166751) was mentioned in
https://build.opensuse.org/request/show/816925 15.2 / bluez

Comment 12 Swamp Workflow Management 2020-06-26 19:15:39 UTC

openSUSE-SU-2020:0872-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1166751
CVE References: CVE-2020-0556
Sources used:
openSUSE Leap 15.2 (src):    bluez-5.48-lp152.12.3.1

Comment 14 Swamp Workflow Management 2020-10-26 14:19:43 UTC

SUSE-SU-2020:3034-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1166751,1177895
CVE References: CVE-2020-0556,CVE-2020-27153
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    bluez-5.48-13.3.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    bluez-5.48-13.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    bluez-5.48-13.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 17 Swamp Workflow Management 2020-11-25 17:33:27 UTC

SUSE-SU-2020:3516-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1166751
CVE References: CVE-2020-0556
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    bluez-5.13-5.23.1
SUSE OpenStack Cloud Crowbar 8 (src):    bluez-5.13-5.23.1
SUSE OpenStack Cloud 9 (src):    bluez-5.13-5.23.1
SUSE OpenStack Cloud 8 (src):    bluez-5.13-5.23.1
SUSE OpenStack Cloud 7 (src):    bluez-5.13-5.23.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    bluez-5.13-5.23.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    bluez-5.13-5.23.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    bluez-5.13-5.23.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    bluez-5.13-5.23.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    bluez-5.13-5.23.1
SUSE Linux Enterprise Server 12-SP5 (src):    bluez-5.13-5.23.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    bluez-5.13-5.23.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    bluez-5.13-5.23.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    bluez-5.13-5.23.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    bluez-5.13-5.23.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    bluez-5.13-5.23.1
SUSE Enterprise Storage 5 (src):    bluez-5.13-5.23.1
HPE Helion Openstack 8 (src):    bluez-5.13-5.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 19 Carlos López 2022-06-10 12:07:18 UTC

Done, closing.