Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability



> -----Original Message-----
> From: Allen Wilson [mailto:awilson@xxxxxxxxxxxxxxx] On Behalf Of Research
> Sent: Thursday, October 12, 2006 5:30 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> SecureWorks Research Client Advisory
> Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability
> 
> October 11th, 2006
> 
> Summary:
> 
> A flaw exists in the Toshiba Bluetooth wireless device driver, used by
> multiple vendors, that allows a remote attacker within wireless range of
> a Bluetooth device to perform a denial-of-service (DoS) attack or
> execute arbitrary code at the highest privilege level.
> 
> Scope:
> 
> Toshiba Bluetooth host stack implementations version 3.x
> Toshiba Bluetooth host stack implementations version 4 through 4.00.35,
>   including all shipping OEM versions are vulnerable.
> Toshiba Bluetooth stacks running on 64-bit platforms are not vulnerable.
> Toshiba is the OEM for multiple vendor Bluetooth stacks including, but
>   not limited to:
>       - Dell Computers
>       - Sony Vaio
>       - ASUS Computers
>       - and possibly other brands.
> 
> Description:
> 
> Bluetooth is a standards-based wireless technology used for short-range
> data communications between electronic devices.  The vulnerable
> Bluetooth wireless device drivers are subject to potential attacks
> through specially crafted Bluetooth packets.  An attacker can
> potentially take advantage of these conditions to cause a memory
> corruption, a system crash, and/or the execution of arbitrary code at
> the highest privilege level.  An attacker would need to be within
> approximately 10 meters of the victim.  Additionally, an attacker would
> need the Bluetooth address of the victim's device.  Bluetooth addresses
> are easily enumerated through active scanning if the device allows
> discovery.
> 
> Detection:
> 
> Users of Toshiba's Bluetooth stack are encouraged to check the current
> Bluetooth stack version by selecting:
>       Version 3.x - "Device Properties...", then "General"
>       Version 4.x - "Options", then "General", then "Details"
> 
> Toshiba has advised that security patches are normally offered for all
> Bluetooth stacks.  Please consult the download details document for
> further information.
> 
> Users of Dell Bluetooth products are encouraged to verify the presence
> and version of their Bluetooth stack by double-clicking on the
> Bluetooth icon in the system tray to open the Bluetooth client utility
> and selecting "Help", then "About".
> 
> Recommendations:
> 
> Toshiba has recommended that affected users visit their Bluetooth
> vendor's website for an updated Bluetooth stack.  If a patch is
> unavailable, please visit the Toshiba Bluetooth website, which offers
> security updates for all Bluetooth stacks including OEM versions, as
> well as a Bluetooth Stack Security Pack at:
> http://aps.toshiba-tro.de/bluetooth/redirect.php?page=pages/download.php
> 
> Users of Dell Latitude D820/D620/D420/D520 are asked to verify the
> version of their Bluetooth stack using the method described above.  If
> your version is not 4.00.22(D) SP2 or newer, then it is recommended that
> users upgrade to the latest driver versions located at
> http://www.support.dell.com/.
> 
> Users of Dell Latitude D810/D610/D410/D510/X1 are asked to verify the
> version of their Bluetooth stack using the method described above.  If
> your version is not 4.00.20(D) SP2 or newer, then it is recommended
> that users upgrade to the latest driver versions to be made available
> by November 4th, 2006 at http://www.support.dell.com/.
> 
> Bluetooth device users should be set to non-discoverable mode during
> normal operations to reduce risk from this and other potential future
> Bluetooth attacks.
> 
> References:
> SecureWorks Research Client Advisory
> Multiple Vendor Bluetooth Stack Memory Corruption Vulnerability
>       http://www.secureworks.com/press/20061011-dell.html
> 
> Toshiba: Bluetooth Download Page
>       http://aps.toshiba-tro.de/bluetooth/redirect.php?page=pages/download.php
> 
> Dell Support
>       http://www.support.dell.com/
> 
> Buffer Overrun in Toshiba Bluetooth Stack for Windows
>       http://trifinite.org/trifinite_advisory_toshiba.html
> 
> CVSS Scoring:
> 
>       Access Vector:      Remote
>       Access Complexity:  High
>       Authentication:     Not Required
>       Confidentiality:    Complete
>       Integrity:          Complete
>       Availability:       Complete
>       Impact Bias:        Normal
>       Score:              8.0
> 
> Credits:
> 
> This vulnerability was discovered and researched by David Maynor of
> SecureWorks, Inc. and Jon Ellch.  SecureWorks would like to thank
> Christopher M. Davis and the entire Dell security response team as well
> as Armin Scheruebl of Toshiba Europe GmbH and the Toshiba Bluetooth
> Support team for their response and coordination.
> 
> About Secureworks
> 
> Please direct all security research related inquiries to:
> Allen Wilson
> (404) 417-3717
> research@xxxxxxxxxxxxxxx
> 
> All media inquiries should be directed to:
> Elizabeth Clarke
> (404) 486-4492
> eclarke@xxxxxxxxxxxxxxx
> 
> (c) Copyright 2006 SecureWorks, Inc.
> 
> This advisory may not be edited or modified in any way without the
> express written consent of SecureWorks, Inc.  If you wish to reprint
> this advisory or any portion or element thereof, please contact
> research@xxxxxxxxxxxxxxx to seek permission.  Permission is hereby
> granted to link to this advisory via the SecureWorks web-site at 
> http://www.secureworks.com/press/20061011-dell.html or use in
> accordance with the fair use doctrine of U.S. copyright laws.
> 
> Disclaimer: The information within this advisory may change without
> notice.  The most recent version of this advisory may be found on the
> SecureWorks web site at www.secureworks.com for a limited period of
> time.  Use of this information constitutes acceptance for use in an
> AS IS condition.  There are NO warranties, implied or otherwise, with
> regard to this information or its use.  ANY USE OF THIS INFORMATION IS
> AT THE USER'S RISK.  In no event shall SecureWorks be liable for any
> damages whatsoever arising out of or in connection with the use or
> spread of this information.
> 
> SecureWorks PGP Key available on MIT's PGP key server and PGP.com's key
> server, as well as
> http://www.secureworks.com/researchcenter/publickey.html
> 
> Revision History:
> 1.0; October 11th, 2006 - Initial advisory release
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.0 (Build 1202)
> 
> -----END PGP SIGNATURE-----
> 
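
The version checks in the advisory's Scope and Recommendations sections can be applied to a fleet inventory with a short script. The following is an added example, not part of the SecureWorks advisory or any vendor tooling; the `triage` helper, its status labels and the assumed version-string layout (`4.00.22(D) SP2`) are hypothetical, and the sample records are constructed.

```python
import re

# Thresholds come from the advisory text. The version-string layout
# ("4.00.22(D) SP2") is an assumption based on the strings it quotes.
TOSHIBA_LAST_VULNERABLE = (4, 0, 35)
DELL_MINIMUM = {
    ("D820", "D620", "D420", "D520"): ((4, 0, 22), 2),
    ("D810", "D610", "D410", "D510", "X1"): ((4, 0, 20), 2),
}
_VERSION = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(\(D\))?\s*(?:SP(\d+))?\s*$", re.I)


def parse_version(text):
    """Return ((major, minor, build), is_dell_build, service_pack)."""
    m = _VERSION.match(text)
    if m is None:
        raise ValueError(f"unrecognised stack version: {text!r}")
    major, minor, build, dell, sp = m.groups()
    return (int(major), int(minor), int(build or 0)), bool(dell), int(sp or 0)


def triage(version, model=None, is_64bit=False):
    """Classify one inventory record (hypothetical helper)."""
    if is_64bit:
        return "not-vulnerable"          # advisory: 64-bit stacks unaffected
    number, dell_build, sp = parse_version(version)
    model = model.upper() if model else None
    for models, minimum in DELL_MINIMUM.items():
        if model in models:
            # Assumption: a higher build number outranks any service pack.
            return "meets-minimum" if (number, sp) >= minimum else "vulnerable"
    if dell_build:
        return "review"                  # Dell build, model not in advisory
    if number[0] == 3 or (4, 0, 0) <= number <= TOSHIBA_LAST_VULNERABLE:
        return "vulnerable"
    return "review"                      # version outside the stated scope


if __name__ == "__main__":
    # Constructed sample inventory: (version string, model, 64-bit?)
    for record in [("4.00.22(D) SP2", "D620", False),
                   ("4.00.20(D) SP1", "X1", False),
                   ("3.20.01", None, False),
                   ("4.00.36", None, False)]:
        print(record, "->", triage(*record))
```

Records that come back as `review` fall outside what the advisory states and need a manual check against the vendor's download page.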



 



