39

SailfishOS and Blueborne bluetooth attack

Tracked by Jolla

asked 2017-09-12 18:14:21 +0300 by Fuzzillogic

updated 2017-09-13 19:32:07 +0300 by lpr

Is SailfishOS currently affected by the Blueborne attack on bluetooth? Linux is explicitly vulnerable. But it also states that ASLR provides a degree of protection.

ASLR seems to be in place on my J1 on 2.1.1.26:

[nemo@Sailfish ~]$ cat /proc/sys/kernel/randomize_va_space 
2

This is good, it means ASLR is enabled: "Full address space randomization. Contains the feature of value 1 in addition brk area is randomized."

[nemo@Sailfish ~]$ file /usr/sbin/bluetoothd
/usr/sbin/bluetoothd: ELF 32-bit LSB  shared object, ARM, EABI5 version 1…

This is also good: "shared object" instead of "executable", the latter would indicate it has position-dependent code, and therefore no ASLR.

Does this indeed indicate sufficient protection for now?


Comments

4

More details here: https://www.armis.com/blueborne/ (via https://blog.fefe.de/?ts=a746ec57)

cy8aer (2017-09-13 00:01:07 +0300)
7

CVE-2017-1000250 and CVE-2017-1000251 : https://access.redhat.com/security/vulnerabilities/blueborne
android-security-bulletin: Sep-2017 CVE-2017-0783 A-63145701
phoronix-article: link
proof of concept of ASLR workaround: link (dealing with stagefright and android4.4 on armv7 but I don't think we're safe from an adapted attack in general)

lpr (2017-09-13 13:31:39 +0300)
2

glad to see that Jolla tracks it :-)

cemoi71 (2017-09-15 12:37:28 +0300)

3 Answers

11

answered 2017-09-13 11:05:17 +0300 by L_A_G

updated 2017-09-13 13:31:53 +0300

If Broadpwn (a recent exploit of Broadcom wi-fi chip firmware), along with a host of other exploits, can get past kernel ASLR I don't think it's going to stop Blueborne either. The only kernel feature I'm aware of that actually stops Blueborne (a kernel buffer overflow exploit) is Kernel Stack Protector, a kernel-level anti buffer overflow feature activated at compile time. It's not enabled on most distros, or Android for that matter, so I wouldn't be too surprised if it's not enabled on SailfishOS either.

Rather annoyingly the developers of the Blueborne exploit notified Google, Microsoft and Apple of what they had come up with in May, but the Linux kernel developers were briefed only last month so the fix is only now being deployed in more actively maintained distros. This could have been fixed with the recent significant update to BlueZ, but the patch was only just deployed so it's obviously not in the version SailfishOS is using.


Comments

4

Debian just did a security patch for libbluetooth3 for stretch.

cy8aer (2017-09-13 15:00:47 +0300)
10

answered 2017-09-14 18:57:17 +0300 by MariusP

I tested on JollaC the BlueBorne Vulnerability Scanner from Google Play, and it shows that, from the Android runtime, the phone is vulnerable: https://play.google.com/store/apps/details?id=com.armis.blueborne_detector

SFOS 2.1.1.26 has kernel version 3.10.49+0.0.78; the bug is in all kernels from 3.3-rc1 up to and including 4.13.1: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251

An upstream kernel patch is available on https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3

Most probably, all major Linux distributions will make available the updates, and we are waiting also for Jolla to do this.


Comments

6

you can't exploit aliendalvik because it's not accessible for bluetooth at all :D

coderus (2017-09-14 19:52:14 +0300)
5

^^ That's why the BlueBorne Vulnerability Scanner also crashes btw.

leszek (2017-09-14 21:22:28 +0300)
1

The BlueBorne Vulnerability Scanner from Google Play can be used from an Android phone to scan also other devices for this vulnerability. I tested in this way, and the discovered JollaC bluetooth appeared vulnerable, but with yellow color, not with red, like a Windows 7 laptop, so I think that the risk on JollaC is medium.

MariusP (2017-09-16 11:11:07 +0300)

I tested the same and got a medium/yellow warning when scanned from the outside. However, I cannot find any documentation on which CVEs result in which colours, so the vulnerability scanner was only somewhat useful.

jwalck (2017-09-16 22:29:33 +0300)
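A scripted version of the checks from the question (randomize_va_space, whether bluetoothd is a position-independent ELF) combined with the kernel-version range MariusP quotes for CVE-2017-1000251. This is an added example, not code from the thread or from Jolla; it assumes readelf from binutils is installed, and the path /usr/sbin/bluetoothd is the one the question examined.

```shell
#!/bin/sh
# Added example, not from the thread: re-run the question's ASLR/PIE checks and
# compare the running kernel with the range quoted for CVE-2017-1000251.

# Meaning of /proc/sys/kernel/randomize_va_space (documented kernel values).
aslr_status() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "partial (stack, mmap, VDSO randomized; brk is not)" ;;
        2) echo "full (brk area randomized as well)" ;;
        *) echo "unknown value: $1" ;;
    esac
}

# ELF header type of a binary: DYN means position-independent (ASLR can move
# the image), EXEC means a fixed load address. Assumes readelf from binutils.
elf_type() {
    readelf -h "$1" 2>/dev/null | awk '/^ *Type:/ { print $2; exit }'
}

# "yes" if a kernel version lies in 3.3 .. 4.13.1 inclusive (the range given in
# the thread for CVE-2017-1000251), else "no". Vendor suffixes such as
# "+0.0.78" and tags such as "-rc1" are dropped, so 3.3-rc1 counts as 3.3.
kernel_in_affected_range() {
    v=${1%%[!0-9.]*}
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    key=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    if [ "$key" -ge 3003000 ] && [ "$key" -le 4013001 ]; then echo yes; else echo no; fi
}

# Print the three checks for this host; the binary path defaults to the one
# examined in the question.
report() {
    bin=${1:-/usr/sbin/bluetoothd}
    if [ -r /proc/sys/kernel/randomize_va_space ]; then
        echo "ASLR: $(aslr_status "$(cat /proc/sys/kernel/randomize_va_space)")"
    fi
    k=$(uname -r)
    echo "kernel $k in CVE-2017-1000251 range: $(kernel_in_affected_range "$k")"
    t=$(elf_type "$bin")
    echo "$bin ELF type: ${t:-unknown} (DYN = position-independent, EXEC = fixed address)"
}

# Only run the report when a binary path is given, so the functions can also be
# sourced:  sh aslr_check.sh /usr/sbin/bluetoothd
if [ $# -gt 0 ]; then report "$1"; fi
```

Re-running it after a kernel update shows at a glance whether the device has left the affected range, which the vulnerability scanner's colour codes do not tell you.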
5

answered 2017-09-17 07:26:41 +0300 by Goldman

To developers: Any chance that the Blueborne vulnerability will be patched in the not yet released SF 2.1.1?


Comments

1

If the patch is simple and available for the kernel it should be no big problem for Jolla to recompile the kernel and ship this one as soon as possible. (not even waiting for 2.1.1 to be fixed as it is an urgent security fix)

leszek (2017-09-18 20:47:24 +0300)