SailfishOS and Blueborne bluetooth attack

Tracked by Jolla (In release)

asked 2017-09-12 18:14:21 +0300

Fuzzillogic

updated 2017-09-13 19:32:07 +0300

lpr

Is SailfishOS currently affected by the Blueborne attack on bluetooth? Linux is explicitly vulnerable. But it also states that ASLR provides a degree of protection.

ASLR seems to be in place on my J1 on

[nemo@Sailfish ~]$ cat /proc/sys/kernel/randomize_va_space 

This is good, it means ASLR is enabled: "Full address space randomization. Contains the feature of value 1 in addition brk area is randomized."

[nemo@Sailfish ~]$ file /usr/sbin/bluetoothd
/usr/sbin/bluetoothd: ELF 32-bit LSB  shared object, ARM, EABI5 version 1…

This is also good: "shared object" instead of "executable", the latter would indicate it has position dependent code, and therefore no ASLR.

Does this indeed indicate sufficient protection for now?

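The two checks in the question, written out as an added POSIX shell example that is not from the original post: it reads the ELF header with od instead of relying on `file`, so it honours the endianness byte before decoding e_type, and it takes the sysctl and binary paths as arguments so the same functions can be pointed at a test file.

```shell
#!/bin/sh
# Added example, not from the original post: the two checks from the question,
# done without `file` so they also run on a minimal image.
# Usage: sh aslr_check.sh /proc/sys/kernel/randomize_va_space /usr/sbin/bluetoothd
# Translate the kernel's randomize_va_space value into words.
aslr_mode() {
    read -r val < "$1" || return 1
    case "$val" in
        0) echo "disabled" ;;
        1) echo "partial (stack, mmap and vdso randomized, brk is not)" ;;
        2) echo "full (partial plus randomized brk area)" ;;
        *) echo "unknown value: $val"; return 1 ;;
    esac
}
# Decode e_type straight from the ELF header.  Byte 5 (EI_DATA) gives the byte
# order (01 = LSB, 02 = MSB) and e_type is the 16-bit field at offset 16, stored
# in that order: 2 = ET_EXEC (fixed load address, which `file` prints as
# "executable"), 3 = ET_DYN (relocatable image, printed as "shared object").
elf_type() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not an ELF file"; return 1; }
    endian=$(od -An -tx1 -j5 -N1 "$f" | tr -d ' \n')
    set -- $(od -An -tx1 -j16 -N2 "$f")         # $1 = low-address byte, $2 = next
    if [ "$endian" = "01" ]; then
        type_hex="$2$1"                         # little-endian: swap the bytes
    else
        type_hex="$1$2"                         # big-endian: keep as stored
    fi
    case "$type_hex" in
        0002) echo "ET_EXEC: position-dependent, not covered by ASLR" ;;
        0003) echo "ET_DYN: position-independent (PIE or shared object)" ;;
        *)    echo "other e_type 0x$type_hex" ;;
    esac
}
# User-space ASLR only helps the daemon when both conditions hold.  It does
# nothing for a flaw inside the kernel's own Bluetooth stack, so this answers
# only the user-space part of the question.
aslr_verdict() {
    mode=$(aslr_mode "$1") || return 1
    etype=$(elf_type "$2") || return 1
    case "$mode|$etype" in
        full*"|ET_DYN"*) echo "image randomized" ;;
        *) echo "image not fully randomized (aslr=$mode; binary=$etype)" ;;
    esac
}
if [ "$#" -eq 2 ]; then
    aslr_verdict "$1" "$2"
fi
```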



More details here: (via

cy8aer ( 2017-09-13 00:01:07 +0300 )

CVE-2017-1000250 and CVE-2017-1000251:
android-security-bulletin: Sep-2017 CVE-2017-0783 A-63145701
phoronix-article: link
proof of concept of ASLR workaround: link (dealing with stagefright and android4.4 on armv7 but I don't think we're safe from an adapted attack in general)

lpr ( 2017-09-13 13:31:39 +0300 )

glad to see that Jolla tracks it :-)

cemoi71 ( 2017-09-15 12:37:28 +0300 )

5 Answers


answered 2017-09-13 11:05:17 +0300

L_A_G

updated 2017-09-13 13:31:53 +0300

If Broadpwn (a recent exploit of Broadcom wi-fi chip firmware), along with a host of other exploits, can get past kernel ASLR, I don't think it's going to stop Blueborne either. The only kernel feature I'm aware of that actually stops Blueborne (a kernel buffer overflow exploit) is Kernel Stack Protector, a kernel-level anti-buffer-overflow feature activated at compile time. It's not enabled on most distros, or Android for that matter, so I wouldn't be too surprised if it's not enabled on SailfishOS either.

Rather annoyingly, the developers of the Blueborne exploit notified Google, Microsoft and Apple of what they had come up with in May, but the Linux kernel developers were briefed only last month, so the fix is only now being deployed in more actively maintained distros. This could have been fixed with the recent significant update to BlueZ, but the patch was only just deployed, so it's obviously not in the version SailfishOS is using.




Debian just did a security patch for libbluetooth3 for stretch.

cy8aer ( 2017-09-13 15:00:47 +0300 )

answered 2017-09-14 18:57:17 +0300

MariusP

I tested on JollaC the BlueBorne Vulnerability Scanner from Google Play, and it shows that, from the Android runtime, the phone is vulnerable.

SFOS has kernel version 3.10.49+0.0.78; the bug is in all kernels from 3.3-rc1 up to and including 4.13.1.

An upstream kernel patch is available on

Most probably, all major Linux distributions will make available the updates, and we are waiting also for Jolla to do this.




You can't exploit aliendalvik because it's not accessible for bluetooth at all :D

coderus ( 2017-09-14 19:52:14 +0300 )

^^ That's why the BlueBorne Vulnerability Scanner also crashes btw.

leszek ( 2017-09-14 21:22:28 +0300 )

The BlueBorne Vulnerability Scanner from Google Play can be used from an Android phone to scan other devices for this vulnerability as well. I tested in this way, and the discovered JollaC bluetooth appeared vulnerable, but with yellow colour, not with red like a Windows 7 laptop, so I think that the risk on JollaC is medium.

MariusP ( 2017-09-16 11:11:07 +0300 )

I tested the same and got a medium/yellow warning when scanned from the outside. However, I cannot find any documentation on which CVEs result in which colours, so the vulnerability scanner was only somewhat useful.

jwalck ( 2017-09-16 22:29:33 +0300 )

The app shows my Nexus 7 2013 as yellow but Moto G2 as red, and they are running the same SFOS, so it's weird.

Also, this patch for the kernel is only one part. The second part is to patch bluez.

Mister_Magister ( 2017-10-05 10:55:51 +0300 )

answered 2017-09-17 07:26:41 +0300

Goldman

To developers: Any chance the Blueborne vulnerability will be patched in the not yet released SF 2.1.1?




If the patch is simple and available for the kernel, it should be no big problem for Jolla to recompile the kernel and ship it as soon as possible (not even waiting for 2.1.1, as it is an urgent security fix).

leszek ( 2017-09-18 20:47:24 +0300 )

It is not yet fixed in 2.1.2.

William ( 2017-10-02 20:07:49 +0300 )

answered 2017-10-04 16:04:47 +0300

ghling

So it seems BlueBorne could not have been fixed until the release of 2.1.2. Maybe someone from Jolla can update us on the status and (ideally) give us an estimation when it can be fixed?




The Blueborne issue has been fixed in a development version of 2.1.3. Our schedule is to roll 2.1.3 out towards the end of October.

jovirkku ( 2017-10-05 09:58:18 +0300 )

answered 2017-10-04 23:42:24 +0300

Mister_Magister

updated 2017-10-05 17:25:47 +0300

I was going to try to patch my SailfishOS port for that; I already have the needed patches, I just need some time. If it works, I'll give everything to somebody who can actually put this into official SFOS devices.

EDIT: No success. I've patched the kernel (that part is fine, I think) and bluez, but it still detects my device :( Maybe bluez needs to be updated to the latest version.

EDIT2: This may be the app's fault and it's actually patched, so the patches are in the comments.




Seeing how Blueborne is a bluetooth stack attack and BlueZ is a bluetooth stack, you obviously need to update BlueZ to fix this bug.

I don't mean to sound mean, but just patching the kernel is like servicing the suspension on your car and expecting this to fix a flat tyre.

L_A_G ( 2017-10-05 13:04:58 +0300 )

I said that I patched bluez, didn't I? Patching the kernel is the first part of the Blueborne fix and the second part is patching bluez (which I obviously did).

Mister_Magister ( 2017-10-05 13:06:46 +0300 )

Umm... In your edit you said "Maybe bluez needs to be updated to latest version", which in combination with the issue not being fixed kind of suggests you haven't updated BlueZ to a version new enough to contain the Blueborne fix.

L_A_G ( 2017-10-05 13:12:02 +0300 )

But "I patched bluez" means I fixed it for Blueborne. I have the patch for bluez that fixes Blueborne.

Mister_Magister ( 2017-10-05 13:13:14 +0300 )

The fact that you're still vulnerable makes it pretty clear you don't have the patch that fixes the vulnerability used by Blueborne...

L_A_G ( 2017-10-05 13:15:06 +0300 )

Last updated: Oct 05 '17