SailfishOS and Blueborne bluetooth attack

Question

45

SailfishOS and Blueborne bluetooth attack

Tracked by Jolla (In release)

asked 2017-09-12 18:14:21 +0300

Fuzzillogic

4825 ●66 ●95 ●88

updated 2017-09-13 19:32:07 +0300

lpr
4819 ●186 ●253 ●257

http://www.uni-tuebingen....

Is SailfishOS currently affected by the Blueborne attack on bluetooth? Linux is explicitly vulnerable. But it also states that ASLR provides a degree of protection.

ASLR seems to be in place on my J1 on 2.1.1.26:

[nemo@Sailfish ~]$ cat /proc/sys/kernel/randomize_va_space 
2

This is good, it means ASLR enabled: "Full address space randomization. Contains the feature of value 1 in addition brk area is randomized.")

[nemo@Sailfish ~]$ file /usr/sbin/bluetoothd
/usr/sbin/bluetoothd: ELF 32-bit LSB  shared object, ARM, EABI5 version 1…

This is also good: "shared object" instead of "executable", the latter would indicate it has position dependent code, and therefor no ASLR.

Does this indeed indicate sufficient protection for now?

edit retag flag offensive close delete

Comments

5

More details here: https://www.armis.com/blueborne/ (via https://blog.fefe.de/?ts=a746ec57)

cy8aer ( 2017-09-13 00:01:07 +0300 )edit

7

CVE-2017-1000250 and CVE-2017-1000251 : https://access.redhat.com/security/vulnerabilities/blueborne
android-security-bulletin: Sep-2017 CVE-2017-0783 A-63145701
phoronix-article: link
proof of concept of ASLR workaround: link (dealing with stagefright and android4.4 on armv7 but I don't think we're save from an adapted attack in general)

lpr ( 2017-09-13 13:31:39 +0300 )edit

2

glad to see that jolla track it :-)

cemoi71 ( 2017-09-15 12:37:28 +0300 )edit

More details here: https://www.armis.com/blueborne/ (via https://blog.fefe.de/?ts=a746ec57)
cy8aer ( 2017-09-13 00:01:07 +0300 )edit
CVE-2017-1000250 and CVE-2017-1000251 : https://access.redhat.com/security/vulnerabilities/blueborne
android-security-bulletin: Sep-2017 CVE-2017-0783 A-63145701
phoronix-article: link
proof of concept of ASLR workaround: link (dealing with stagefright and android4.4 on armv7 but I don't think we're save from an adapted attack in general)
lpr ( 2017-09-13 13:31:39 +0300 )edit
glad to see that jolla track it :-)
cemoi71 ( 2017-09-15 12:37:28 +0300 )edit

Answer 1

12

answered 2017-09-13 11:05:17 +0300

L_A_G
1410 ●19 ●20 ●26

updated 2017-09-13 13:31:53 +0300

If Broadpwn (a recent exploit of Broadcom wi-fi chip firmware), along with a host of other exploits, can get past kernel ASLR I don't think it's going to stop Blueborne either. The only kernel feature I'm aware of that actually stops Blueborne (a kernel buffer overflow exploit) is Kernel Stack Protector, a kernel-level anti buffer overflow feature activated at compile time. It's not enabled on most distros, or Android for that matter, so I wouldn't be too surprised if it's not enabled on SailfishOS either.

Rather annoyingly the developers of the Blueborne exploit notified Google, Microsoft and Apple of what they had come up with in May, but the Linux kernel developers were briefed only last month so the fix is only now being deployed in more actively maintained distros. This could have been fixed with the recent significant update to BlueZ, but the patch was only just deployed so it's obviously not in the version SailfishOS is using.

edit flag offensive delete publish link

Comments

4

Debian just did a security patch for libbluetooth3 for stretch.

cy8aer ( 2017-09-13 15:00:47 +0300 )edit

Answer 2

11

answered 2017-09-14 18:57:17 +0300

MariusP
401 ●6 ●11 ●15

I tested on JollaC the BlueBorne Vulnerability Scannerfrom Google Play, and it shows that, from the Android runtime, the phone is vulnerable https://play.google.com/store/apps/details?id=com.armis.blueborne_detector

SFOS 2.1.1.26 has kernel version 3.10.49+0.0.78 ; the bug is in all kernels from 3.3-rc1 up to and including 4.13.1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251

An upstream kernel patch is available on https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3

Most probably, all major Linux distributions will make available the updates, and we are waiting also for Jolla to do this.

edit flag offensive delete publish link

Comments

7

you can't exploit aliendalvik because it's not accessible for bluetooth at all :D

coderus ( 2017-09-14 19:52:14 +0300 )edit

6

^^ Thats why the BlueBorne Vulnerability Scanner also crashes btw.

leszek ( 2017-09-14 21:22:28 +0300 )edit

1

The BlueBorne Vulnerability Scanner from Google Play can be used from an Android phone to scan also other devices for this vulneraility. I tested in this way, and the discovered JollaC bluetooth appeared vulnerable, but with yellow color, not with red, like a windows 7 laptop, so I think that the risk on JollaC is medium.

MariusP ( 2017-09-16 11:11:07 +0300 )edit

I tested the same and got a medium/yellow warning when scanned from the outside. However, I cannot find any documentation on which CVE:s result in which colours so the vulnerability scanner was only somewhat useful.

jwalck ( 2017-09-16 22:29:33 +0300 )edit

The app shows my Nexus 7 2013 as yellow but Moto G2 as red and they are running same sfos so it's weird.

Also this patch for kernel is only one part. The second part is to patch bluez.

Mister_Magister ( 2017-10-05 10:55:51 +0300 )edit

Answer 3

5

answered 2017-09-17 07:26:41 +0300

Goldman
101 ●3 ●6 ●8

To developers: Any chance to Blueborne vulnerability will be patched in not yet released SF 2.1.1?

edit flag offensive delete publish link

Comments

1

If the patch is simple and available for the kernel it should be no big problem for Jolla to recompile the kernel and ship this one as soon as possible. (not even waiting for 2.1.1 to be fixed as it is an urgent security fix)

leszek ( 2017-09-18 20:47:24 +0300 )edit

1

It is not yet fixed in 2.1.2.

William ( 2017-10-02 20:07:49 +0300 )edit

Answer 4

4

answered 2017-10-04 16:04:47 +0300

ghling

4414 ●58 ●89 ●96

So it seems BlueBorne could not have been fixed until the release of 2.1.2. Maybe someone from Jolla can update us on the status and (ideally) give us an estimation when it can be fixed?

edit flag offensive delete publish link

Comments

7

The Blueborne issue has been fixed in a development version of 2.1.3. Our schedule is to roll 2.1.3 out towards the end of October.

jovirkku ( 2017-10-05 09:58:18 +0300 )edit

Answer 5

3

answered 2017-10-04 23:42:24 +0300

Mister_Magister
201 ●3 ●6 ●11

updated 2017-10-05 17:25:47 +0300

I was going to try to patch my sailfishos port for that, i have already needed patches just need some time. If it will work i'll give everything to somebody who can actually put this into official sfos devices.

EDIT: No success, i've patched kernel (that part is fine i think) and bluez but it still detects my device :( Maybe bluez needs to be updated to latest version.

EDIT2: This may be app fault and it's actually patched so patches are in comments.

edit flag offensive delete publish link

Comments

1

Seeing how Blueborne is a bluetooth stack attack and BlueZ is a bluetooth stack you obviously need to update BlueZ to fix this bug.

I don't mean to sound mean, but just patching the kernel is like servicing the suspension on your car and expecting this to fix a flat tyre.

L_A_G ( 2017-10-05 13:04:58 +0300 )edit

I said that i patched bluez didn'i? Patching kernel is first part of the blueborne fix and second part is patching bluez (which i obviously did)

Mister_Magister ( 2017-10-05 13:06:46 +0300 )edit

1

Umm... In your edit you said "Maybe bluez needs to be updated to latest version" which in combination with the issue not being fixed kind of suggests you haven't updated BlueZ to a version new new enough to contain the Blueborne fix.

L_A_G ( 2017-10-05 13:12:02 +0300 )edit

But i patched bluez means i fixed it for blueborne. I have the patch for bluez that fixes blueborne

Mister_Magister ( 2017-10-05 13:13:14 +0300 )edit

1

The fact that you're still vulnerable makes it pretty clear you don't have the patch that fixes the vulnerability used by Blueborne...

L_A_G ( 2017-10-05 13:15:06 +0300 )edit

SailfishOS and Blueborne bluetooth attack

Comments

5 Answers

Comments

Comments

Comments

Comments

Comments

Question tools

Stats

Related questions

SailfishOS and Blueborne bluetooth attack

Comments

5 Answers

Comments

Comments

Comments

Comments

Comments

Question tools

Public thread

Stats

Related questions