Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Well, this kernel Bluetooth exploit is depressing

If none of the specific sub-forums seem right for your thread, ask here.
Message
Author
User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Well, this kernel Bluetooth exploit is depressing

#1 Post by stevepusser »

It's rated as "high" by Intel:

https://security-tracker.debian.org/tra ... 2020-12351

We were just about ready to release MX 19.3, but now are going to wait until the patches land in Debian and we can backport the fixed kernel as needed. I guess we need to turn off the BT adapters if you're seeing some evil haxxor within 10 meters.
MX Linux packager and developer

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Well, this kernel Bluetooth exploit is depressing

#2 Post by Head_on_a_Stick »

Code: Select all

tee /etc/modprobe.d/bluetooth.conf <<!
blacklist btusb
blacklist btrtl
blacklist btbcm
blacklist btintel
blacklist bluetooth
!
^ Run that from a root prompt (or prepend the tee command with sudo) to prevent any Bluetooth kernel modules from loading.

Double check for any stray modules to add to that list with

Code: Select all

/sbin/lsmod | grep blue
If you are fortunate enough to own a ThinkPad then just disable the hardware from the firmware ("BIOS") options.
deadbang

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: Well, this kernel Bluetooth exploit is depressing

#3 Post by sgosnell »

You may have to wait awhile. According to the Intel site, the bug affects every kernel version prior to 5.10, and AFAIK there isn't even a release candidate for that yet. Even if a decision is made to patch every kernel in existence, which might or might not happen, it will take time to get all that done. I just won't allow any hackers inside my house for now. I don't allow anyone in anyway, hackers or not, except my son and his family, who I'm sure is quarantining because of his health issues. But just to make sure, I might keep the bluetooth disabled anyway. 8)
Take my advice, I'm not using it.

User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Well, this kernel Bluetooth exploit is depressing

#4 Post by stevepusser »

Head_on_a_Stick wrote:

Code: Select all

tee /etc/modprobe.d/bluetooth.conf <<!
blacklist btusb
blacklist btrtl
blacklist btbcm
blacklist btintel
blacklist bluetooth
!
^ Run that from a root prompt (or prepend the tee command with sudo) to prevent any Bluetooth kernel modules from loading.

Double check for any stray modules to add to that list with

Code: Select all

/sbin/lsmod | grep blue
If you are fortunate enough to own a ThinkPad then just disable the hardware from the firmware ("BIOS") options.
That seems like a pain if I can just turn the adapter off with Blueman or tlp...can a l33t haxxor turn it on remotely if it's not even receiving? Hmmm-- this 95 yr old guy sitting near me could be a haxxor in a Mission Impossible latex mask. I should clock him one just to be safe.

I thought the flaw was in kernels before 5.9. Debian has a 5.9~rc8 kernel in Experimental, which is supposed to be the same as the final release except for the versioning. I backported it for Buster a few days ago just to see it I could build it, but haven't installed it and tested any DKMS builds with it yet. I was waiting for Debian to do a final version before doing that.
MX Linux packager and developer

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: Well, this kernel Bluetooth exploit is depressing

#5 Post by sgosnell »

All I know is what the Intel site said.
Affected Products:

All Linux kernel versions before 5.10 that support BlueZ.
Take my advice, I'm not using it.

User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Well, this kernel Bluetooth exploit is depressing

#6 Post by stevepusser »

I can't find anything about 5.10 in this link: https://www.intel.com/content/www/us/en ... 00435.html

Can you give me your link?

Edit: Ah, I see they removed any kernel version in 1.1, implying that it's any kernel that has the BlueZ stack.
MX Linux packager and developer

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Well, this kernel Bluetooth exploit is depressing

#7 Post by Head_on_a_Stick »

stevepusser wrote:That seems like a pain if I can just turn the adapter off with Blueman or tlp
Well copy&pasting my code block should work fine and the method is universal and doesn't require extra packages.
deadbang

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: Well, this kernel Bluetooth exploit is depressing

#8 Post by sgosnell »

The quote was from here, https://www.intel.com/content/www/us/en ... 00435.html
That page has been modified as of 10/15 and the reference to kernel version numbers deleted.
Revision History
Revision Date Description
1.0 10/13/2020 Initial Release
1.1 10/15/2020 Removed reference to Linux kernel version
Now it just says all kernels that support BlueZ. The link is down the page of the link in the OP.
Take my advice, I'm not using it.

User avatar
metreo
Posts: 20
Joined: 2020-10-08 19:15

Re: Well, this kernel Bluetooth exploit is depressing

#9 Post by metreo »

Meta-comment: Bluetooth has never been secure and shouldn't ever be assumed to be secure even with the latest patched

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Well, this kernel Bluetooth exploit is depressing

#10 Post by Head_on_a_Stick »

^ +1
deadbang

User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Well, this kernel Bluetooth exploit is depressing

#11 Post by stevepusser »

The page now says a 5.9.1-1 kernel on the way to Sid repos fixes the issue, but it's not appearing in the repos I'm scanning yet. I presume that earlier kernels are now also getting patches and rebuilds. (crosses fingers, spits over left shoulder, avoids black cats)
MX Linux packager and developer

User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Well, this kernel Bluetooth exploit is depressing

#12 Post by stevepusser »

Does this page mean that Ubuntu "fixed it" just by disabling Bluetooth in the kernel config? Yikes!

https://people.canonical.com/~ubuntu-se ... 12351.html
MX Linux packager and developer

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: Well, this kernel Bluetooth exploit is depressing

#13 Post by sgosnell »

I'm not sure the "unstable" reference on the bug page is to Sid, Debian Unstable. The latest kernel in Experimental is still 5.9.0-rc8. I think the latest Linux kernel that is considered stable is 5.8. It seems to be taking some time to get the 5.9 kernel into any Debian repo. Although 5 days isn't really that long, 5.9 was only announced on the 12th. Actually, I just saw that 5.9.1 was released today, so 5.9 is considered stable now. Maybe we'll see it in Sid within a week or so.
Take my advice, I'm not using it.

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: Well, this kernel Bluetooth exploit is depressing

#14 Post by sgosnell »

Just did an update of Sid and kernel 5.9.1 was installed. The firmware didn't update, though, so I'm not going to reboot for awhile. I'm not positive that it will be updated, but I'm not in that much of a hurry to try the shiny new kernel. Tomorrow is soon enough. :D
Take my advice, I'm not using it.

anticapitalista
Posts: 428
Joined: 2007-12-14 23:16
Has thanked: 12 times
Been thanked: 13 times

Re: Well, this kernel Bluetooth exploit is depressing

#15 Post by anticapitalista »

stevepusser wrote:Does this page mean that Ubuntu "fixed it" just by disabling Bluetooth in the kernel config? Yikes!

https://people.canonical.com/~ubuntu-se ... 12351.html
Not according to kernel.org


https://git.kernel.org/pub/scm/linux/ke ... 3720bd4d22
antiX with runit - lean and mean.
https://antixlinux.com

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Well, this kernel Bluetooth exploit is depressing

#16 Post by Head_on_a_Stick »

sgosnell wrote:Actually, I just saw that 5.9.1 was released today, so 5.9 is considered stable now. Maybe we'll see it in Sid within a week or so.
See https://kernel.org to find the current "stable" kernel version. And the sid kernel is now fixed: https://security-tracker.debian.org/tra ... 2020-12351
deadbang

User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Well, this kernel Bluetooth exploit is depressing

#17 Post by stevepusser »

Head_on_a_Stick wrote:
sgosnell wrote:Actually, I just saw that 5.9.1 was released today, so 5.9 is considered stable now. Maybe we'll see it in Sid within a week or so.
See https://kernel.org to find the current "stable" kernel version. And the sid kernel is now fixed: https://security-tracker.debian.org/tra ... 2020-12351
Yes, I have 5.9.1 backported and running on Buster, but most third party DKMS drivers won't build on it yet, the exception being the broadcom-sta-dkms package in backports. I don't what Debian is planning to do for Stretch and/or 5.8 kernels, either, or if there's going to be another 5.8 kernel release that includes the fix in the source in Sid--the 5.8 kernel is up to 5.8.16.
MX Linux packager and developer

User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Well, this kernel Bluetooth exploit is depressing

#18 Post by stevepusser »

I believe the latest Liquorix 5.8 kernels also incorporate the fix, though.
MX Linux packager and developer

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: Well, this kernel Bluetooth exploit is depressing

#19 Post by sgosnell »

Debian seems to be in somewhat of a flux right now. A vote is being taken on whether to stay with systemd or go to another init system, just to name one issue. I have zero insight into what the future might be for anything right now. But I can say that a bluetooth exploit is among the least of my worries. Now if I had a phone running Debian, my priorities might be different, but that ain't happening any time soon.
Take my advice, I'm not using it.

User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Well, this kernel Bluetooth exploit is depressing

#20 Post by stevepusser »

Well, I'm using BT earbuds right now on a Debian base, and I can't be the only one, can I?

Virtual Box 6.1.16 was added to Sid a couple days ago, and I backported it to Buster and Stretch MX bases, and can confirm it builds and works with the 5.9.1 kernel.

So surprise! I'm waiting on either a 5.8.16 kernel in Debian or a better Nvidia driver than the beta in Experimental. It's always Nvidia.
MX Linux packager and developer

Post Reply