Well, this kernel Bluetooth exploit is depressing
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 71 times
Well, this kernel Bluetooth exploit is depressing
It's rated as "high" by Intel:
https://security-tracker.debian.org/tra ... 2020-12351
We were just about ready to release MX 19.3, but now are going to wait until the patches land in Debian and we can backport the fixed kernel as needed. I guess we need to turn off the BT adapters if you're seeing some evil haxxor within 10 meters.
MX Linux packager and developer
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Well, this kernel Bluetooth exploit is depressing
Code: Select all
tee /etc/modprobe.d/bluetooth.conf <<!
blacklist btusb
blacklist btrtl
blacklist btbcm
blacklist btintel
blacklist bluetooth
!
Double check for any stray modules to add to that list with
Code: Select all
/sbin/lsmod | grep blue
deadbang
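The "double check for stray modules" step from the post above, as an added example that is not part of the original post: it reads lsmod output, collects every module the bluetooth row lists under "Used by", and reports the ones that have no blacklist line yet. The function names and the sample lsmod and config text are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

SAMPLE_LSMOD='Module                  Size  Used by
rfcomm                 90112  4
bnep                   28672  2
btusb                  65536  0
btrtl                  24576  1 btusb
btbcm                  20480  1 btusb
btintel                36864  1 btusb
bluetooth             749568  31 btrtl,btintel,btbcm,bnep,btusb,rfcomm
rfkill                 28672  6 bluetooth'

SAMPLE_CONF='blacklist btusb
blacklist btrtl
blacklist btbcm
blacklist btintel
blacklist bluetooth'

# Modules named bt*/blue*, plus every module the "bluetooth" row lists under "Used by".
bt_modules() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }
        $1 == "bluetooth" {
            n = split($4, users, ",")
            for (i = 1; i <= n; i++) if (users[i] != "") seen[users[i]] = 1
        }
        $1 ~ /^(bt|blue)/ { seen[$1] = 1 }
        END { for (m in seen) print m }' | sort
}

# Module names on "blacklist" lines; modprobe treats - and _ alike, so normalise to _.
blacklisted() {
    printf '%s\n' "$1" | awk '$1 == "blacklist" { print $2 }' | tr '-' '_' | sort -u
}

# Loaded Bluetooth modules that have no blacklist line yet.
missing_from_blacklist() {
    listed=$(blacklisted "$2")
    for m in $(bt_modules "$1"); do
        printf '%s\n' "$listed" | grep -qx "$m" || printf '%s\n' "$m"
    done
}

missing_from_blacklist "$SAMPLE_LSMOD" "$SAMPLE_CONF"   # prints bnep and rfcomm
```

On a live system the same check is `missing_from_blacklist "$(/sbin/lsmod)" "$(cat /etc/modprobe.d/*.conf)"`. A `blacklist` line only stops alias-based autoloading, so a listed module can still be loaded by name or pulled in as a dependency of another module.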
Re: Well, this kernel Bluetooth exploit is depressing
You may have to wait awhile. According to the Intel site, the bug affects every kernel version prior to 5.10, and AFAIK there isn't even a release candidate for that yet. Even if a decision is made to patch every kernel in existence, which might or might not happen, it will take time to get all that done. I just won't allow any hackers inside my house for now. I don't allow anyone in anyway, hackers or not, except my son and his family, who I'm sure is quarantining because of his health issues. But just to make sure, I might keep the bluetooth disabled anyway.
Take my advice, I'm not using it.
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 71 times
Re: Well, this kernel Bluetooth exploit is depressing
> Head_on_a_Stick wrote:
> Code: Select all
> tee /etc/modprobe.d/bluetooth.conf <<!
> blacklist btusb
> blacklist btrtl
> blacklist btbcm
> blacklist btintel
> blacklist bluetooth
> !
> ^ Run that from a root prompt (or prepend the tee command with sudo) to prevent any Bluetooth kernel modules from loading.
> Double check for any stray modules to add to that list with
> Code: Select all
> /sbin/lsmod | grep blue
> If you are fortunate enough to own a ThinkPad then just disable the hardware from the firmware ("BIOS") options.
That seems like a pain if I can just turn the adapter off with Blueman or tlp...can a l33t haxxor turn it on remotely if it's not even receiving? Hmmm-- this 95 yr old guy sitting near me could be a haxxor in a Mission Impossible latex mask. I should clock him one just to be safe.
I thought the flaw was in kernels before 5.9. Debian has a 5.9~rc8 kernel in Experimental, which is supposed to be the same as the final release except for the versioning. I backported it for Buster a few days ago just to see if I could build it, but haven't installed it and tested any DKMS builds with it yet. I was waiting for Debian to do a final version before doing that.
MX Linux packager and developer
Re: Well, this kernel Bluetooth exploit is depressing
All I know is what the Intel site said.
Affected Products:
All Linux kernel versions before 5.10 that support BlueZ.
Take my advice, I'm not using it.
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 71 times
Re: Well, this kernel Bluetooth exploit is depressing
I can't find anything about 5.10 in this link: https://www.intel.com/content/www/us/en ... 00435.html
Can you give me your link?
Edit: Ah, I see they removed any kernel version in 1.1, implying that it's any kernel that has the BlueZ stack.
MX Linux packager and developer
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Well, this kernel Bluetooth exploit is depressing
> stevepusser wrote:
> That seems like a pain if I can just turn the adapter off with Blueman or tlp
Well copy&pasting my code block should work fine and the method is universal and doesn't require extra packages.
deadbang
Re: Well, this kernel Bluetooth exploit is depressing
The quote was from here, https://www.intel.com/content/www/us/en ... 00435.html
That page has been modified as of 10/15 and the reference to kernel version numbers deleted.
Revision History
Revision | Date | Description
1.0 | 10/13/2020 | Initial Release
1.1 | 10/15/2020 | Removed reference to Linux kernel version
Now it just says all kernels that support BlueZ. The link is down the page of the link in the OP.
Take my advice, I'm not using it.
Re: Well, this kernel Bluetooth exploit is depressing
Meta-comment: Bluetooth has never been secure and shouldn't ever be assumed to be secure even with the latest patched
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 71 times
Re: Well, this kernel Bluetooth exploit is depressing
The page now says a 5.9.1-1 kernel on the way to Sid repos fixes the issue, but it's not appearing in the repos I'm scanning yet. I presume that earlier kernels are now also getting patches and rebuilds. (crosses fingers, spits over left shoulder, avoids black cats)
MX Linux packager and developer
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 71 times
Re: Well, this kernel Bluetooth exploit is depressing
Does this page mean that Ubuntu "fixed it" just by disabling Bluetooth in the kernel config? Yikes!
https://people.canonical.com/~ubuntu-se ... 12351.html
MX Linux packager and developer
Re: Well, this kernel Bluetooth exploit is depressing
I'm not sure the "unstable" reference on the bug page is to Sid, Debian Unstable. The latest kernel in Experimental is still 5.9.0-rc8. I think the latest Linux kernel that is considered stable is 5.8. It seems to be taking some time to get the 5.9 kernel into any Debian repo. Although 5 days isn't really that long, 5.9 was only announced on the 12th. Actually, I just saw that 5.9.1 was released today, so 5.9 is considered stable now. Maybe we'll see it in Sid within a week or so.
Take my advice, I'm not using it.
Re: Well, this kernel Bluetooth exploit is depressing
Just did an update of Sid and kernel 5.9.1 was installed. The firmware didn't update, though, so I'm not going to reboot for awhile. I'm not positive that it will be updated, but I'm not in that much of a hurry to try the shiny new kernel. Tomorrow is soon enough.
Take my advice, I'm not using it.
-
- Posts: 428
- Joined: 2007-12-14 23:16
- Has thanked: 12 times
- Been thanked: 13 times
Re: Well, this kernel Bluetooth exploit is depressing
> stevepusser wrote:
> Does this page mean that Ubuntu "fixed it" just by disabling Bluetooth in the kernel config? Yikes!
> https://people.canonical.com/~ubuntu-se ... 12351.html
Not according to kernel.org
https://git.kernel.org/pub/scm/linux/ke ... 3720bd4d22
antiX with runit - lean and mean.
https://antixlinux.com
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Well, this kernel Bluetooth exploit is depressing
> sgosnell wrote:
> Actually, I just saw that 5.9.1 was released today, so 5.9 is considered stable now. Maybe we'll see it in Sid within a week or so.
See https://kernel.org to find the current "stable" kernel version. And the sid kernel is now fixed: https://security-tracker.debian.org/tra ... 2020-12351
deadbang
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 71 times
Re: Well, this kernel Bluetooth exploit is depressing
> Head_on_a_Stick wrote:
> > sgosnell wrote:
> > Actually, I just saw that 5.9.1 was released today, so 5.9 is considered stable now. Maybe we'll see it in Sid within a week or so.
> See https://kernel.org to find the current "stable" kernel version. And the sid kernel is now fixed: https://security-tracker.debian.org/tra ... 2020-12351
Yes, I have 5.9.1 backported and running on Buster, but most third party DKMS drivers won't build on it yet, the exception being the broadcom-sta-dkms package in backports. I don't know what Debian is planning to do for Stretch and/or 5.8 kernels, either, or if there's going to be another 5.8 kernel release that includes the fix in the source in Sid--the 5.8 kernel is up to 5.8.16.
MX Linux packager and developer
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 71 times
Re: Well, this kernel Bluetooth exploit is depressing
I believe the latest Liquorix 5.8 kernels also incorporate the fix, though.
MX Linux packager and developer
Re: Well, this kernel Bluetooth exploit is depressing
Debian seems to be in somewhat of a flux right now. A vote is being taken on whether to stay with systemd or go to another init system, just to name one issue. I have zero insight into what the future might be for anything right now. But I can say that a bluetooth exploit is among the least of my worries. Now if I had a phone running Debian, my priorities might be different, but that ain't happening any time soon.
Take my advice, I'm not using it.
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 71 times
Re: Well, this kernel Bluetooth exploit is depressing
Well, I'm using BT earbuds right now on a Debian base, and I can't be the only one, can I?
Virtual Box 6.1.16 was added to Sid a couple days ago, and I backported it to Buster and Stretch MX bases, and can confirm it builds and works with the 5.9.1 kernel.
So surprise! I'm waiting on either a 5.8.16 kernel in Debian or a better Nvidia driver than the beta in Experimental. It's always Nvidia.
MX Linux packager and developer