Vulnerabilities detected in Linux that can be exploited through Bluetooth


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or generally cause problems

News recently broke that two vulnerabilities were identified in the Linux kernel (already cataloged under CVE-2022-42896) that can potentially be used to achieve remote code execution at the kernel level by sending a specially crafted L2CAP packet over Bluetooth.

The first vulnerability (CVE-2022-42896) is a use-after-free: an already freed memory area is accessed in the implementation of the l2cap_connect and l2cap_le_connect_req functions.

The flaw can be triggered after a channel is created through the new_connection callback. The callback does not block setup of the channel, but it does set a timer (__set_chan_timer). When the timeout expires, l2cap_chan_timeout is called and cleans up the channel without checking whether the l2cap_le_connect* functions have finished working with it.

The default timeout is 40 seconds, and it was assumed that a race condition could not occur with that much delay. It turned out, however, that another bug in the SMP driver made it possible to fire the timer instantly and reach the race condition.

The problem in l2cap_le_connect_req can cause a kernel memory leak, while the one in l2cap_connect allows an attacker to overwrite the contents of memory and run their own code. The first variant of the attack can be carried out using Bluetooth LE 4.0 (since 2009), the second using Bluetooth BR/EDR 5.2 (since 2020).

There are use-after-free vulnerabilities in the Linux kernel functions l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c that may allow code execution and kernel memory leak (respectively) remotely via Bluetooth. A remote attacker could execute code that leaks kernel memory over Bluetooth if in close proximity to the victim. We recommend updating the past commit

The second vulnerability that was detected (already cataloged under CVE-2022-42895) is caused by a residual memory leak in the l2cap_parse_conf_req function, which can be used to remotely obtain information about pointers to kernel structures by sending specially crafted configure requests.

In the l2cap_parse_conf_req function, the l2cap_conf_efs structure was used without its allocated memory having been initialized first, and by manipulating the FLAG_EFS_ENABLE flag it was possible to get old data from the stack included in the packet.

the FLAG_EFS_ENABLE channel flag instead of the remote_efs variable to decide if the l2cap_conf_efs efs structure should be used or not and it is possible to set the FLAG_EFS_ENABLE flag without actually sending EFS configuration data and, in this case, the uninitialized l2cap_conf_efs efs structure will be sent back to the remote client, thus leaking information about the contents of kernel memory, including kernel pointers.

The problem only occurs on systems where the kernel is built with the CONFIG_BT_HS option (disabled by default, but enabled on some distributions, like Ubuntu). A successful attack also requires the HCI_HS_ENABLED parameter to be set to true via the management interface (it is not used by default).
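The uninitialized-structure leak described above, modelled in userspace C as an added example (it is not kernel code and not from the original article). The names parse_conf_req, slot and leaked_bytes, the 16-byte size and the 0xA5 residue are assumptions made for the illustration, and the hardened branch is one way to close the gap, not necessarily the kernel's own patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFS_LEN 16                       /* assumed size of the modelled EFS body */

struct chan { bool flag_efs_enable; };   /* models the FLAG_EFS_ENABLE channel flag */

/* Userspace model of the request handler. `slot` stands in for the stack
 * memory of the local efs variable and holds whatever was there before.
 * `req_efs` is NULL when the request carries no EFS option.
 * Returns the number of efs bytes copied into the response. */
size_t parse_conf_req(const struct chan *c, const uint8_t *req_efs,
                      uint8_t *slot, uint8_t *rsp, bool hardened)
{
    bool remote_efs = false;
    if (hardened)
        memset(slot, 0, EFS_LEN);        /* never start from stale memory */
    if (req_efs) {                       /* option actually present in the request */
        memcpy(slot, req_efs, EFS_LEN);
        remote_efs = true;
    }
    /* Flawed decision: channel flag only. Hardened: also require that
     * EFS data arrived in this request. */
    bool echo = hardened ? (remote_efs && c->flag_efs_enable)
                         : c->flag_efs_enable;
    if (!echo)
        return 0;
    memcpy(rsp, slot, EFS_LEN);
    return EFS_LEN;
}

/* Counts stale bytes returned when the flag is set but no EFS data was sent. */
size_t leaked_bytes(bool hardened)
{
    struct chan c = { .flag_efs_enable = true };
    uint8_t slot[EFS_LEN], rsp[EFS_LEN] = {0};
    memset(slot, 0xA5, sizeof slot);     /* constructed residue, e.g. old pointers */
    size_t n = parse_conf_req(&c, NULL, slot, rsp, hardened), leaked = 0;
    for (size_t i = 0; i < n; i++)
        leaked += (rsp[i] == 0xA5);
    return leaked;
}

int main(void)
{
    printf("flawed: %zu, hardened: %zu\n", leaked_bytes(false), leaked_bytes(true));
    return 0;
}
```

The same two defences apply to any handler that echoes a local structure back to a peer: zero it at declaration, and gate the echo on data received in the current request rather than on persistent state.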

Exploit prototypes that run on Ubuntu 22.04 have already been released for these two bugs to demonstrate the possibility of a remote attack.

To carry out the attack, the attacker must be within Bluetooth range; no prior pairing is required, but Bluetooth must be active on the computer. For an attack, it is enough to know the MAC address of the victim's device, which can be determined by sniffing or, on some devices, calculated based on the Wi-Fi MAC address.

Finally it is worth mentioning that another similar problem was identified (CVE-2022-42895) in the L2CAP controller which can leak kernel memory content in configuration information packets. The first vulnerability has been manifested since August 2014 (kernel 3.16), and the second since October 2011 (kernel 3.0).

Those interested in tracking the fix in the distributions can do so on the following pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.
