Threat Analysis

Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability

  • Date: October 11, 2006

Summary:

A flaw exists in the Toshiba Bluetooth wireless device driver, used by multiple vendors, that allows a remote attacker within wireless range of a Bluetooth device to perform a denial-of-service (DoS) attack or execute arbitrary code at the highest privilege level.

Scope:

Toshiba Bluetooth host stack implementations version 3.x

Toshiba Bluetooth host stack implementations version 4 through 4.00.35, including all shipping OEM versions are vulnerable.

Toshiba Bluetooth stacks running on 64-bit platforms are not vulnerable.

Toshiba is the OEM for multiple vendor Bluetooth stacks including, but not limited to:

  • Dell Computers
  • Sony Vaio
  • ASUS Computers
  • and possibly other brands

 

Description:

Bluetooth is a standards-based wireless technology used for short-range data communications between electronic devices. The vulnerable Bluetooth wireless device drivers are subject to potential attacks through specially crafted Bluetooth packets. An attacker can potentially take advantage of these conditions to cause a memory corruption, a system crash, and/or the execution of arbitrary code at the highest privilege level. An attacker would need to be within approximately 10 meters of the victim. Additionally, an attacker would need the Bluetooth address of the victim's device. Bluetooth addresses are easily enumerated through active scanning if the device allows discovery.

Detection:

Users of Toshiba's Bluetooth stack are encouraged to check the current Bluetooth stack version by selecting:

  • Version 3.x -- "Device Properties," then "General"
  • Version 4.x -- "Options", then "General", then "Details"

Toshiba has advised that security patches are normally offered for all Bluetooth stacks. Please consult the download details document for further information.

Users of Dell Bluetooth products are encouraged to verify the presence and version of their Bluetooth stack by double-clicking on the Bluetooth icon in the system tray to open the Bluetooth client utility and selecting "Help", then "About".

Recommendations:

Toshiba has recommended that affected users visit their Bluetooth vendor's website for an updated Bluetooth stack. If a patch is unavailable, please visit the Toshiba Bluetooth website, which offers security updates for all Bluetooth stacks including OEM versions, as well as a Bluetooth Stack Security Pack at: http://aps.toshiba-tro.de/bluetooth/redirect.php?page=pages/download.php

Users of Dell Latitude D820/D620/D420/D520 are asked to verify the version of their Bluetooth stack using the method described above. If your version is not 4.00.22(D) SP2 or newer, then it is recommended that users upgrade to the latest driver versions located at http://www.support.dell.com/.

Users of Dell Latitude D810/D610/D410/D510/X1 are asked to verify the version of their Bluetooth stack using the method described above. If your version is not 4.00.20(D) SP2 or newer, then it is recommended that users upgrade to the latest driver versions to be made available by November 4th, 2006 at http://www.support.dell.com/.
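For triaging an inventory of stack versions against the rules above, the following Python is an added example, not SecureWorks, Toshiba or Dell code. The version-string format, the status labels and the reading of "or newer" (a higher build number, or the same build with an equal or higher service pack) are assumptions.

```python
import re

# Thresholds come from the advisory text; the parsing rules are assumptions.
GENERIC_LAST_VULNERABLE = (4, 0, 35)   # "version 4 through 4.00.35"
DELL_FIXED = {                         # first fixed build per Latitude family
    frozenset({"D820", "D620", "D420", "D520"}): ((4, 0, 22), 2),
    frozenset({"D810", "D610", "D410", "D510", "X1"}): ((4, 0, 20), 2),
}
# Assumed string format: "4.00.22(D) SP2" or plain "4.00.35".
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s*(\(D\))?\s*(?:SP(\d+))?\s*$", re.I)


def parse_version(text):
    """Return ((major, minor, build), is_dell_build, service_pack) or None."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    number = tuple(int(m.group(i)) for i in (1, 2, 3))
    return number, bool(m.group(4)), int(m.group(5) or 0)


def triage(version_text, dell_model=None, is_64bit=False):
    """Classify one inventory record against the advisory's version rules."""
    if is_64bit:
        return "not affected"          # 64-bit platforms are not vulnerable
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"
    number, is_dell_build, sp = parsed
    for models, fixed in DELL_FIXED.items():
        if dell_model and dell_model.upper() in models:
            # Assumption: "or newer" means a higher build number, or the
            # same build with an equal or higher service pack.
            return "patched" if (number, sp) >= fixed else "vulnerable"
    if is_dell_build:
        # Dell builds are fixed inside the generic vulnerable range, so a
        # (D) build on an unlisted model cannot be judged from this page.
        return "unknown"
    if number[0] == 3 or (4, 0, 0) <= number <= GENERIC_LAST_VULNERABLE:
        return "vulnerable"
    return "out of scope"              # version not covered by the advisory
```

Records that come back "unknown" need a manual check with the vendor, since the page gives fixed versions only for the listed Latitude models.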

Bluetooth device users should set their devices to non-discoverable mode during normal operations to reduce risk from this and other potential future Bluetooth attacks.


CVSS Scoring

  • Access Vector: Remote
  • Access Complexity: High
  • Authentication: Not Required
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete
  • Impact Bias: Normal
  • Score: 8.0

Credits

This vulnerability was discovered and researched by David Maynor of SecureWorks, Inc. and Jon Ellch. SecureWorks would like to thank Christopher M. Davis and the entire Dell security response team as well as Armin Scheruebl of Toshiba Europe GmbH and the Toshiba Bluetooth Support team for their response and coordination.

About Secureworks

Please direct all security research related inquiries to:

Allen Wilson (404) [email protected]

All media inquiries should be directed to:

Elizabeth Clarke (404) [email protected]

© Copyright 2006 SecureWorks, Inc.

This advisory may not be edited or modified in any way without the express written consent of SecureWorks, Inc. If you wish to reprint this advisory or any portion or element thereof, please [email protected] to seek permission. Permission is hereby granted to link to this advisory via the SecureWorks web-site at http://www.secureworks.com/research/advisories/20061011-dell/ or use in accordance with the fair use doctrine of U.S. copyright laws.

Disclaimer: The information within this advisory may change without notice. The most recent version of this advisory may be found on the SecureWorks web site at www.secureworks.com for a limited period of time. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. ANY USE OF THIS INFORMATION IS AT THE USER'S RISK. In no event shall SecureWorks be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

SecureWorks PGP Key available on MIT's PGP key server and PGP.com's keyserver, as well as http://www.secureworks.com/contact/public_key.html

Revision History

1.0; October 11th, 2006 -- Initial advisory release
