CVE-2021-3573


Description

A use-after-free flaw was found in the Linux kernel HCI subsystem in the way a user detaches a Bluetooth dongle or otherwise triggers the unregister Bluetooth device event. A local user could use this flaw to crash the system or escalate their privileges on the system.

Statement

This issue is rated as having a Moderate impact because of the privileges required for running the known reproducer. The required privilege is the CAP_NET_ADMIN capability. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw, reducing its attack surface.

In order to exploit this issue the attacker needs the CAP_NET_ADMIN capability, which must be explicitly granted by the administrator to the attacker's process. This in turn requires granting the CAP_NET_ADMIN capability to the process binary and/or the attacker's account.

Another possibility for an attacker to obtain the CAP_NET_ADMIN capability in Red Hat Enterprise Linux 7 is running a process inside a user+network namespace with root privileges mapped inside the namespace. Since Red Hat Enterprise Linux 7 does not have unprivileged user namespaces enabled by default, local or remote unprivileged users cannot abuse namespaces to grant this capability to themselves and elevate their privileges.

Red Hat Enterprise Linux 8 enables unprivileged user/network namespaces by default, which can be used to exercise this vulnerability. However, to trigger the attack a user needs both physical access to the device and local access, or administrator privileges to emulate the Bluetooth device unregister event, so the impact is still considered Moderate.

A kernel update will be required to mitigate the flaw for root or users with the CAP_SYS_ADMIN capability.

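The statement above ties the reachability of this flaw to two preconditions: a process holding CAP_NET_ADMIN, and whether unprivileged user namespaces are available (RHEL 7 ships with `user.max_user_namespaces` set to 0, RHEL 8 does not). The following is an added triage helper, not code from the advisory, that decodes the `CapEff` mask from `/proc/<pid>/status` and reads that sysctl so an administrator can check which preconditions hold on a host or for a given process; the capability bit numbers are the kernel's, the sample status text is constructed.

```python
import re

# Capability bit numbers as defined in include/uapi/linux/capability.h.
CAP_NET_ADMIN = 12
CAP_SYS_ADMIN = 21


def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap(mask, bit):
    """True if capability number `bit` is set in the 64-bit mask."""
    return bool((mask >> bit) & 1)


def triage(status_text, max_user_namespaces):
    """Report which preconditions named in the advisory statement hold.

    `max_user_namespaces` is the value of the user.max_user_namespaces
    sysctl; 0 (the RHEL 7 default) means unprivileged users cannot create
    user namespaces, so they cannot map root and obtain CAP_NET_ADMIN that way.
    """
    mask = parse_cap_eff(status_text)
    return {
        "cap_net_admin": has_cap(mask, CAP_NET_ADMIN),
        "cap_sys_admin": has_cap(mask, CAP_SYS_ADMIN),
        "unpriv_userns": max_user_namespaces > 0,
    }


def triage_live(pid="self"):
    """Run the same check against the live system (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    with open("/proc/sys/user/max_user_namespaces") as f:
        limit = int(f.read().strip())
    return triage(status, limit)


# Constructed sample: an unprivileged uid whose process holds only
# CAP_NET_ADMIN (bit 12 -> 0x1000), e.g. via a file capability.
SAMPLE_STATUS = "Name:\tbtmgmt\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000001000\n"

if __name__ == "__main__":
    print(triage(SAMPLE_STATUS, 0))
```

On a real host run `triage_live(<pid>)` for the process of interest; a result with `cap_net_admin` set, or `unpriv_userns` true, means the privilege barrier the statement relies on is not in place for that process.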

Additional Information

  • Bugzilla 1966578: CVE-2021-3573 kernel: use-after-free in function hci_sock_bound_ioctl()
  • CWE-362->CWE-416: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') leads to Use After Free
  • FAQ: Frequently asked questions about CVE-2021-3573