CVE-2019-8922

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on whether there is enough space in the destination buffer. The function simply appends all data passed to it. The values of all attributes that are requested are appended to the output buffer. There are no size checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is large enough to overflow the preallocated buffer. This issue exists in service_attr_req gets called by process_request (in sdpd-request.c), which also allocates the response buffer.

Se ha detectado un desbordamiento del búfer en la región heap de la memoria en bluetoothd en BlueZ versiones hasta 5.48. No presenta ninguna comprobación sobre si presenta suficiente espacio en el buffer de destino. La función simplemente añade todos los datos que son pasados. Los valores de todos los atributos solicitados son añadidos al búfer de salida. No se presenta ningún tipo de comprobación de tamaño, resultando en un simple desbordamiento de la pila si es posible diseñar una petición en la que la respuesta sea lo suficientemente grande como para desbordar el búfer preasignado. Este problema se presenta cuando service_attr_req es llamado por process_request (en el archivo sdpd-request.c), que también asigna el buffer de respuesta

*Credits: N/A

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-02-18 CVE Reserved
2021-11-29 CVE Published
2024-08-04 CVE Updated
2024-08-04 First Exploit
2024-08-14 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-787: Out-of-bounds Write

CAPEC

References (3)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html	Mailing List
https://security.netapp.com/advisory/ntap-20211203-0002	Third Party Advisory

URL	Date	SRC
https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow	2024-08-04

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Bluez Search vendor "Bluez"	Bluez Search vendor "Bluez" for product "Bluez"	<= 5.48 Search vendor "Bluez" for product "Bluez" and version " <= 5.48"	-	Affected	in	Linux Search vendor "Linux"	Linux Kernel Search vendor "Linux" for product "Linux Kernel"	-	-	Safe
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected