Announced 8 December 2020

Score: High

Three Bluetooth vulnerabilities, one rated as high, affect the following IGEL products:

  • IGEL OS 11
  • IGEL OS 10

Details

Weaknesses in input validation and access control have been discovered in BlueZ, the Linux Bluetooth stack, and have been nicknamed "BleedingTooth". CVE-2020-12352 and CVE-2020-24490, both rated medium, may disclose information to an unauthenticated user nearby. CVE-2020-12351 is rated high as it may allow an unauthenticated user nearby to enable escalation of privilege.

Update Instructions

  • IGEL OS 11: Update to IGEL OS 11.04.240 or newer.
  • IGEL OS 10: Upgrade to IGEL OS 11.

Mitigation

Disable Bluetooth, see Bluetooth Assistant.

References

Intel BlueZ Advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html