CVE-2020-15238
Published 2020-10-27
Priority P345 · high · 7 · CVSS 3.1
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS
4.54%
90.4th percentile
Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the DhcpClient method of the D-Bus interface to blueman-mechanism is prone to an argument injection vulnerability. The impact highly depends on the system configuration. If Polkit-1 is disabled and for versions lower than 2.0.6, any local user can possibly exploit this. If Polkit-1 is enabled for version 2.0.6 and later, a possible attacker needs to be allowed to use the `org.blueman.dhcp.client` action. That is limited to users in the wheel group in the shipped rules file that do have the privileges anyway. On systems with ISC DHCP client (dhclient), attackers can pass arguments to `ip link` with the interface name that can e.g. be used to bring down an interface or add an arbitrary XDP/BPF program. On systems with dhcpcd and without ISC DHCP client, attackers can even run arbitrary scripts by passing `-c/path/to/script` as an interface name. Patches are included in 2.1.4 and master that change the DhcpClient D-Bus method(s) to accept BlueZ network object paths instead of network interface names. A backport to 2.0(.8) is also available. As a workaround, make sure that Polkit-1-support is enabled and limit privileges for the `org.blueman.dhcp.client` action to users that are able to run arbitrary commands as root anyway in /usr/share/polkit-1/rules.d/blueman.rules.
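The class of check that blocks this kind of argument injection, as an added example (not Blueman's code; the 2.1.4 fix instead takes BlueZ network object paths). The function names, the allowlist pattern and the sample interface set are assumptions of this example; it shows that a value starting with `-` is read as an option even when the helper is started from an argv list without a shell.

```python
import re

# Allowlist stricter than the kernel's own naming rule (assumption of this
# example): 1-15 characters, first one alphanumeric, so never a leading "-".
IFNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,14}")


def parsed_as_option(token: str) -> bool:
    """True if a getopt-style parser would treat the token as an option."""
    return token.startswith("-") and token != "-"


def check_ifname(name: str, known_ifaces: frozenset) -> str:
    """Return name only if it is safe to place in a privileged helper's argv."""
    if not isinstance(name, str) or not IFNAME_RE.fullmatch(name):
        raise ValueError(f"rejected interface name: {name!r}")
    # Only interfaces the service itself knows about are acceptable.
    if name not in known_ifaces:
        raise ValueError(f"unknown interface: {name!r}")
    return name


def audit(candidates, known_ifaces):
    """Classify each caller-supplied value: accepted, option-injection, rejected."""
    report = {}
    for value in candidates:
        try:
            check_ifname(value, known_ifaces)
            report[value] = "accepted"
        except ValueError:
            report[value] = (
                "option-injection" if parsed_as_option(value) else "rejected"
            )
    return report


# Constructed sample input; "-c/path/to/script" is the value quoted in the
# advisory text, the rest are made up for this example.
KNOWN = frozenset({"bnep0", "lo"})
SAMPLES = ["bnep0", "-c/path/to/script", "bnep0 extra", "bnep9", "a" * 16]

if __name__ == "__main__":
    for value, verdict in audit(SAMPLES, KNOWN).items():
        print(f"{value!r:24} {verdict}")
```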
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blueman-project | blueman | < 2.1.4 | 2.1.4 |
| blueman_project | blueman | < 2.1.4 | 2.1.4 |
| blueman_project | blueman | >= 0 < 2.1.4-1 | 2.1.4-1 |
| blueman_project | blueman | >= 0 < 2.1.4-1 | 2.1.4-1 |
| blueman_project | blueman | >= 0 < 2.1.4-1 | 2.1.4-1 |
| blueman_project | blueman | >= 0 < 2.1.4-1 | 2.1.4-1 |
| blueman_project | blueman | >= 0 < 2.0.4-1ubuntu2.1 | 2.0.4-1ubuntu2.1 |
| blueman_project | blueman | >= 0 < 2.0.5-1ubuntu1.1 | 2.0.5-1ubuntu1.1 |
| blueman_project | blueman | >= 0 < 2.1.2-1ubuntu0.2 | 2.1.2-1ubuntu0.2 |
| blueman_project | blueman | >= 0 < 2.1.2-1ubuntu0.1 | 2.1.2-1ubuntu0.1 |
| debian | blueman | < blueman 2.1.4-1 (bookworm) | blueman 2.1.4-1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
CVSS provenance
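| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 7.0 | HIGH | — |
| vendor_debian | — | 7.1 | HIGH | — |
| vendor_ubuntu | — | 7.1 | HIGH | — |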
OSV
blueman vulnerability
osv·2020-11-03·CVSS 7.0
Vaisha Bernard discovered that blueman did not properly sanitize input on
the d-bus interface to blueman-mechanism. A local attacker could possibly
use this issue to escalate privileges and run arbitrary code or cause a
denial of service. (CVE-2020-15238)
While a previous security update fixed the issue, this update provides
additional improvements by enabling PolicyKit authentication for
privileged commands.
OSV
CVE-2020-15238: Blueman is a GTK+ Bluetooth Manager
osv·2020-10-27·CVSS 7.0
OSV
blueman vulnerability
osv·2020-10-27·CVSS 7.0
Vaisha Bernard discovered that blueman did not properly sanitize input on
the d-bus interface to blueman-mechanism. A local attacker could possibly
use this issue to escalate privileges and run arbitrary code or cause a
denial of service. (CVE-2020-15238)
Ubuntu
Blueman update
vendor_ubuntu·2020-11-03·CVSS 7.1
Title: Blueman update
Summary: A security improvement has been made to blueman.
Vaisha Bernard discovered that blueman did not properly sanitize input on
the d-bus interface to blueman-mechanism. A local attacker could possibly
use this issue to escalate privileges and run arbitrary code or cause a
denial of service. (CVE-2020-15238)
While a previous security update fixed the issue, this update provides
additional improvements by enabling PolicyKit authentication for
privileged commands.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Blueman vulnerability
vendor_ubuntu·2020-10-27·CVSS 7.1
Title: Blueman vulnerability
Summary: Blueman could be made to run programs if it received specially crafted input.
Vaisha Bernard discovered that blueman did not properly sanitize input on
the d-bus interface to blueman-mechanism. A local attacker could possibly
use this issue to escalate privileges and run arbitrary code or cause a
denial of service. (CVE-2020-15238)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2020-15238: blueman - Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the DhcpClient met...
vendor_debian·2020·CVSS 7.1
No detection rules found.
Bugzilla
CVE-2020-15238 blueman: local privilege escalation in org.blueman.Mechanism D-Bus interface [fedora-all]
bugzilla·2020-10-28·CVSS 7.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
Bugzilla
CVE-2020-15238 blueman: local privilege escalation in org.blueman.Mechanism D-Bus interface
bugzilla·2020-10-28·CVSS 7.1
http://packetstormsecurity.com/files/159740/Blueman-Local-Root-Privilege-Escalation.html
https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/1897287
https://github.com/blueman-project/blueman/releases/tag/2.1.4
https://github.com/blueman-project/blueman/security/advisories/GHSA-jpc9-mgw6-2xwx
https://lists.debian.org/debian-lts-announce/2020/11/msg00005.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3F4EQU6CAPBKAPJ42HTB473NJLXFKB32/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFLMNHAHX5HPIKC5IG6F25HO5Z6RH2N/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W52NP7HRFTNAVNZLGKY4GR3JIZG5KKGS/
https://security.gentoo.org/glsa/202011-11
https://www.debian.org/security/2020/dsa-4781