Security Intelligence Operations
Microsoft Windows Bluetooth Stack Service Description Requests Code Execution Vulnerability

| Vulnerability Alert |

| Threat Type: | Unintended Weakness: Arbitrary Code Execution |
| IntelliShield ID: | 15994 |
| Version: | 4 |
| First Published: | June 10, 2008 02:59 PM EDT |
| Last Published: | June 19, 2008 06:24 PM EDT |
| Vector: | Adjacent Network |
| Authentication: | None |
| Exploit: | Unproven |
| Port: | Not Available |
| CVE: | CVE-2008-1453 |
| BugTraq ID: | 29522 |
| Urgency: | Unlikely Use |
| Credibility: | Confirmed |
| Severity: | Moderate Damage |
| CVSS Base: | 7.9 (CVSS Version 2) |
| CVSS Temporal: | 5.8 |
| Version Summary: | Microsoft has re-released software updates to correct the Bluetooth stack service description requests code execution vulnerability in Microsoft Windows XP. The original updates for Microsoft Windows XP SP1 and SP2 and Microsoft Windows XP Professional SP1 and SP2 did not fix the vulnerability. |

| Description |

Microsoft Windows Bluetooth stack contains a vulnerability that can allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.
The vulnerability is due to improper handling of service description requests. An unauthenticated, remote attacker could exploit the vulnerability by submitting a large number of malicious packets designed to trigger the error. If successful, the attacker could gain the ability to execute arbitrary code with elevated privileges.
Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

| Warning Indicators |

The following Microsoft products are vulnerable:
Windows XP SP3 and prior
Windows XP x64 and x64 SP2
Windows Vista SP1 and prior
Windows Vista x64 SP1 and prior

| IntelliShield Analysis |

Unlike many remote attacks, to exploit this vulnerability an attacker will likely need to be within 30 feet of the affected system. This drastically reduces the attack surface of affected systems. Desktop systems that use Bluetooth technology are unlikely to be attackable by untrusted entities. Mobile devices, however, may be open to attack when they are used in busy public areas, such as coffee shops or airports. Additionally, only devices that accept connections from untrusted devices or computers are likely to be affected.
An attacker who is able to exploit the vulnerability will likely gain the ability to execute arbitrary code with kernel-level privileges, likely leading to the complete compromise of the affected system.
Microsoft has corrected this vulnerability by improving the way a flood of requests is handled by the Bluetooth stack.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities disclosed in this month's Microsoft security bulletin release that can be identified or mitigated using Cisco devices. This Cisco bulletin is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for June 2008

| Vendor Announcements |

Microsoft has released a security bulletin at the following link: MS08-030
Nortel has released a security bulletin at the following link: 2008008895

| Impact |

An unauthenticated, remote attacker could exploit the vulnerability to execute arbitrary code with elevated privileges. An exploit could allow the attacker to gain complete control over an affected system.

| Technical Information |

The vulnerability exists due to a failure to properly handle an exceptional condition that may occur when processing a large number of successive service description requests. When an affected system with an enabled Bluetooth stack processes such a request, system memory may be corrupted in an exploitable manner.
An unauthenticated, remote attacker within the local proximity of an affected system could exploit the vulnerability by sending a large number of malicious requests to an affected system. A successful exploit could allow the attacker to corrupt system memory, potentially leading to the execution of arbitrary code with elevated privileges.
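
As an added illustration (not part of the Cisco alert or of Microsoft's fix), the following Python example shows how a defender reviewing a Bluetooth capture could flag a peer that sends a burst of successive SDP requests. The `<seconds> <peer address> <pdu id>` line format, the thresholds and the device addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# SDP request PDU IDs as defined in the Bluetooth SDP specification.
SDP_REQUEST_PDUS = {0x02, 0x04, 0x06}

# Assumed thresholds for illustration; tune against normal discovery traffic.
WINDOW_SECONDS = 5.0
MAX_REQUESTS = 20


def parse(line):
    """Parse '<seconds> <peer address> <pdu id>'; return None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return float(parts[0]), parts[1].upper(), int(parts[2], 16)
    except ValueError:
        return None


def find_floods(lines, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
    """Map each peer to the time it first exceeded `limit` requests in `window`."""
    recent = defaultdict(deque)  # peer -> request timestamps still in the window
    alerts = {}
    for record in filter(None, map(parse, lines)):
        ts, peer, pdu = record
        if pdu not in SDP_REQUEST_PDUS:
            continue  # responses and error PDUs are not requests
        seen = recent[peer]  # assumes each peer's lines are in time order
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) > limit:
            alerts.setdefault(peer, ts)
    return alerts


def sample_log():
    """Constructed capture: one slow peer, one burst peer, one garbled line."""
    lines = ["0.00 00:11:22:33:44:55 0x06", "garbled line"]
    # Slow peer: one request every 2 s, never more than 3 inside the window.
    lines += [f"{2.0 * i:.2f} 00:11:22:33:44:55 0x04" for i in range(1, 31)]
    # Burst peer: 60 requests 50 ms apart, starting at t = 2 s.
    lines += [f"{2.0 + 0.05 * i:.2f} de:ad:be:ef:00:01 0x06" for i in range(60)]
    return lines


if __name__ == "__main__":
    print(find_floods(sample_log()))
```

Only the burst peer is reported; the slow peer's steady discovery traffic and the malformed line are ignored.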

| Safeguards |

Administrators are advised to apply the appropriate software updates.
Administrators may wish to disable the Bluetooth driver until the update can be applied.
Administrators can prevent new Bluetooth connections by disabling the "Allow Bluetooth devices to find this computer" option under the Bluetooth Devices option in the Control Panel.

| Patches/Software |

Microsoft has released updated software at the following links:
Windows XP SP2 and SP3
Windows XP Professional x64 Edition SP2 and prior
Windows Vista SP1 and prior
Windows Vista x64 Edition SP1 and prior

| Alert History |

Version 3, Jun 17, 2008, 3:46 PM: Nortel has released a security bulletin to address the Bluetooth stack service description requests code execution vulnerability in Microsoft Windows.
Version 2, June 12, 2008, 5:11 PM: IntelliShield is updating this alert to include common vulnerability identification information.
Version 1, June 10, 2008, 2:59 PM: Microsoft Windows Bluetooth stack contains a vulnerability that can allow an unauthenticated, remote attacker to execute arbitrary code. Updates are available.

| Product Sets |

The security vulnerability applies to the following combinations of products.