A vulnerability in Android that allows remote code execution when Bluetooth is on

The February update to the Android platform fixed a critical vulnerability (CVE-2020-0022) in the Bluetooth stack that allows remote code execution by sending a specially crafted Bluetooth packet. The problem can be exploited silently by an attacker within Bluetooth range. It is possible that the vulnerability could be used to create worms that infect neighboring devices in a chain.

For an attack, it is enough to know the MAC address of the victim's device (prior pairing is not required, but Bluetooth must be enabled on the device). On some devices, the Bluetooth MAC address can be derived from the Wi-Fi MAC address. If the vulnerability is exploited successfully, the attacker can execute their code with the privileges of the background process that coordinates Bluetooth operation in Android.
The issue is specific to the Android Bluetooth stack Fluoride (based on the BlueDroid project code from Broadcom) and does not appear in the BlueZ stack used on Linux.

The researchers who identified the problem were able to prepare a working prototype exploit, but the details of exploitation will be disclosed later, once the fix has reached the bulk of users. It is only known that the vulnerability is present in the packet reassembly code and is caused by an incorrect calculation of the size of L2CAP (Logical Link Control and Adaptation Protocol) packets when the data transmitted by the sender exceeds the expected size.
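The class of defect described above, as an added illustration that is neither Fluoride's code nor the researchers' exploit: a minimal L2CAP-style reassembler that reads the payload length announced in the basic header of the first fragment and rejects any fragment that would push the accumulated size past it, so a sender that transmits more than expected cannot overrun the buffer. The type and function names, the buffer limit `L2CAP_MAX_PDU`, and the start-fragment flag are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define L2CAP_HDR_LEN 4      /* basic header: 2-byte payload length + 2-byte CID */
#define L2CAP_MAX_PDU 1024   /* assumed buffer limit for this illustration */

/* Reassembly state for one connection (constructed for the example). */
typedef struct {
    uint8_t buf[L2CAP_HDR_LEN + L2CAP_MAX_PDU];
    size_t  expected;   /* total bytes announced by the header, including the header */
    size_t  received;   /* bytes accumulated so far */
    bool    active;     /* a start fragment has been seen and not yet completed */
} l2cap_reasm_t;

void l2cap_reasm_init(l2cap_reasm_t *r) { memset(r, 0, sizeof *r); }

/* Feed one fragment. Returns 1 when a complete PDU is ready, 0 when more
 * fragments are needed, -1 when the fragment is rejected (state is discarded). */
int l2cap_reasm_push(l2cap_reasm_t *r, const uint8_t *frag, size_t len, bool start)
{
    if (start) {
        /* A start fragment must carry at least the basic header. */
        if (len < L2CAP_HDR_LEN) { l2cap_reasm_init(r); return -1; }
        /* Payload length is little-endian in the first two header bytes. */
        size_t payload = (size_t)frag[0] | ((size_t)frag[1] << 8);
        if (payload > L2CAP_MAX_PDU) { l2cap_reasm_init(r); return -1; }
        r->expected = L2CAP_HDR_LEN + payload;
        r->received = 0;
        r->active   = true;
    } else if (!r->active) {
        return -1;  /* continuation fragment without a preceding start fragment */
    }
    /* Bound the copy by the announced size, not by what the sender provides. */
    if (len > r->expected - r->received) { l2cap_reasm_init(r); return -1; }
    memcpy(r->buf + r->received, frag, len);
    r->received += len;
    return r->received == r->expected ? 1 : 0;
}
```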

On Android 8 and 9, the issue can lead to code execution, but on Android 10 it is limited to a crash of the Bluetooth background process. Older Android releases are potentially affected, but exploitation has not been tested. Users are advised to install the firmware update as soon as possible and, if this is not possible, to keep Bluetooth disabled by default, prevent device discovery, and enable Bluetooth in public places only when absolutely necessary (including replacing wireless headphones with wired ones).

In addition to the problem noted above, the February Android security patch set addressed 26 vulnerabilities, one more of which (CVE-2020-0023) was rated Critical. The second vulnerability also affects the Bluetooth stack and is related to incorrect handling of the BLUETOOTH_PRIVILEGED permission in setPhonebookAccessPermission. As for the vulnerabilities marked as dangerous, 7 issues were fixed in frameworks and applications, 4 in system components, 2 in the kernel, and 10 in open and proprietary components for Qualcomm chips.

Source: opennet.ru