The Cybersecurity and Infrastructure Security Agency (CISA) has warned that the PoC code for the BrakTooth vulnerability in Bluetooth is already available on the Web.
BrakTooth is the common name for about twenty vulnerabilities in commercial Bluetooth Classic (BT) stacks, also affecting chips supporting Bluetooth versions 3.0 + HS to Bluetooth 5.2.
The vulnerabilities can be exploited to cause denial of service (DoS) by crashing or deadlocking the Bluetooth firmware, and in some cases even to execute arbitrary code. To exploit them, the attacker must be within Bluetooth range of the vulnerable device.
In a description of the vulnerability published in August 2021, security researchers reported that it affected 1,400 products at the time. However, the true number of vulnerable devices could be much higher as the BT stack is used in many products. In total, the problem is likely to affect about a million devices.
The most severe of the 16 bugs is CVE-2021-28139, which affects the ESP32 SoC used in many Bluetooth-based appliances ranging from consumer electronics to industrial equipment. Arising from a missing out-of-bounds check in the library, the flaw enables an attacker to inject arbitrary code on vulnerable devices, including erasing their NVRAM data.
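The root cause named above, a length field copied without a bounds check, is the classic firmware memory-safety defect. The following is an added illustration written for this page, not code from the BrakTooth researchers, Espressif, or any real Bluetooth stack: it parses a hypothetical frame with a one-byte length prefix (a constructed format, not the real LMP layout) into a fixed-size buffer, and shows the two checks whose absence lets an attacker-controlled length overrun the destination.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical frame layout, constructed for this example only:
 * one length byte followed by that many payload bytes. */
#define PAYLOAD_CAP 16

typedef struct {
    uint8_t len;
    uint8_t payload[PAYLOAD_CAP];
} frame_t;

/* Hardened parser. Returns 0 on success, -1 if the frame is malformed.
 * The unchecked pattern the article describes would simply do
 *     memcpy(out->payload, buf + 1, buf[0]);
 * trusting the peer-supplied length byte, so a value above PAYLOAD_CAP
 * writes past the end of out->payload (and beyond it, into whatever the
 * firmware keeps next to it, such as configuration in NVRAM-backed
 * structures). Both checks below close that hole. */
int parse_frame(const uint8_t *buf, size_t buf_len, frame_t *out) {
    if (buf == NULL || out == NULL || buf_len < 1) return -1;
    uint8_t declared = buf[0];
    /* Check 1: declared length must fit the destination buffer. */
    if (declared > PAYLOAD_CAP) return -1;
    /* Check 2: declared length must not exceed bytes actually received,
     * otherwise memcpy reads past the end of the input. */
    if ((size_t)declared > buf_len - 1) return -1;
    out->len = declared;
    memcpy(out->payload, buf + 1, declared);
    return 0;
}

int main(void) {
    frame_t f;
    /* Constructed sample frames. */
    const uint8_t good[]      = {4, 'a', 'b', 'c', 'd'};
    const uint8_t oversized[] = {0xFF, 1, 2, 3};  /* claims 255 payload bytes */
    const uint8_t truncated[] = {8, 1, 2, 3};     /* claims 8, only 3 present */
    printf("good:      %d\n", parse_frame(good, sizeof good, &f));
    printf("oversized: %d\n", parse_frame(oversized, sizeof oversized, &f));
    printf("truncated: %d\n", parse_frame(truncated, sizeof truncated, &f));
    return 0;
}
```

In a real stack the rejected frames are also the signal worth counting: a burst of malformed length fields from one peer address is exactly what a BrakTooth-style probe looks like from the defender's side, and a firmware that logs and drops them keeps serving the devices that are already connected.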
Other vulnerabilities could result in the Bluetooth functionality getting entirely disabled via arbitrary code execution, or cause a denial-of-service condition in laptops and smartphones employing Intel AX200 SoCs. "This vulnerability allows an attacker to forcibly disconnect slave BT devices currently connected to AX200 under Windows or Linux Laptops," the researchers said. "Similarly, Android phones such as Pocophone F1 and Oppo Reno 5G experience BT disruptions."
Following the public release of the PoC code for the BrakTooth vulnerabilities last week, CISA urged manufacturers, vendors, and developers to review the PoC code and apply the necessary updates as soon as possible.