CVE-2020-27153

8.6 HIGH

📋 TL;DR

CVE-2020-27153 is a double free in BlueZ's gatttool, in the disconnect_cb() routine of shared/att.c, reached when a redundant disconnect MGMT event is processed during GATT service discovery. An attacker who controls the Bluetooth LE peer that gatttool connects to can potentially crash the tool (denial of service) or, in the worst case, execute code in its context. It affects BlueZ before 5.55, in practice Linux systems that ship the bluez package with gatttool and use it against untrusted devices.

💻 Affected Systems

Products:
  • BlueZ
  • Linux distributions with BlueZ package
Versions: BlueZ versions before 5.55
Operating Systems: Linux distributions including Ubuntu, Debian, Red Hat, SUSE, Arch
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Bluetooth hardware and BlueZ on the host, and the exposure only arises while gatttool is run against an attacker-controlled or compromised peripheral within radio range. gatttool is deprecated upstream and is built only when BlueZ is configured with --enable-deprecated, so check whether the binary is actually present on your builds.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Code execution in the context of the user who ran gatttool against the attacker's device (a root shell where the tool is run with elevated privileges), giving the attacker a foothold to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Denial of service: gatttool crashes during service discovery against a malicious or misbehaving peripheral, and whatever workflow or automation drives it fails.

🟢 If Mitigated

Limited impact where Bluetooth is disabled on critical systems and the hosts that must keep it enabled are segmented from them.

🌐 Internet-Facing: LOW - Exploitation needs a Bluetooth LE peer within radio range (typically up to tens of metres) that the victim host connects to with gatttool; there is no network-reachable attack surface.
🏢 Internal Only: MEDIUM - Anyone within Bluetooth range, for example in a shared office or public space, can stand up a malicious peripheral and wait for a host to run discovery against it.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires an attacker-controlled Bluetooth LE device within radio range and a victim who runs gatttool against it. The double free in disconnect_cb() is reached when a redundant disconnect MGMT event is processed during service discovery, so the attacker's device can trigger it without pairing or any other authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BlueZ 5.55 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1884817

Restart Required: Yes

Instructions:

1. Update the BlueZ package to 5.55 or later, or to your distribution's patched build, with the package manager.
2. Ubuntu/Debian: sudo apt update && sudo apt upgrade bluez
3. RHEL/CentOS: sudo yum update bluez (dnf update bluez on RHEL 8 and later)
4. Restart the Bluetooth service: sudo systemctl restart bluetooth
5. Reboot, or at least end any running gatttool sessions, so that no process keeps executing the old binary.

Distributions often backport the fix without bumping the upstream version (the package stays at 5.53 or 5.50 with a new release suffix), so confirm the fix through the package changelog or your distribution's security tracker rather than by the version string alone.

🔧 Temporary Workarounds

Disable Bluetooth Service

Stop and disable bluetoothd so that no Bluetooth connections, gatttool sessions included, can be made from the host:

sudo systemctl stop bluetooth
sudo systemctl disable bluetooth

Disable gatttool

The flaw is in gatttool itself, so the exposure is limited to hosts where someone runs it. Remove execute permission from the binary, or move it aside (either is sufficient):

sudo chmod 000 /usr/bin/gatttool
sudo mv /usr/bin/gatttool /usr/bin/gatttool.disabled

A later bluez package upgrade reinstalls the binary, so re-check after updates until the host is on a fixed version.

🧯 If You Can't Patch

  • Segment hosts that must keep Bluetooth enabled from critical systems, so that a compromised gatttool host has little to pivot to
  • Disable Bluetooth on all production servers and critical infrastructure, where it is rarely needed in the first place
  • Do not run gatttool against unknown or untrusted peripherals until the host is patched

🔍 How to Verify

Check if Vulnerable:

Check the installed BlueZ version with dpkg -l bluez (Debian/Ubuntu) or rpm -q bluez (RHEL/Fedora). bluetoothd --version also prints the version, but the daemon is normally installed outside PATH (/usr/libexec/bluetooth/bluetoothd or /usr/lib/bluetooth/bluetoothd), so the package query is the more reliable check. A version below 5.55 is vulnerable unless the distribution has backported the fix; in that case the package changelog names CVE-2020-27153.

Check Version:

bluetoothd --version 2>/dev/null || dpkg -l | grep bluez || rpm -q bluez

Verify Fix Applied:

Confirm that the installed version is 5.55 or later, or that the package changelog references CVE-2020-27153 for a backported fix. Then confirm Bluetooth still works, for example by scanning for devices with bluetoothctl.
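The version check above as a script, added here as an example (it is not part of the original advisory or of the BlueZ project). It reduces the installed package version to its upstream major.minor part, compares that numerically against 5.55, and, because distributions backport the fix under the old version number, also looks for CVE-2020-27153 in the package changelog. The changelog path /usr/share/doc/bluez/changelog.Debian.gz and the function names are assumptions for the example; the dpkg-query, rpm and bluetoothd invocations are the real tools.

```shell
#!/bin/sh
# Added example (not BlueZ project code): is the installed bluez older than the 5.55 fix,
# and if so, has the distribution backported the fix anyway?

FIXED_VERSION="5.55"
CVE_ID="CVE-2020-27153"

# Reduce a package version such as "1:5.53-0ubuntu3.2" or "5.50-4.el8" to the
# upstream "major.minor" part (drop the epoch and the distro release suffix).
upstream_version() {
    printf '%s\n' "$1" | sed -E 's/^[0-9]+://; s/[-+~].*$//'
}

# version_lt A B: true (exit 0) when dotted version A is numerically lower than B,
# so that 5.9 < 5.55, which a plain string compare gets wrong.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# True when the upstream version predates the fix.
bluez_vulnerable() {
    version_lt "$(upstream_version "$1")" "$FIXED_VERSION"
}

# Installed package version from whichever package manager is present. The daemon
# is usually outside PATH, so the known install locations are tried as a last resort.
installed_bluez_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' bluez 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q bluez >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}\n' bluez
    else
        for d in /usr/libexec/bluetooth/bluetoothd /usr/lib/bluetooth/bluetoothd; do
            [ -x "$d" ] && "$d" --version 2>/dev/null && return 0
        done
    fi
}

# Backport check: Debian/Ubuntu and RPM security updates name the CVE in the changelog.
# (The Debian changelog path is an assumption; adjust for your distribution.)
fix_in_changelog() {
    f=/usr/share/doc/bluez/changelog.Debian.gz
    if [ -r "$f" ] && zcat "$f" 2>/dev/null | grep -q "$CVE_ID"; then
        return 0
    fi
    if command -v rpm >/dev/null 2>&1 && rpm -q --changelog bluez 2>/dev/null | grep -q "$CVE_ID"; then
        return 0
    fi
    return 1
}

# Prints one status line; exit status 1 means "patch needed".
report() {
    ver=$(installed_bluez_version)
    if [ -z "$ver" ]; then
        echo "bluez: not installed"; return 0
    fi
    if bluez_vulnerable "$ver"; then
        if fix_in_changelog; then
            echo "bluez $ver: predates $FIXED_VERSION but changelog references $CVE_ID (backported fix)"; return 0
        fi
        echo "bluez $ver: VULNERABLE, older than $FIXED_VERSION with no backport recorded"; return 1
    fi
    echo "bluez $ver: fixed ($FIXED_VERSION or later)"; return 0
}

report
```

Run it as sh check_bluez.sh on each host; the exit status makes it usable from a fleet-wide job. The numeric compare matters because sorting version strings lexically puts 5.9 after 5.55, which would mark a vulnerable 5.9 build as fixed.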

📡 Detection & Monitoring

Log Indicators:

  • gatttool terminating with a segfault, or with a glibc heap-corruption abort ("free(): double free detected"), in the kernel log or journal
  • systemd-coredump entries for gatttool, or bluetooth.service exiting with a SEGV or ABRT status
  • Repeated disconnect events in a short window while a host is running service discovery

Network Indicators:

  • Bluetooth traffic is not visible on the IP network; repeated connect/disconnect cycles from one peer address show up only in an on-host HCI trace (btmon) or on a Bluetooth sniffer
  • Multiple connection attempts from an unknown device address during discovery

SIEM Query:

(source="journald" OR source="syslog") ("gatttool" OR "bluetoothd" OR "bluetooth.service") AND ("segfault" OR "double free" OR "dumped core" OR "SIGSEGV" OR "SIGABRT")
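The log indicators above, run over a handful of constructed journal lines, as an added example that is not part of the original advisory. The sample lines, the function names and the alert threshold are assumptions for the example; the glibc "free(): double free detected" message and the kernel segfault line shape are the real formats a double free typically produces, and the journalctl calls in the comments are the real tool.

```shell
#!/bin/sh
# Added example (not part of the advisory): pull crash indicators for gatttool/bluetoothd
# out of journal or syslog text and raise an alert when they cluster.

# Constructed sample log lines for the example. Lines 1, 2, 4 and 5 are the indicators
# the advisory lists; lines 3 and 6 are ordinary noise that must not match.
SAMPLE_LOG='Oct 14 10:02:11 host kernel: gatttool[2143]: segfault at 8 ip 000055d8c0a1f2b0 sp 00007ffd3a8e5c40 error 4 in gatttool[55d8c0a00000+40000]
Oct 14 10:02:11 host gatttool[2143]: free(): double free detected in tcache 2
Oct 14 10:02:11 host bluetoothd[812]: Endpoint registered: sender=:1.42 path=/MediaEndpoint/A2DPSink/sbc
Oct 14 10:02:12 host systemd-coredump[2150]: Process 2143 (gatttool) of user 1000 dumped core.
Oct 14 10:02:12 host systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
Oct 14 10:02:15 host sshd[977]: Accepted publickey for ops from 10.0.0.5 port 51022'

# Filter stdin down to lines about the Bluetooth components that also carry a
# crash or heap-corruption marker.
bt_crash_indicators() {
    grep -E 'gatttool|bluetoothd|bluetooth\.service' \
      | grep -Ei 'segfault|double free|dumped core|code=dumped|status=[0-9]+/(SEGV|ABRT)|SIG(SEGV|ABRT)'
}

# Number of indicator lines on stdin (0 when none).
bt_crash_count() {
    bt_crash_indicators | wc -l | tr -d ' '
}

# bt_crash_alert THRESHOLD: exit 0 when stdin holds at least THRESHOLD indicators.
bt_crash_alert() {
    [ "$(bt_crash_count)" -ge "${1:-1}" ]
}

# Group indicators per minute (syslog timestamp in field 3) to spot bursts,
# printing "HH:MM count" per minute seen.
bt_crash_bursts() {
    bt_crash_indicators | awk '{ split($3, t, ":"); m = t[1] ":" t[2]; c[m]++ }
                               END { for (m in c) print m, c[m] }'
}

# Stand-alone run: evaluate the sample. On a systemd host feed real logs instead:
#   journalctl -k --since "1 hour ago" | bt_crash_count            (kernel segfault lines)
#   journalctl -u bluetooth -p err --since "1 hour ago" | bt_crash_count
printf '%s\n' "$SAMPLE_LOG" | bt_crash_bursts
if printf '%s\n' "$SAMPLE_LOG" | bt_crash_alert 2; then
    echo "ALERT: $(printf '%s\n' "$SAMPLE_LOG" | bt_crash_count) Bluetooth crash indicators in sample"
fi
```

The first grep keeps the filter anchored to the Bluetooth components, so a segfault in an unrelated program does not count; the second grep carries the markers, so adding a new crash signature is a one-line change. Two indicators within one minute is a reasonable starting threshold for a host that normally never runs gatttool at all.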
