CVE-2024-11857
📋 TL;DR
CVE-2024-11857 is a link following vulnerability in the Realtek Bluetooth HCI Adaptor. A local attacker with regular privileges can create symbolic links that cause arbitrary files to be deleted, and can leverage this to escalate privileges on affected systems. Users with Realtek Bluetooth adaptors on their systems are potentially affected.
💻 Affected Systems
- Realtek Bluetooth HCI Adaptor
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via privilege escalation leading to complete control of the affected system.
Likely Case
Local privilege escalation allowing attackers to gain elevated privileges and potentially install malware or access sensitive data.
If Mitigated
Limited impact if proper file permissions and access controls prevent symbolic link creation in critical directories.
🎯 Exploit Status
Exploitation requires local access and knowledge of specific file paths used by the Bluetooth driver.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with Realtek or system vendor for specific patched driver versions
Vendor Advisory: https://www.twcert.org.tw/en/cp-139-10161-fa1b5-2.html
Restart Required: Yes
Instructions:
1. Check with your system vendor for updated Bluetooth drivers.
2. Download and install the patched driver version.
3. Restart the system to apply changes.
🔧 Temporary Workarounds
Restrict symbolic link creation
Linux: Implement filesystem policies to restrict symbolic link creation in directories used by Bluetooth services
chmod 1777 /tmp
setfacl -m u:bluetooth:rwx /var/lib/bluetooth
Disable Bluetooth service
Linux: Temporarily disable Bluetooth services if not required
sudo systemctl stop bluetooth
sudo systemctl disable bluetooth
🧯 If You Can't Patch
- Implement strict file permissions on Bluetooth-related directories
- Monitor for suspicious symbolic link creation in system directories
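One way to act on the monitoring advice above, as an added example (not code from Realtek or from this page): a Python audit that walks a directory and reports symbolic links that resolve outside it or are owned by an account you do not trust. The function names, the trusted-UID default and the constructed sample tree are assumptions; point `audit_symlinks` at the directories you care about, such as the `/tmp` and `/var/lib/bluetooth` paths named in this entry.

```python
import os
import stat
import tempfile


def audit_symlinks(root, trusted_uids=(0,)):
    """Report symlinks under root that leave the tree or have an untrusted owner."""
    root_real = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat inspects the link itself, never its target
            except FileNotFoundError:
                continue  # entry vanished between listing and inspection
            if not stat.S_ISLNK(st.st_mode):
                continue
            target = os.path.realpath(path)  # where a link-following process would land
            escapes = os.path.commonpath([root_real, target]) != root_real
            untrusted = st.st_uid not in trusted_uids
            if escapes or untrusted:
                findings.append({"link": path, "target": target,
                                 "owner_uid": st.st_uid,
                                 "escapes_root": escapes,
                                 "untrusted_owner": untrusted})
    return findings


def demo(trusted_uids=None):
    """Run the audit over a constructed tree (sample data, not real service paths)."""
    if trusted_uids is None:
        trusted_uids = (os.getuid(),)
    with tempfile.TemporaryDirectory() as tmp:
        watched = os.path.join(tmp, "watched")  # stands in for a service directory
        outside = os.path.join(tmp, "outside")  # stands in for the rest of the system
        os.makedirs(os.path.join(watched, "sub"))
        os.makedirs(outside)
        victim = os.path.join(outside, "victim.conf")
        inner = os.path.join(watched, "sub", "real.dat")
        for p in (victim, inner):
            open(p, "w").close()
        os.symlink(victim, os.path.join(watched, "cache.tmp"))  # resolves outside the tree
        os.symlink(inner, os.path.join(watched, "inner.lnk"))   # stays inside the tree
        return audit_symlinks(watched, trusted_uids)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it on a schedule with the privileges needed to read the watched directories, and feed the findings to your alerting pipeline.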
🔍 How to Verify
Check if Vulnerable:
Check if a Realtek Bluetooth driver is loaded and a Realtek USB device is present:
lsmod | grep -i -E 'rtk_btusb|btrtl'; lsusb | grep -i realtek
Check Version:
modinfo rtk_btusb | grep version
Verify Fix Applied:
Verify updated driver version is installed and check vendor advisory for specific version numbers
📡 Detection & Monitoring
Log Indicators:
- Unusual symbolic link creation in /tmp or Bluetooth directories
- Failed file deletion attempts with permission errors
Network Indicators:
- Local privilege escalation attempts following Bluetooth service activity
SIEM Query:
process_name="ln" AND command_line="-s" AND target_directory IN ("/tmp", "/var/lib/bluetooth")