CVE-2017-1000250

Publication date 12 September 2017

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.

From the Ubuntu Security Team

It was discovered that an information disclosure vulnerability existed in the Service Discovery Protocol (SDP) implementation in BlueZ. A physically proximate unauthenticated attacker could use this to disclose sensitive information.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
bluez	17.04 zesty	Fixed 5.43-0ubuntu1.1
	16.04 LTS xenial	Fixed 5.37-0ubuntu5.1
	14.04 LTS trusty	Fixed 4.101-0ubuntu13.3

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
bluez	Upstream: ?id=9e0

Severity score breakdown

Parameter	Value
Base score	6.5 · Medium
Attack vector	Adjacent
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	None
Vector	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Related Ubuntu Security Notices (USN)

USN-3413-1
BlueZ vulnerability
12 September 2017