[VIM] SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability
Steven M. Christey
coley at linus.mitre.org
Mon Oct 23 18:04:09 EDT 2006
I've done a little bit more investigation but still don't have 100% proof
of acknowledgement for the latest report.
> The SecureWorks advisory speaks of a "flaw" and "memory stack
> corruption" but do not refer to this as a buffer overflow. The
> affected driver versions go up to 4.00.35.
> They include this as a cross-reference:
> Buffer Overrun in Toshiba Bluetooth Stack for Windows
> This document, published in June, only specifies versions up to
> 4.0.23, and it specifically states that there is a buffer overflow,
> and it even lists the attack vectors involving L2CAP Echo Requests.
> So - is there one bug or 2?
> The Toshiba URL they refer to includes a "PC Bluetooth Stack Security
> Patch 2" whose Details document says "Fix L2CAP echo issue" (it also
> mentions OBEX directory traversal but that is outside this particular
I decided to regard this as sufficient proof of vendor acknowledgement for
the June trifinite issue (CVE-2006-3146) since the L2CAP lines up and the
original researchers imply that they contacted Toshiba before disclosure.
The OBEX directory traversal issue is probably KF's report
> There's also a "PC Bluetooth Stack" section whose Details document
> says "Security fix", but the phrase "Bluetooth Stack 4.00.36(T)" seems
> to imply that 4.00.36 is also affected, which is inconsistent with the
> SecureWorks advisory.
This inconsistency has not been resolved, although at this point it seems
like they're reporting a different issue than the L2CAP problem, so I'm
treating it differently (CVE-2006-5405).
More information about the VIM