Linux Kernel Bluetooth L2CAP Encryption Key Size Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Bluetooth implementation has been addressed. The L2CAP (Logical Link Control and Adaptation Protocol) layer of the kernel's Bluetooth stack did not properly validate the encryption key size on incoming connections. The flaw was introduced in a commit that removed the key size check. It was identified during testing with the Bluetooth Qualification Program's Protocol Test Suite (PTS), which revealed that the key size could be insufficient, potentially leading to security issues.

Impact

The vulnerability could cause the Bluetooth stack to accept connections with invalid encryption key sizes, which may lead to unauthorized access or manipulation of data over the Bluetooth connection.

Reproduction

The vulnerability can be reproduced by initiating a Bluetooth L2CAP connection while the encryption key size is set to an invalid value. This can be done using a Bluetooth device that does not comply with the required key size specifications. The connection request will be accepted, despite the key size being inadequate, which can be verified by checking the connection response and the key size reported in the HCI (Host Controller Interface) logs.
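
The same evidence can be checked from the defender's side. The following is an added example, not part of the original advisory or the kernel: it scans a btmon-style text trace and reports every link on which the host sent a successful L2CAP Connection Response although the key size last reported for that handle is below a minimum. The function name, the default minimum of 7 and the sample trace are assumptions made for illustration; only the classic Connection Response is covered.

```python
import re
# Constructed sample modelled on btmon's text decoding; not a real capture.
SAMPLE_TRACE = """\
> HCI Event: Command Complete (0x0e) plen 7
      Read Encryption Key Size (0x05|0x0008) ncmd 1
        Handle: 256
        Key size: 16
< ACL Data TX: Handle 256 flags 0x00 dlen 16
      L2CAP: Connection Response (0x03) ident 2 len 8
        Result: Connection successful (0x0000)
> HCI Event: Command Complete (0x0e) plen 7
      Read Encryption Key Size (0x05|0x0008) ncmd 1
        Handle: 257
        Key size: 1
< ACL Data TX: Handle 257 flags 0x00 dlen 16
      L2CAP: Connection Response (0x03) ident 3 len 8
        Result: Connection successful (0x0000)
> HCI Event: Command Complete (0x0e) plen 7
      Read Encryption Key Size (0x05|0x0008) ncmd 1
        Handle: 258
        Key size: 1
< ACL Data TX: Handle 258 flags 0x00 dlen 16
      L2CAP: Connection Response (0x03) ident 4 len 8
        Result: Connection refused - security block (0x0003)
"""

HANDLE = re.compile(r"Handle:? (\d+)")
KEY_SIZE = re.compile(r"Key size: (\d+)")
RESULT = re.compile(r"Result: .*\(0x([0-9a-fA-F]{4})\)")

def find_weak_key_accepts(trace, min_key_size=7):  # 7 is an assumed policy minimum
    """Return (handle, key_size) for each connection accepted on a short-key link."""
    key_sizes, findings = {}, []
    event_handle, acl_handle, in_conn_rsp = None, None, False
    for line in trace.splitlines():
        if not line.startswith(" "):  # packet header: reset per-packet state
            m = HANDLE.search(line) if line.startswith("< ACL Data TX") else None
            acl_handle = int(m.group(1)) if m else None
            event_handle, in_conn_rsp = None, False
        elif m := HANDLE.search(line):
            event_handle = int(m.group(1))
        elif (m := KEY_SIZE.search(line)) and event_handle is not None:
            key_sizes[event_handle] = int(m.group(1))  # latest size seen per handle
        elif "L2CAP: Connection Response" in line and acl_handle is not None:
            in_conn_rsp = True  # response sent by this host to an incoming request
        elif in_conn_rsp and (m := RESULT.search(line)) and int(m.group(1), 16) == 0:
            if key_sizes.get(acl_handle, min_key_size) < min_key_size:
                findings.append((acl_handle, key_sizes[acl_handle]))
    return findings
```

On a fixed kernel the short-key links should show a refusal, as the third link in the sample does, rather than a successful response.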

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the documentation for the specific Linux distribution being used.

Added: Sep 24, 2025, 11:18 AM
Updated: Sep 24, 2025, 9:57 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.