On Mon, Oct 09, 2006 at 12:21:22AM +0200, Moritz Muehlenhoff wrote:
> Mikko Rapeli wrote:
> > This small bug affects sarge too so I'm cc'ing security. Attached patches
> > restrict the permissions for sarge and etch/sid so that non-root users can
> > not read the default pin value used in Bluetooth authentication.
                            ^^^^^

This should have read 'file'.

> I know next to nothing about Bluetooth. What could a malicious user do
> with this pin value and why does it need to be kept secret if it's
> a default value (which I suppose is the same on all Debian installations?)

A default value is much worse than a pin file readable by all, but if an adm changed the pin and would like to keep it secret, then allowing everyone on the system to read the file by default is not nice. The paranoid adm should check the pin permissions too, but at least I failed that one for quite some time. Guess I'm not that paranoid after all...

If a malicious user knows the pin, he can access the Bluetooth services offered by the host from previously unknown Bluetooth addresses. If he can also fake Bluetooth addresses and the Debian host allows re-pairing as it does by default ('pairing multi' in /etc/bluetooth/hcid.conf), then he can take over existing Bluetooth connections, and even pretend to be the Debian box to other Bluetooth devices that trust this shared secret and allow creating new link keys.

In most cases, this is just a minor bug. At least having a default pin and 'pairing multi' on by default are much bigger issues, but it's a security-related deviation from upstream. I would like to see this fixed.

-Mikko
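A defender-side audit check for the two conditions Mikko describes (a pin file readable by other users, and 'pairing multi' in hcid.conf), added here as an example; it is not code from the thread or from the bluez package. The file paths and sample contents are constructed, and it assumes GNU or BSD `stat` and a `pairing <mode>;` line in hcid.conf.

```shell
#!/bin/sh
# Added audit helper (not from the thread or the bluez package).
# Assumption: paths are passed in; hcid.conf uses "pairing <mode>;" lines.

# Succeed (0) only if the pin file has no permission bits for group or others.
pin_file_is_private() {
    pin="$1"
    [ -f "$pin" ] || { echo "no such file: $pin" >&2; return 2; }
    # GNU stat first, BSD stat as a fallback; both print the octal mode.
    mode=$(stat -c '%a' "$pin" 2>/dev/null || stat -f '%Lp' "$pin")
    case "$mode" in
        *00) return 0 ;;   # e.g. 600 or 400: owner only
        *)   return 1 ;;   # e.g. 644: readable by every local user
    esac
}

# Print the pairing policy declared in hcid.conf ("multi", "once", "none"),
# ignoring comment lines; prints "unset" if no directive is present.
hcid_pairing_mode() {
    m=$(sed -n 's/^[[:space:]]*pairing[[:space:]]\{1,\}\([a-z]\{1,\}\)[[:space:]]*;\{0,1\}.*$/\1/p' "$1" | head -n 1)
    printf '%s\n' "${m:-unset}"
}

# Constructed sample files under a temp dir so the demo runs offline.
DEMO=$(mktemp -d)
DEMO_PIN_BAD="$DEMO/pin.bad"; DEMO_PIN_OK="$DEMO/pin.ok"; DEMO_CONF="$DEMO/hcid.conf"
printf '1234\n' > "$DEMO_PIN_BAD"; chmod 644 "$DEMO_PIN_BAD"   # the reported state
printf '1234\n' > "$DEMO_PIN_OK";  chmod 600 "$DEMO_PIN_OK"    # the patched state
cat > "$DEMO_CONF" <<'EOF'
# pairing once;   (commented-out line must be ignored)
options {
    pairing multi;
}
EOF

for f in "$DEMO_PIN_BAD" "$DEMO_PIN_OK"; do
    if pin_file_is_private "$f"; then echo "OK   $f is owner-readable only"
    else echo "WARN $f is readable by other local users"; fi
done
case "$(hcid_pairing_mode "$DEMO_CONF")" in
    multi) echo "WARN $DEMO_CONF allows re-pairing (pairing multi)" ;;
    *)     echo "OK   $DEMO_CONF pairing policy: $(hcid_pairing_mode "$DEMO_CONF")" ;;
esac
```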