PublicDateAtUSN: 2020-03-12 21:15:00 UTC
Candidate: CVE-2020-0556
PublicDate: 2020-03-12 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556
 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
 https://www.openwall.com/lists/oss-security/2020/03/12/4
 https://ubuntu.com/security/notices/USN-4311-1
Description:
 Improper access control in subsystem for BlueZ before version 5.54 may
 allow an unauthenticated user to potentially enable escalation of
 privilege and denial of service via adjacent access
Ubuntu-Description:
Notes:
 amurray| Affects versions before 5.53 according to the Intel advisory
 mdeslaur> while the Intel advisory says "below 5.53", the commits that
 mdeslaur> actually fix the issue appear to have been added after 5.53 was
 mdeslaur> released. Marking focal as needed until further information is
 mdeslaur> available.
 mdeslaur> Intel advisory was updated on 2020-03-16 to change fixed version
 mdeslaur> to 5.54.
Mitigation:
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953770
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L [7.1 HIGH]

Patches_bluez:
 upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
 upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
 upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=35d8d895cd0b724e58129374beb0bb4a2edf9519
 upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f2778f5877d20696d68a452b26e4accb91bfb19e
upstream_bluez: released (5.54)
precise/esm_bluez: DNE
trusty_bluez: ignored (out of standard support)
trusty/esm_bluez: DNE
xenial_bluez: released (5.37-0ubuntu5.3)
esm-infra/xenial_bluez: released (5.37-0ubuntu5.3)
bionic_bluez: released (5.48-0ubuntu3.4)
eoan_bluez: released (5.50-0ubuntu5.1)
devel_bluez: released (5.53-0ubuntu2)