Julian Rauchberger

**Name of the Vulnerable Software and Affected Versions** BlueZ versions through 5.48 **Description** A heap-based buffer overflow was discovered in the bluetoothd component of BlueZ. The issue is caused by the lack of size checks when appending data to the output buffer in the `service attr req` function, which is called by `process request` in `sdpd-request.c`. This allows a remote attacker to craft a request that can overflow the preallocated buffer, potentially impacting the confidentiality, integrity, and availability of protected information. **Recommendations** For BlueZ versions through 5.48, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BlueZ versions through 5.48 **Description** The issue is related to the implementation of the SDP service in the Bluetooth protocol stack for Linux BlueZ, which is associated with insufficient authentication of data. This can allow a remote attacker to disclose protected information. The vulnerability lies in the handling of a SVC ATTR REQ by the SDP implementation, where crafting a malicious CSTATE can trick the server into returning more bytes than the buffer holds, resulting in the leaking of arbitrary heap data. The root cause is found in the `service attr req` function of `sdpd-request.c`, where the server does not check if the CSTATE data is the same in consecutive requests and instead trusts that it is the same. **Recommendations** For BlueZ versions through 5.48, consider disabling the `service attr req` function in `sdpd-request.c` as a temporary workaround until a patch is available. Restrict access to the SDP implementation to minimize the risk of exploitation. Avoid using the `CSTATE` data in consecutive requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.