CVE-2023-40088 - Memory Corruption Vulnerability in com_android_bluetooth_btservice_AdapterService.cpp leading to possible Remote Code Execution
A recent vulnerability has been discovered in the Bluetooth service in the Android operating system, specifically within the com_android_bluetooth_btservice_AdapterService.cpp file. For those who are unaware of this component, it is responsible for managing the Bluetooth hardware and software stack in Android devices. The vulnerable component, callback_thread_event(), suffers from a memory corruption issue due to a use after free, which could potentially lead to remote code execution with no additional execution privileges needed. User interaction is not required for exploitation.
With the vulnerability assigned as CVE-2023-40088, it is concerning for users who utilize Bluetooth on their android devices for daily activities such as file sharing, connecting to wireless audio devices, or even using smart home IoT devices. Therefore, let's dive into the details of this CVE.
Exploit Details
The vulnerability lies in the callback_thread_event() method, a critical part of the Bluetooth stack. Here is a snippet of the vulnerable code in the com_android_bluetooth_btservice_AdapterService.cpp file:
static void callback_thread_event(bt_cb_thread_evt event) {
...
if(event == ASSOCIATE_JVM) {
JavaVM* vm = android::AndroidRuntime::getJavaVM();
JNIEnv* env = NULL;
if(vm->GetEnv((void**)&env, JNI_VERSION_1_6) != JNI_OK) {
ALOGE("Error while associating JVM");
return;
}
if (sJniCallbacksObj == NULL) {
env->DeleteGlobalRef(sJniCallbacksObj);
sJniCallbacksObj = NULL;
}
}
...
}
The memory corruption occurs when sJniCallbacksObj is mistakenly set to NULL before calling env->DeleteGlobalRef(sJniCallbacksObj). This results in a use after free scenario when sJniCallbacksObj is accessed later on.
This issue can be triggered by an attacker with close proximity to the vulnerable device, without requiring any user interaction. Since the exploit occurs within the Bluetooth stack, it can be exploited when the Bluetooth service is active or even when a device is "discoverable" but not connected to any other device.
Below are the links to the original sources describing the vulnerability details
1. Android Open Source Project (AOSP) Security Bulletin: https://source.android.com/security/bulletin
2. National Vulnerability Database (NVD) entry: https://nvd.nist.gov/vuln/detail/CVE-2023-40088
3. Android Bluetooth Stack source code: https://android.googlesource.com/platform/external/bluetooth/bluedroid/+/master/stack/
4. Google Developers documentation for Bluetooth Low Energy: https://developer.android.com/guide/topics/connectivity/bluetooth-le
Mitigation and Recommendations
Considering the severity of the issue, affected users are strongly advised to patch their devices with security updates that address CVE-2023-40088. Here are a few recommendations to ensure your device's safety:
Regularly check for available security updates for your device and install them promptly.
2. Limit the usage of Bluetooth (especially enabling the "discoverable" mode) in public or crowded places to minimize the risk of exploitation.
3. Always keep your device up-to-date with the latest firmware and software to reduce the chances of being affected by similar vulnerabilities in the future.
Conclusion
In summary, CVE-2023-40088 is a potentially severe memory corruption vulnerability in the Android Bluetooth service, which could result in remote code execution without user interaction. Due to the nature of the issue and its impact on users of Bluetooth-enabled devices, it is crucial for users to keep their devices updated and take necessary precautions to ensure their safety.
Timeline
Published on: 12/04/2023 23:15:24 UTC
Last modified on: 12/22/2023 01:15:10 UTC