Endpoint Protection


Bluetooth vulnerability #BlueBorne

  • 1.  Bluetooth vulnerability #BlueBorne

    Posted Sep 13, 2017 08:55 AM

    Hello,

    It would be nice to know more about this vulnerability and whether SEP provides protection for mobile and desktop operating systems.

     

    Info in media:

    https://www.armis.com/blueborne/

    https://techcrunch.com/2017/09/12/new-bluetooth-vulnerability-can-hack-a-phone-in-ten-seconds/

    https://www.youtube.com/watch?v=QrHbZPO9Rnc

     

    From ARMIS website:

    Windows

    All Windows computers since Windows Vista are affected by the “Bluetooth Pineapple” vulnerability which allows an attacker to perform a Man-in-The-Middle attack (CVE-2017-8628).

    Microsoft is issuing security patches to all supported Windows versions at 10 AM, Tuesday, September 12. We recommend that Windows users should check with the Microsoft release here for the latest information.

    Linux
    Linux is the underlying operating system for a wide range of devices. The most commercial, and consumer-oriented platform based on Linux is the Tizen OS.

    • All Linux devices running BlueZ are affected by the information leak vulnerability (CVE-2017-1000250).
    • All Linux devices from version 3.3-rc1 (released in October 2011) are affected by the remote code execution vulnerability (CVE-2017-1000251).

    Examples of impacted devices:

    Information on Linux updates will be provided as soon as they are live.

    iOS



  • 2.  RE: Bluetooth vulnerability #BlueBorne

    Posted Sep 13, 2017 08:56 AM

    Details about this vulnerability just came out yesterday. Nothing is available yet, though I would expect it soon. I'd check back here over the next couple of days.



  • 3.  RE: Bluetooth vulnerability #BlueBorne

    Posted Sep 13, 2017 09:37 AM

    Thanks Brian,

    There is a nice report on the Armis website with more info:

    http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf?t=1505222709963

    All CVE.

    1. Linux kernel RCE vulnerability - CVE-2017-1000251

    2. Linux Bluetooth stack (BlueZ) information leak vulnerability - CVE-2017-1000250

    3. Android information leak vulnerability - CVE-2017-0785

    4. Android RCE vulnerability #1 - CVE-2017-0781

    5. Android RCE vulnerability #2 - CVE-2017-0782

    6. The Bluetooth Pineapple in Android - Logical Flaw CVE-2017-0783

    7. The Bluetooth Pineapple in Windows - Logical Flaw CVE-2017-8628

    8. Apple Low Energy Audio Protocol RCE vulnerability - CVE-2017-14315

     

     

     



  • 4.  RE: Bluetooth vulnerability #BlueBorne

    Posted Sep 13, 2017 04:18 PM

    Symantec September bulletin:

    http://www.symantec.com/docs/TECH247557

    As of now, the signatures for CVE-2017-8628 are "Under Review".



  • 5.  RE: Bluetooth vulnerability #BlueBorne

    Broadcom Employee
    Posted Sep 14, 2017 03:40 AM

    Simply put, the BlueBorne vulnerabilities, as well as some other similar vulnerabilities discovered in the last months, would allow attackers to exploit the underlying OS and execute arbitrary code.

    When it comes to protecting iOS and Android devices, SEP Mobile (previously known as Skycure) would be the right product to put in place since it does provide 0-day protection (i.e.: no upgrades/updates required) against attacks exploiting the vulnerabilities dubbed BlueBorne, as well as several other similar physical level vulnerabilities (Bluetooth, NFC, malicious charging stations, etc) published over the last months or based on other vulnerabilities not published yet.

    SEP Mobile includes several layers of protection which will trigger depending on the specifics of the attack using the vulnerabilities above:

    • SEP Mobile's capabilities for detection of IoCs will identify cases when the OS is being exploited to execute arbitrary code, regardless of the attack vector.
    • SEP Mobile's network-based attack detection would trigger a VPN connection to capture and block the malicious traffic in the cloud.
    • SEP Mobile's Mobile NAC will also trigger here and would move any affected device to a non-compliant state, and this will trigger additional policies to protect corporate applications (normally prevent the application from being launched but also alert the EMM, tunnel through a VPN and others).

    Please stay tuned, as more details will be released soon.



  • 6.  RE: Bluetooth vulnerability #BlueBorne

    Posted Sep 14, 2017 05:19 AM

    Hi seguridad,

    The possible security concern is also under investigation from a traditional SEP point of view.  I will update this thread when that is complete.

    An obvious countermeasure is to not enable Bluetooth unless using it at that moment.  Don't just leave it on and forget about it! 



  • 7.  RE: Bluetooth vulnerability #BlueBorne

    Posted Sep 19, 2017 12:27 PM

    Hi again seguridad,

    Just to update: I definitely recommend applying vendor patches to correct this vulnerability.  Traditional AV and IPS protections are not feasible blocks for the activity described.



  • 8.  RE: Bluetooth vulnerability #BlueBorne

    Posted Sep 19, 2017 04:35 PM

    This blog just came out:

    https://www.symantec.com/connect/blogs/blueborne-new-bluetooth-attack-vector-endangers-8-billion-devices



  • 9.  RE: Bluetooth vulnerability #BlueBorne

    Posted Sep 20, 2017 07:07 PM

    Thanks Brian.. Waiting for Windows devices that can be used as a vector of infection.

    ---

    As soon as BlueBorne attempts to infiltrate a mobile device protected by SEP Mobile, we would flag that as malicious activity and activate the appropriate protections to keep the device and sensitive data safe. Other detections will alert and automatically protect if an attacker attempts to achieve network MiTM, regardless of the exploit. SEP Mobile now also explicitly alerts for systems that are vulnerable to CVE-2017-0783.

    --- 

     

    I wonder with the other CVEs if they are patched in Windows or still need an additional patch.

     



  • 10.  RE: Bluetooth vulnerability #BlueBorne

    Posted Sep 26, 2017 11:27 AM

    Extra note for Android users:

    The latest Norton Halt exploit defender (version 6.1.0) is available for download.

    https://play.google.com/store/apps/details?id=com.symantec.android.nfr&hl=en

    What’s NEW?

    • Added detection for the BlueBorne vulnerability