Earlier this year, in March 2018, we published a blog post detailing two vulnerabilities in the Android Bluetooth stack, which were independently discovered by Quarkslab but were fixed in the March 2018 Android Security Bulletin while we were in the process of reporting them to Google.

Nonetheless, at the same time, we reported to the Android team three other security issues affecting its Bluetooth component. At the time only one of the three issues was acknowledged by the Android team, and it was closed as a duplicate; the other two reports were ignored. However, Google fixed both of them in the June and July 2018 Android Security Bulletins.

Introduction

By March 2018 we had reported to Google a few vulnerabilities in the Bluetooth stack of Android:

Issue 74882215: Bluetooth L2CAP L2CAP_CMD_CONN_REQ Remote Memory Disclosure

Issue 74889513: Bluetooth L2CAP L2CAP_CMD_DISC_REQ Remote Memory Disclosure

Issue 74917004: Bluetooth SMP smp_sm_event() OOB Array Indexing

All three were reported on March 15th, 2018. The first bug (issue 74882215) was the only one that got any response from the Android security team (not counting the gentle bot that automatically acknowledges bug reports and promptly asks you to sign the Google Contributor License Agreement): 11 days after our initial submission, issue 74882215 was marked as a duplicate of issue 74135099, which had been previously submitted by another external researcher on March 4th, 2018.

Regarding the other two vulnerabilities, we never received any answer from the Android team. However, we noticed that issue 74889513 was fixed with this commit, along with issue 74882215 and other similar OOB reads in the same function, in the June 2018 Android Security Bulletin. These two bugs are credited to Jianjun Dai (@Jioun_dai) and Guang Gong (@oldfresher) of Qihoo 360's Alpha Team, and they have CVEs assigned from the following set: {CVE-2018-9359, CVE-2018-9360, CVE-2018-9361}, although it is not clear exactly which ones.

The third bug report (issue 74917004) was also completely ignored by the Android team. However, we noticed that it was fixed in the July 2018 Security Bulletin (CVE-2018-9365) and rated as "Critical - RCE". It was credited to the same researchers mentioned above: Jianjun Dai and Guang Gong of Qihoo 360's Alpha Team. The fix for this bug is dated March 30th, 2018, that is, 15 days after our report.

Last-minute update: right after tweeting about issue 74917004, we received an update from the Android team on the Google Issue Tracker, stating that:

Issue 74917004 was a duplicate of issue 74051120, which was previously submitted by another researcher on March 2nd, 2018.

Issue 74889513 was a duplicate of issue 74125947, which was previously submitted by another researcher on March 5th, 2018.

Leaving vulnerability disclosure adventures aside, here are the technical details for the three issues that we have reported.