EUVD-2024-54617CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
Bluetooth HCI Adaptor from Realtek has a Link Following vulnerability. Local attackers with regular privileges can create a symbolic link with the same name as a specific file, causing the product to delete arbitrary files pointed to by the link. Subsequently, attackers can leverage arbitrary file deletion to privilege escalation.
Analysis
Local privilege escalation vulnerability in Realtek Bluetooth HCI adaptor drivers that exploits a symlink-following flaw (CWE-59) to enable arbitrary file deletion. Local attackers with standard user privileges can create symbolic links to trick the driver into deleting critical system files, subsequently leveraging file deletion to gain elevated privileges. The vulnerability has a CVSS score of 7.8 (High) with complete integrity and confidentiality impact; exploitation status and POC availability require vendor advisory correlation to assess active exploitation risk.
Technical Context
The vulnerability resides in Realtek Bluetooth HCI (Host Controller Interface) adaptor drivers, which manage low-level Bluetooth hardware communication on Linux and Windows systems. The root cause is CWE-59 (Link Following / Symlink Following), a classic privilege escalation vector where privileged code (the driver or associated daemon) operates on a file path without validating whether intermediate path components or the target itself are symbolic links. When the driver attempts to delete or modify files during initialization, shutdown, or maintenance operations, an unprivileged attacker can preemptively create a symlink at the expected file path pointing to a critical system file (e.g., /etc/sudoers, /root/.ssh/authorized_keys, or kernel modules). The driver then follows the symlink and deletes the attacker-chosen target. This is a well-understood attack pattern on Unix-like systems where privilege boundaries are crossed without proper checks. Affected CPE entries would include realtek bluetooth hardware drivers across multiple OS versions; specific version enumeration requires vendor advisory data.
Affected Products
Realtek Bluetooth HCI adaptors and associated drivers. Without access to vendor advisories or detailed CVE references, specific version ranges cannot be enumerated. Typical affected products include: Realtek RTL8723BS, RTL8723BU, RTL8821CU, RTL8852AU, and similar chipsets used in Linux and Windows systems. CPE patterns would likely include variations of 'cpe:2.3:a:realtek:bluetooth_hci_driver:*:*:*:*:*:*:*:*' with version constraints. Users should consult Realtek's official security advisories and their Linux distribution repositories (Ubuntu, Fedora, Debian) or Windows Update channels for specific affected versions and patch availability. Embedded systems and IoT devices using affected Realtek adapters may also be impacted.
Remediation
1. **Patch Application**: Update Realtek Bluetooth HCI drivers to patched versions released by Realtek. Check Linux distribution repositories (apt, yum, pacman) for updated rtl8xxxu or rtl_bluetooth packages, or visit Realtek's official support portal for Windows drivers. 2. **Temporary Mitigations** (if patching is delayed): Restrict local system access to trusted users only via file permissions and login controls; disable or unload vulnerable Bluetooth adaptor drivers if not in active use; implement file integrity monitoring (AIDE, Tripwire) to detect unauthorized file deletion. 3. **Workarounds**: On Linux, use AppArmor or SELinux to confine driver processes and prevent symlink-following attacks via mandatory access control policies. 4. **Vendor Advisory**: Contact Realtek support or monitor their security bulletin page for official patch releases and deployment timelines. Reference CVE-2024-11857 when querying vendor support.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today