CVE-2023-45866
Published: 6 December 2023
Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.
From the Ubuntu Security Team
It was discovered that BlueZ did not properly restrict non-bonded devices from injecting HID events into the input subsystem. This could allow a physically proximate attacker to inject keystrokes and execute arbitrary commands whilst the device is discoverable.
Notes
Author | Note |
---|---|
eslerm | underlying issue was addressed in CVE-2020-0556, but was not enabled and not compliant with Security Mode 4 |
eslerm | patch released ahead of public CRD |
Mitigation
In `/etc/bluetooth/input.conf` set `ClassicBondedOnly=true` and then `systemctl restart bluetooth`. Setting `ClassicBondedOnly=false` will re-enable legacy device support (like the PS3 controller) and the vulnerability.
Priority
Status
Package | Release | Status |
---|---|---|
bluez Launchpad, Ubuntu, Debian |
bionic |
Released
(5.48-0ubuntu3.9+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
focal |
Released
(5.53-0ubuntu3.7)
|
|
jammy |
Released
(5.64-0ubuntu1.1)
|
|
lunar |
Released
(5.66-0ubuntu1.1)
|
|
mantic |
Released
(5.68-0ubuntu1.1)
|
|
noble |
Pending
(5.70-0ubuntu3)
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Released
(5.37-0ubuntu5.3+esm3)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
Patches: upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.3 |
Attack vector | Adjacent |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | Low |
Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |