Unauthenticated Injection of HID Messages via Bluetooth HID Hosts in BlueZ

CVE-2023-45866

6.3 MEDIUM

Key Information

Vendor
BlueZ
Status
Android
Vendor
CVE Published:
8 December 2023

Badges

😄 Trended | 👾 Exploit Exists | 🔴 Public PoC | 📰 News Worthy

Summary

CVE-2023-45866 is a Bluetooth vulnerability affecting the BlueZ software, which can lead to the injection of HID messages by unauthenticated devices. This vulnerability could potentially impact Linux-based systems and Ubuntu 22.04 LTS. Apple has released patches to fix 12 vulnerabilities on various platforms, including CVE-2023-45866. The new security mode introduced by Apple, called Stolen Device Protection, aims to protect sensitive data in cases of stolen passcodes by requiring Face ID for access. Security researcher Marc Newlin also discovered a Bluetooth bug that allows attackers to take over user devices, affecting Android, Linux, macOS, and iOS. Apple has released patches to address this vulnerability, and the tech giant is encouraging the community to continue probing Bluetooth flaws.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

News Articles

Critical Bluetooth security flaw discovered in Google, Apple and Linux devices - SiliconANGLE

2 days ago

Bluetooth Vulnerability Enables Keystroke Injection on Android, Linux, macOS, iOS

Another day, another Bluetooth vulnerability impacting billions of devices worldwide!

4 days ago

This Bluetooth security flaw could be used to hijack Apple and Linux devices

Experts uncover new way to trick devices via Bluetooth

4 days ago

References

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🔴 Public PoC available

  • Vulnerability started trending

  • 👾 Exploit known to exist

  • Vulnerability published

  • First article discovered by The Register

  • Vulnerability Reserved

Collectors

NVD Database | Mitre Database | 4 Proof of Concept(s) | 10 News Article(s)