CVE-2023-45866
First published: Mon Dec 04 2023(Updated: )
Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.
Credit: Marc Newlin SkySafeMarc Newlin SkySafe cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bluez | <=5.55-3.1<=5.66-1<=5.70-1 | 5.70-1.1~exp0 5.70-1.1 5.66-1+deb12u1 5.55-3.1+deb11u1 |
| Apple iOS | ||
| Apple macOS | ||
| Android Android | =4.2.2-10 | |
| Linux Linux | ||
| Ubuntu Ubuntu | =18.04 | |
| Ubuntu Ubuntu | =20.04 | |
| Ubuntu Ubuntu | =22.04 | |
| Ubuntu Ubuntu | =23.10 | |
| ubuntu/bluez | <5.37-0ubuntu5.3+ | 5.37-0ubuntu5.3+ |
| ubuntu/bluez | <5.48-0ubuntu3.9+ | 5.48-0ubuntu3.9+ |
| ubuntu/bluez | <5.53-0ubuntu3.7 | 5.53-0ubuntu3.7 |
| ubuntu/bluez | <5.64-0ubuntu1.1 | 5.64-0ubuntu1.1 |
| ubuntu/bluez | <5.66-0ubuntu1.1 | 5.66-0ubuntu1.1 |
| ubuntu/bluez | <5.68-0ubuntu1.1 | 5.68-0ubuntu1.1 |
| debian/bluez | <=5.50-1.2~deb10u2 | 5.50-1.2~deb10u4 5.55-3.1+deb11u1 5.66-1+deb12u1 5.71-1 |
| Google Android | ||
| Apple macOS Sonoma | <14.2 | 14.2 |
| Apple iOS | <17.2 | 17.2 |
| Apple iPadOS | <17.2 | 17.2 |
| All of | ||
| Google Android | =4.2.2 | |
| Bluproducts Dash | =3.5 | |
| All of | ||
| Google Android | =6.0.1 | |
| Google Nexus 5 | ||
| All of | ||
| Any of | ||
| Google Android | =10.0 | |
| Google Android | =11.0 | |
| Google Pixel 2 | ||
| All of | ||
| Google Android | =13.0 | |
| Any of | ||
| Google Pixel 4a | ||
| Google Pixel 6 | ||
| All of | ||
| Google Android | =14.0 | |
| Google Pixel 7 | ||
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =20.04 | |
| Canonical Ubuntu Linux | =22.04 | |
| Canonical Ubuntu Linux | =23.10 | |
| All of | ||
| Apple iPhone OS | =16.6 | |
| Apple Iphone Se | ||
| All of | ||
| Apple macOS | =12.6.7 | |
| Apple Macbook Air | =2017 | |
| All of | ||
| Apple macOS | =13.3.3 | |
| Apple Macbook Pro | =m2 | |
| Fedoraproject Fedora | =38 | |
| Fedoraproject Fedora | =39 | |
| Apple Ipad Os | <17.2 | |
| Apple iPhone OS | <17.2 | |
| Apple macOS | >=14.0<14.2 | |
| Debian Debian Linux | =10.0 |
Remedy
In `/etc/bluetooth/input.conf` set `ClassicBondedOnly=true` and then `systemctl restart bluetooth`. Setting `ClassicBondedOnly=false` will re-enable legacy device support (like the PS3 controller) and the vulnerability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2023-45866
- https://security-tracker.debian.org/tracker/CVE-2020-0556
- https://www.cve.org/CVERecord?id=CVE-2023-45866
- https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057914
- https://bluetooth.com
- http://changelogs.ubuntu.com/changelogs/pool/main/b/bluez/bluez_5.64-0ubuntu1/changelog
- https://github.com/skysafe/reblog/tree/main/cve-2023-45866
- https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2N2P5LMP3V7IJONALV2KOFL4NUU23CJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/77YQQS5FXPYE6WBBZO3REFIRAUJHERFA/
- https://support.apple.com/kb/HT214036
- https://support.apple.com/kb/HT214035
- http://seclists.org/fulldisclosure/2023/Dec/9
- http://seclists.org/fulldisclosure/2023/Dec/7
- https://lists.debian.org/debian-lts-announce/2023/12/msg00011.html
- https://www.debian.org/security/2023/dsa-5584
- https://security.gentoo.org/glsa/202401-03
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2N2P5LMP3V7IJONALV2KOFL4NUU23CJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/77YQQS5FXPYE6WBBZO3REFIRAUJHERFA/
- https://launchpad.net/bugs/cve/CVE-2023-45866
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45866
- https://ubuntu.com/security/notices/USN-6540-1
- https://nvd.nist.gov/vuln/detail/CVE-2023-45866
- https://ubuntu.com/security/CVE-2023-45866
- https://support.apple.com/en-us/HT214036 (Advisory)
- https://support.apple.com/en-us/HT214035 (Advisory)
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/25a7d9aaceea0f7d6cb4ae3da5aa66efb0bc7db8
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/f4e439c22354f0aa868a982bc88bcc9de3bc37f7
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/a99edb35d6c044dbd607a74b88102bf2f36d5ef5
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/9194524a92e0f5859caeab1ff487d21d9b513d0b
- https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5673b3c6bbe8c6c9edb8afb5e9499dc3a41d3943
- https://source.android.com/docs/security/bulletin/2023-12-01 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2253392
- https://access.redhat.com/errata/RHSA-2024:9413
- https://bugzilla.redhat.com/show_bug.cgi?id=2253391
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2023-42874
- CVE-2023-42937
- CVE-2023-42919
- CVE-2023-42894
- CVE-2023-42901
- CVE-2023-42902
- CVE-2023-42912
- CVE-2023-42903
- CVE-2023-42904
- CVE-2023-42905
- CVE-2023-42906
- CVE-2023-42907
- CVE-2023-42908
- CVE-2023-42909
- CVE-2023-42910
- CVE-2023-42911
- CVE-2023-42926
- CVE-2023-42882
- CVE-2023-42881
- CVE-2023-42924
- CVE-2023-42896
- CVE-2023-42884
- CVE-2023-45866
- CVE-2023-42900
- CVE-2023-42886
- CVE-2023-38545
- CVE-2023-38039
- CVE-2023-38546
- CVE-2023-42931
- CVE-2023-42892
- CVE-2023-42922
- CVE-2023-42898
- CVE-2023-42899
- CVE-2023-42888
- CVE-2023-42891
- CVE-2023-42974
- CVE-2023-42914
- CVE-2023-42893
- CVE-2023-3618
- CVE-2020-19185
- CVE-2020-19186
- CVE-2020-19187
- CVE-2020-19188
- CVE-2020-19189
- CVE-2020-19190
- CVE-2023-42887
- CVE-2023-42936
- CVE-2023-40390
- CVE-2023-42842
- CVE-2023-42930
- CVE-2023-42913
- CVE-2023-42932
- CVE-2023-42947
- CVE-2023-40389
- CVE-2023-5344
- CVE-2023-42890
- CVE-2023-42883
- CVE-2023-42950
- CVE-2023-42956
- CVE-2023-42941
- CVE-2023-42962
- CVE-2023-42923
- CVE-2023-42897
Frequently Asked Questions
What is CVE-2023-45866?
CVE-2023-45866 is a vulnerability in the HID Profile of multiple Bluetooth host stacks that allows connections without MITM protection and user confirmation.
Which software products are affected by CVE-2023-45866?
CVE-2023-45866 affects Google Android, Apple iOS, Apple macOS, Android 4.2.2-10, Linux, and various versions of Ubuntu with the BlueZ package.
What is the severity of CVE-2023-45866?
CVE-2023-45866 has a severity level of critical with a severity value of 9.
How can I mitigate CVE-2023-45866 on Ubuntu?
To mitigate CVE-2023-45866 on Ubuntu, update the BlueZ package to version 5.37-0ubuntu5.3+ (for Ubuntu 18.04), version 5.48-0ubuntu3.9+ (for Ubuntu 20.04), version 5.53-0ubuntu3.7 (for Ubuntu 21.04), version 5.64-0ubuntu1.1 (for Ubuntu 23.10), or version 5.66-0ubuntu1.1 (for Ubuntu 24.04).
Where can I find more information about CVE-2023-45866?
You can find more information about CVE-2023-45866 in the Android Security Bulletin for December 2023, the GitHub repository 'skysafe/reblog', and the MITRE CVE database.
- collector/debian-bugs
- alias/CVE-2023-45866
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/launchpad-cve
- source/Launchpad
- agent/software-canonical-lookup-request
- agent/author
- agent/weakness
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- collector/security-tracker-debian
- source/Debian
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- agent/softwarecombine
- collector/apple-support
- source/Apple
- collector/android-source
- source/Android
- agent/last-modified-date
- agent/references
- agent/severity
- agent/tags
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- package-manager/debian
- vendor/apple
- canonical/apple ios
- canonical/apple macos
- vendor/android
- canonical/android android
- version/android android/4.2.2-10
- vendor/linux
- canonical/linux linux
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/18.04
- version/ubuntu ubuntu/20.04
- version/ubuntu ubuntu/22.04
- version/ubuntu ubuntu/23.10
- package-manager/ubuntu
- vendor/google
- canonical/google android
- version/google android/4.2.2
- vendor/bluproducts
- canonical/bluproducts dash
- version/bluproducts dash/3.5
- version/google android/6.0.1
- canonical/google nexus 5
- version/google android/10.0
- version/google android/11.0
- canonical/google pixel 2
- version/google android/13.0
- canonical/google pixel 4a
- canonical/google pixel 6
- version/google android/14.0
- canonical/google pixel 7
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/20.04
- version/canonical ubuntu linux/22.04
- version/canonical ubuntu linux/23.10
- canonical/apple iphone os
- version/apple iphone os/16.6
- canonical/apple iphone se
- version/apple macos/12.6.7
- canonical/apple macbook air
- version/apple macbook air/2017
- version/apple macos/13.3.3
- canonical/apple macbook pro
- version/apple macbook pro/m2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/38
- version/fedoraproject fedora/39
- canonical/apple ipad os
- version/apple macos/14.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- canonical/apple macos sonoma
- canonical/apple ipados