First published: Mon Dec 04 2023(Updated: )
Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.
Credit: Marc Newlin SkySafeMarc Newlin SkySafe cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/bluez | <=5.55-3.1<=5.66-1<=5.70-1 | 5.70-1.1~exp0 5.70-1.1 5.66-1+deb12u1 5.55-3.1+deb11u1 |
Apple iOS | ||
Apple macOS | ||
Android Android | =4.2.2-10 | |
Linux Linux | ||
Ubuntu Ubuntu | =18.04 | |
Ubuntu Ubuntu | =20.04 | |
Ubuntu Ubuntu | =22.04 | |
Ubuntu Ubuntu | =23.10 | |
ubuntu/bluez | <5.37-0ubuntu5.3+ | 5.37-0ubuntu5.3+ |
ubuntu/bluez | <5.48-0ubuntu3.9+ | 5.48-0ubuntu3.9+ |
ubuntu/bluez | <5.53-0ubuntu3.7 | 5.53-0ubuntu3.7 |
ubuntu/bluez | <5.64-0ubuntu1.1 | 5.64-0ubuntu1.1 |
ubuntu/bluez | <5.66-0ubuntu1.1 | 5.66-0ubuntu1.1 |
ubuntu/bluez | <5.68-0ubuntu1.1 | 5.68-0ubuntu1.1 |
debian/bluez | <=5.50-1.2~deb10u2 | 5.50-1.2~deb10u4 5.55-3.1+deb11u1 5.66-1+deb12u1 5.71-1 |
All of | ||
Google Android | =4.2.2 | |
Bluproducts Dash | =3.5 | |
All of | ||
Google Android | =6.0.1 | |
Google Nexus 5 | ||
All of | ||
Any of | ||
Google Android | =10.0 | |
Google Android | =11.0 | |
Google Pixel 2 | ||
All of | ||
Google Android | =13.0 | |
Any of | ||
Google Pixel 4a | ||
Google Pixel 6 | ||
All of | ||
Google Android | =14.0 | |
Google Pixel 7 | ||
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =20.04 | |
Canonical Ubuntu Linux | =22.04 | |
Canonical Ubuntu Linux | =23.10 | |
All of | ||
Apple iPhone OS | =16.6 | |
Apple Iphone Se | ||
All of | ||
Apple macOS | =12.6.7 | |
Apple Macbook Air | =2017 | |
All of | ||
Apple macOS | =13.3.3 | |
Apple Macbook Pro | =m2 | |
Fedoraproject Fedora | =38 | |
Fedoraproject Fedora | =39 | |
Apple Ipad Os | <17.2 | |
Apple iPhone OS | <17.2 | |
Apple macOS | >=14.0<14.2 | |
Debian Debian Linux | =10.0 | |
Apple macOS Sonoma | <14.2 | 14.2 |
Apple iOS | <17.2 | 17.2 |
Apple iPadOS | <17.2 | 17.2 |
Google Android | ||
Apple iPadOS | <17.2 |
In `/etc/bluetooth/input.conf` set `ClassicBondedOnly=true` and then `systemctl restart bluetooth`. Setting `ClassicBondedOnly=false` will re-enable legacy device support (like the PS3 controller) and the vulnerability.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Found alongside the following vulnerabilities)
CVE-2023-45866 is a vulnerability in the HID Profile of multiple Bluetooth host stacks that allows connections without MITM protection and user confirmation.
CVE-2023-45866 affects Google Android, Apple iOS, Apple macOS, Android 4.2.2-10, Linux, and various versions of Ubuntu with the BlueZ package.
CVE-2023-45866 has a severity level of critical with a severity value of 9.
To mitigate CVE-2023-45866 on Ubuntu, update the BlueZ package to version 5.37-0ubuntu5.3+ (for Ubuntu 18.04), version 5.48-0ubuntu3.9+ (for Ubuntu 20.04), version 5.53-0ubuntu3.7 (for Ubuntu 21.04), version 5.64-0ubuntu1.1 (for Ubuntu 23.10), or version 5.66-0ubuntu1.1 (for Ubuntu 24.04).
You can find more information about CVE-2023-45866 in the Android Security Bulletin for December 2023, the GitHub repository 'skysafe/reblog', and the MITRE CVE database.