CVE-2023-50230: BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability
First published: Fri May 03 2024(Updated: )
BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20938.
Credit: zdi-disclosures@trendmicro.com zdi-disclosures@trendmicro.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bluez | <=5.55-3.1+deb11u1<=5.66-1+deb12u1 | 5.55-3.1+deb11u2 5.66-1+deb12u2 5.79-1 |
| BlueZ |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443
- https://www.zerodayinitiative.com/advisories/ZDI-23-1812/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2278973
- https://access.redhat.com/errata/RHSA-2024:9413
- https://bugzilla.redhat.com/show_bug.cgi?id=2278972
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50230
- https://nvd.nist.gov/vuln/detail/CVE-2023-50230
- https://launchpad.net/bugs/cve/CVE-2023-50230
- https://security-tracker.debian.org/tracker/CVE-2023-50230
- https://ubuntu.com/security/CVE-2023-50230
Frequently Asked Questions
What is the severity of CVE-2023-50230?
CVE-2023-50230 has a high severity rating due to its potential for remote code execution.
How do I fix CVE-2023-50230?
To fix CVE-2023-50230, upgrade BlueZ to the latest versions 5.55-3.1+deb11u2, 5.66-1+deb12u2, or 5.79-1.
What type of vulnerability is CVE-2023-50230?
CVE-2023-50230 is a heap-based buffer overflow vulnerability.
Who is affected by CVE-2023-50230?
Users of affected versions of BlueZ, specifically versions up to 5.55-3.1+deb11u1 and 5.66-1+deb12u1, are at risk.
What exploit method is used for CVE-2023-50230?
CVE-2023-50230 requires user interaction for the exploitation process.
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-50230
- agent/trending
- agent/references
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- agent/tags
- agent/softwarecombine
- agent/author
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-23-1812
- alias/ZDI-CAN-20938
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/bluez
- canonical/bluez