A potentially severe security vulnerability, assigned the identifier CVE-2023-45866, has been discovered affecting Bluetooth HID Hosts in BlueZ. It allows an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, after which the host accepts HID keyboard reports from it. This leaves the system susceptible to unauthorized access and to injection of HID messages with no user interaction to grant such permission. The BlueZ package version 5.64-ubuntu1 in Ubuntu 22.04 LTS is one known affected package. However, it is important to note that the CVE-2020-0556 mitigation may have already addressed this issue for some users.

Code Snippet

The vulnerability stems from the insecure implementation of the Bluetooth HID host profile in BlueZ. A snippet of the code demonstrating the issue can be found below:

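// Forward declaration so the call below resolves
static void set_device_encryption(struct hid_device *device);

// Insecure initialization of HID Host profile
static void hid_host_profile_connected(struct hid_device *device)
{
    ...
    // The connection is marked as established before any authorization step
    device->conn_state = HID_CONN_STATE_CONNECTED;
    set_device_encryption(device);
    ...
}

// Function to set up encryption
static void set_device_encryption(struct hid_device *device)
{
    ...
    if (!device->authenticated)
    {
        // Flaw: the device is flagged as authenticated without any pairing,
        // bonding or user-authorization check having taken place
        device->authenticated = true;
        establish_encrypted_connection(device);
    }
    ...
}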


Exploit Details

An attacker can exploit this vulnerability by using a Bluetooth device in Peripheral role to initiate a connection with the vulnerable HID host. Since there is no mechanism to require user interaction or authentication, the attacker can successfully connect to the target system. Once connected, the attacker can send HID keyboard reports to inject unauthorized input, potentially compromising or controlling the system.

Mitigations

- If you are using a version of BlueZ that is vulnerable to CVE-2023-45866, update to the latest version which has addressed this issue. Check with your distribution's package manager for the latest stable release.
- For some users, the CVE-2020-0556 mitigation may have already addressed this vulnerability. Verify if this mitigation has been applied to your system.
- Implement user authorization or interaction mechanisms in the Central role on HID connections to prevent unauthorized access.
- Limit the range of your Bluetooth device or disable Bluetooth when not in use to minimize the risk of an unauthorized connection.
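
One way to verify the mitigation on a host, as an added example that is not part of the original page or of the BlueZ project. It assumes the setting involved is BlueZ's `ClassicBondedOnly` option in the `[General]` section of `/etc/bluetooth/input.conf`, which the page does not name; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: report the explicit ClassicBondedOnly value in a BlueZ
# input.conf. Prints "true", "false", or "unset" (key absent or commented out).
classic_bonded_only() {
    local conf="${1:-/etc/bluetooth/input.conf}"   # assumed default path
    [ -r "$conf" ] || { echo "unset"; return 0; }
    awk '
        /^[ \t]*#/ { next }                        # comment line
        /^[ \t]*\[/ {                              # section header
            in_general = ($0 ~ /^[ \t]*\[General\][ \t]*$/)
            next
        }
        in_general && /^[ \t]*ClassicBondedOnly[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)            # drop "key ="
            sub(/[ \t\r]+$/, "", v)                # drop trailing blanks
            val = v                                # last assignment wins
        }
        END {
            if (val == "true" || val == "1") print "true"
            else if (val == "false" || val == "0") print "false"
            else print "unset"
        }
    ' "$conf"
}

# Turn the setting into a finding an auditor can act on.
hid_bonding_finding() {
    case "$(classic_bonded_only "$1")" in
        true)  echo "OK: classic HID connections require a bonded device" ;;
        false) echo "WEAK: unbonded classic HID devices are accepted" ;;
        *)     echo "CHECK: not set; the default depends on the BlueZ version" ;;
    esac
}

# Constructed sample file (not taken from a real system).
sample="$(mktemp)"
printf '%s\n' '[General]' '#ClassicBondedOnly=true' 'ClassicBondedOnly = false' > "$sample"
hid_bonding_finding "$sample"
rm -f "$sample"
```

A `CHECK` result means the key is absent or commented out, so the effective behaviour is whatever the installed BlueZ build defaults to; confirm the package version against your distribution's advisory.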

Conclusion

CVE-2023-45866 poses a significant threat to systems using vulnerable versions of BlueZ as it allows unauthenticated connections and potential HID message injections. Updating to a secure version of BlueZ and implementing proper authorization mechanisms are crucial steps in mitigating the risk associated with this vulnerability. Additionally, users who have already applied the CVE-2020-0556 mitigation may find themselves less susceptible to this issue.

Timeline

Published on: 12/08/2023 06:15:45 UTC
Last modified on: 12/14/2023 14:47:57 UTC