Bug 2187308 (CVE-2023-2002)

Summary: CVE-2023-2002 Kernel: bluetooth: Unauthorized management command execution
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, ldoskova, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, swood, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Kernel 6.4-rc1 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2196341, 2196346, 2196347, 2196348, 2196349, 2196352, 2196353, 2196354, 2196355, 2196358, 2196359, 2196361, 2196362, 2196363, 2196364, 2196365, 2196337, 2196338, 2196339, 2196340, 2196342, 2196343, 2196344, 2196345, 2196350, 2196356, 2196357    
Bug Blocks: 2186243    

Description Rohit Keshri 2023-04-17 12:23:47 UTC 
An insufficient permission check has been found in the Bluetooth subsystem of
the Linux kernel when handling ioctl system calls of HCI sockets. This causes
tasks without the proper CAP_NET_ADMIN capability can easily mark HCI sockets
as _trusted_. Trusted sockets are intended to enable the sending and receiving
of management commands and events, such as pairing or connecting with a new
device.  As a result, unprivileged users can acquire a trusted socket, leading
to unauthorized execution of management commands. The exploit requires only
the presence of a set of commonly used setuid programs (e.g., su, sudo).

Reference:
https://www.openwall.com/lists/oss-security/2023/04/16/3
Comment 5 errata-xmlrpc 2023-06-21 14:38:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3708 https://access.redhat.com/errata/RHSA-2023:3708
Comment 6 errata-xmlrpc 2023-06-21 14:39:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3723 https://access.redhat.com/errata/RHSA-2023:3723
Comment 8 errata-xmlrpc 2023-07-18 08:28:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4137 https://access.redhat.com/errata/RHSA-2023:4137
Comment 9 errata-xmlrpc 2023-07-18 08:28:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4138 https://access.redhat.com/errata/RHSA-2023:4138