Bug 2253391 (CVE-2023-45866)

Summary: CVE-2023-45866 bluez: unauthorized HID device connections allows keystroke injection and arbitrary commands execution
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the HID Profile in BlueZ that allows unauthorized connections, especially from devices like keyboards, to inject keystrokes without user confirmation. BlueZ lacks proper restrictions on non-bonded devices, so an attacker who is physically close can inject keystrokes and execute arbitrary commands while the device is in a discoverable state.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2253392
Bug Blocks: 2253393

Description TEJ RATHI 2023-12-07 05:02:07 UTC
The HID Profile in multiple Bluetooth host stacks may accept connections with the HID control and HID interrupt channels of the HID Host role without MITM protection/mitigation and without user confirmation on the Central role device. This can permit a device like a keyboard (or emulating a keyboard) to successfully connect to a discoverable device without confirmation and permit keystroke injection.

Patch: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675
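The two preconditions named in the description are that the host accepts HID connections from non-bonded devices and that the adapter is discoverable. The following POSIX sh script is an added example for auditing a Linux host for both; it is not part of the bug report or of the BlueZ fix. It assumes the `ClassicBondedOnly` key in `/etc/bluetooth/input.conf` (taken here to be the BlueZ input-plugin setting that limits classic HID connections to bonded devices; its default depends on the installed BlueZ version, so an absent key is reported as "unset" rather than guessed) and the `Discoverable: yes/no` line printed by `bluetoothctl show`. The sample inputs at the top are constructed for offline use.

```shell
#!/bin/sh
# Added example, not code from the bug report or from BlueZ.
# Audits the two conditions behind CVE-2023-45866 on a Linux host:
#   1. does the BlueZ input plugin restrict classic HID to bonded devices?
#   2. is an adapter currently discoverable?

# Constructed sample inputs (not captured from a real system).
SAMPLE_INPUT_CONF='[General]
# constructed sample input.conf
ClassicBondedOnly=false
'
SAMPLE_SHOW='Controller AA:BB:CC:DD:EE:FF (public)
	Name: example-host
	Discoverable: yes
	Pairable: yes
'

# Print "true", "false" or "unset" for ClassicBondedOnly in the given
# input.conf text. Assumption: the key lives in input.conf under [General];
# this simplified parser ignores section headers, strips '#' comments and
# takes the last assignment found.
classic_bonded_only_setting() {
    val=$(printf '%s\n' "$1" | sed 's/#.*//' |
          awk -F= '/^[[:space:]]*ClassicBondedOnly[[:space:]]*=/ {
                      gsub(/[[:space:]]/, "", $2); v = $2
                   } END { print v }' |
          tr 'A-Z' 'a-z')
    case "$val" in
        true)  echo true ;;
        false) echo false ;;
        *)     echo unset ;;
    esac
}

# Return 0 if the given `bluetoothctl show` output reports the adapter as
# discoverable (assumed line format: "Discoverable: yes").
adapter_discoverable() {
    printf '%s\n' "$1" | grep -qi '^[[:space:]]*Discoverable:[[:space:]]*yes'
}

# Read the live configuration and adapter state and print a short verdict.
# Both reads are guarded so the script degrades cleanly on hosts without BlueZ.
audit_host() {
    conf_path=/etc/bluetooth/input.conf
    if [ -r "$conf_path" ]; then
        setting=$(classic_bonded_only_setting "$(cat "$conf_path")")
    else
        setting=unset
    fi
    case "$setting" in
        true)  echo "HID bonded-only: enforced ($conf_path)" ;;
        false) echo "HID bonded-only: DISABLED in $conf_path (non-bonded HID allowed)" ;;
        *)     echo "HID bonded-only: unset; behaviour follows the installed bluez default" ;;
    esac

    if command -v bluetoothctl >/dev/null 2>&1; then
        show=$(bluetoothctl show 2>/dev/null)
        if adapter_discoverable "$show"; then
            echo "Adapter: DISCOVERABLE (exposed to unsolicited connections)"
        else
            echo "Adapter: not discoverable"
        fi
    else
        echo "Adapter: bluetoothctl not found, state unknown"
    fi
}

# Run the live audit only when explicitly requested.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run `sh check_hid_bonding.sh --audit` as a user who can read `/etc/bluetooth/input.conf`; without `--audit` the script only defines the functions, so it can be sourced and exercised against captured text. An "unset" result is deliberately not interpreted: on a patched package it means the hardened default applies, on an unpatched one it does not, so pair it with the package version from the RHSA referenced below.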

Comment 1 TEJ RATHI 2023-12-07 05:02:27 UTC
Created bluez tracking bugs for this issue:

Affects: fedora-all [bug 2253392]

Comment 3 errata-xmlrpc 2024-11-12 10:45:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9413 https://access.redhat.com/errata/RHSA-2024:9413

Comment 4 errata-xmlrpc 2024-12-17 18:57:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:11154 https://access.redhat.com/errata/RHSA-2024:11154