Bug 2187308 (CVE-2023-2002) - CVE-2023-2002 Kernel: bluetooth: Unauthorized management command execution
Summary: CVE-2023-2002 Kernel: bluetooth: Unauthorized management command execution
Keywords:
Status: NEW
Alias: CVE-2023-2002
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2196337 2196338 2196339 2196340 2196341 2196342 2196343 2196344 2196345 2196346 2196347 2196348 2196349 2196350 2196352 2196353 2196354 2196355 2196356 2196357 2196358 2196359 2196361 2196362 2196363 2196364 2196365
Blocks: 2186243
Reported: 2023-04-17 12:23 UTC by Rohit Keshri
Modified: 2024-04-30 16:24 UTC (History)

Fixed In Version: Kernel 6.4-rc1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to execute management commands without authorization, compromising the confidentiality, integrity, and availability of Bluetooth communication.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2023:5149 | 0 | None | None | None | 2023-09-14 05:20:37 UTC
Red Hat Product Errata | RHBA-2023:5301 | 0 | None | None | None | 2023-09-19 18:56:16 UTC
Red Hat Product Errata | RHBA-2023:5328 | 0 | None | None | None | 2023-09-21 11:17:33 UTC
Red Hat Product Errata | RHBA-2023:5329 | 0 | None | None | None | 2023-09-21 12:27:47 UTC
Red Hat Product Errata | RHBA-2023:5338 | 0 | None | None | None | 2023-09-25 01:13:40 UTC
Red Hat Product Errata | RHBA-2023:5355 | 0 | None | None | None | 2023-09-26 10:24:49 UTC
Red Hat Product Errata | RHBA-2024:2615 | 0 | None | None | None | 2024-04-30 16:24:08 UTC
Red Hat Product Errata | RHSA-2023:3708 | 0 | None | None | None | 2023-06-21 14:38:27 UTC
Red Hat Product Errata | RHSA-2023:3723 | 0 | None | None | None | 2023-06-21 14:39:12 UTC
Red Hat Product Errata | RHSA-2023:4137 | 0 | None | None | None | 2023-07-18 08:28:41 UTC
Red Hat Product Errata | RHSA-2023:4138 | 0 | None | None | None | 2023-07-18 08:28:50 UTC
Red Hat Product Errata | RHSA-2023:4789 | 0 | None | None | None | 2023-08-29 08:44:05 UTC
Red Hat Product Errata | RHSA-2023:4961 | 0 | None | None | None | 2023-09-05 08:58:46 UTC
Red Hat Product Errata | RHSA-2023:4962 | 0 | None | None | None | 2023-09-05 09:06:35 UTC
Red Hat Product Errata | RHSA-2023:5244 | 0 | None | None | None | 2023-09-19 14:35:14 UTC
Red Hat Product Errata | RHSA-2023:5255 | 0 | None | None | None | 2023-09-19 14:02:20 UTC
Red Hat Product Errata | RHSA-2024:1746 | 0 | None | None | None | 2024-04-10 08:05:11 UTC
Red Hat Product Errata | RHSA-2024:2003 | 0 | None | None | None | 2024-04-23 15:43:02 UTC
Red Hat Product Errata | RHSA-2024:2004 | 0 | None | None | None | 2024-04-23 16:38:56 UTC

Description Rohit Keshri 2023-04-17 12:23:47 UTC
An insufficient permission check has been found in the Bluetooth subsystem of
the Linux kernel when handling ioctl system calls of HCI sockets. This means
that tasks without the proper CAP_NET_ADMIN capability can easily mark HCI
sockets as _trusted_. Trusted sockets are intended to enable the sending and
receiving of management commands and events, such as pairing or connecting
with a new device. As a result, unprivileged users can acquire a trusted
socket, leading to unauthorized execution of management commands. The exploit
requires only the presence of a set of commonly used setuid programs (e.g.,
su, sudo).

Reference:
https://www.openwall.com/lists/oss-security/2023/04/16/3

Comment 5 errata-xmlrpc 2023-06-21 14:38:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3708 https://access.redhat.com/errata/RHSA-2023:3708

Comment 6 errata-xmlrpc 2023-06-21 14:39:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3723 https://access.redhat.com/errata/RHSA-2023:3723

Comment 8 errata-xmlrpc 2023-07-18 08:28:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4137 https://access.redhat.com/errata/RHSA-2023:4137

Comment 9 errata-xmlrpc 2023-07-18 08:28:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4138 https://access.redhat.com/errata/RHSA-2023:4138

Comment 11 errata-xmlrpc 2023-08-29 08:44:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4789 https://access.redhat.com/errata/RHSA-2023:4789

Comment 12 errata-xmlrpc 2023-09-05 08:58:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4961 https://access.redhat.com/errata/RHSA-2023:4961

Comment 13 errata-xmlrpc 2023-09-05 09:06:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4962 https://access.redhat.com/errata/RHSA-2023:4962

Comment 15 errata-xmlrpc 2023-09-19 14:02:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5255 https://access.redhat.com/errata/RHSA-2023:5255

Comment 16 errata-xmlrpc 2023-09-19 14:35:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5244 https://access.redhat.com/errata/RHSA-2023:5244

Comment 17 errata-xmlrpc 2024-04-10 08:05:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2024:1746 https://access.redhat.com/errata/RHSA-2024:1746

Comment 18 errata-xmlrpc 2024-04-23 15:42:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:2003 https://access.redhat.com/errata/RHSA-2024:2003

Comment 19 errata-xmlrpc 2024-04-23 16:38:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:2004 https://access.redhat.com/errata/RHSA-2024:2004
