Bug 1606203 (CVE-2018-10910) - CVE-2018-10910 bluez: failure in disabling Bluetooth discoverability in certain cases may lead to the unauthorized pairing of Bluetooth devices
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-10910
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1606371 1606373 1609340
Blocks: 1594633
Reported: 2018-07-20 18:55 UTC by Scott Gayou
Modified: 2021-02-16 23:56 UTC (History)
CC: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A bug in Bluez may allow for the Bluetooth Discoverable state being set to on when no Bluetooth agent is registered with the system. This situation could lead to the unauthorized pairing of certain Bluetooth devices without any form of authentication.
Clone Of:
Environment:
Last Closed: 2020-03-31 22:32:46 UTC
Embargoed:


Links:
Red Hat Product Errata RHSA-2020:1101 (last updated 2020-03-31 19:22:39 UTC)
Red Hat Product Errata RHSA-2020:1912 (last updated 2020-04-28 16:06:18 UTC)

Description Scott Gayou 2018-07-20 18:55:53 UTC
A bug in bluez prevents the disabling of Bluetooth discoverability. In certain situations, this flaw could potentially lead to the unauthorized pairing of Bluetooth devices.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1602985

Comment 1 Scott Gayou 2018-07-20 19:39:13 UTC
Upstream workaround in gnome-bluetooth: https://gitlab.gnome.org/GNOME/gnome-bluetooth/commit/6b5086d42ea64d46277f3c93b43984f331d12f89

Note that the actual bug is not in gnome-bluetooth.

RHEL is not affected as RHEL-7 is running Gnome 3.26, which is not impacted.

Comment 2 Scott Gayou 2018-07-20 19:41:02 UTC
Created bluez tracking bugs for this issue:

Affects: fedora-all [bug 1606371]

Comment 5 Scott Gayou 2018-07-24 15:58:02 UTC
Acknowledgments:

Name: Chris Marchesi

Comment 8 Scott Gayou 2018-07-30 14:48:54 UTC
Mitigation:

Disable Bluetooth.
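Added example, not part of the bug report or of BlueZ: a shell audit that reads the adapter fields printed by `bluetoothctl show` and flags the powered, discoverable and pairable combination that this bug can leave enabled, so an administrator can confirm the mitigation took effect. The sample output, adapter address and host name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a BlueZ adapter's state from
# `bluetoothctl show` output and report whether it is exposed to unauthenticated
# pairing attempts while discoverable.

# Extract one "Key: value" field from bluetoothctl-style output.
# Usage: adapter_field "<output>" Discoverable
adapter_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Returns 0 (exposed) when the adapter is powered, discoverable and pairable,
# which is the state the CVE describes being left on without an agent to gate
# pairing requests; returns 1 otherwise.
adapter_exposed() {
    [ "$(adapter_field "$1" Powered)" = "yes" ] &&
    [ "$(adapter_field "$1" Discoverable)" = "yes" ] &&
    [ "$(adapter_field "$1" Pairable)" = "yes" ]
}

# Constructed sample output in the shape `bluetoothctl show` prints
# (address, name and class are placeholders, not real devices).
SAMPLE_EXPOSED='Controller 00:11:22:33:44:55 (public)
    Name: example-host
    Alias: example-host
    Class: 0x00000000
    Powered: yes
    Discoverable: yes
    Pairable: yes'

SAMPLE_SAFE='Controller 00:11:22:33:44:55 (public)
    Name: example-host
    Powered: yes
    Discoverable: no
    Pairable: yes'

# Live check when bluetoothctl is present; otherwise audit the constructed sample.
audit_adapter() {
    if command -v bluetoothctl >/dev/null 2>&1; then
        out=$(bluetoothctl show 2>/dev/null)
    else
        out=$SAMPLE_EXPOSED
    fi
    if adapter_exposed "$out"; then
        echo "adapter is discoverable and pairable: turn discoverability off" \
             "('bluetoothctl discoverable off') or block the radio ('rfkill block bluetooth')"
        return 1
    fi
    echo "adapter is not discoverable"
    return 0
}

# Run the audit only when invoked with --run, so sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then
    audit_adapter
fi
```

Run it as `sh audit.sh --run` on the host; a non-zero exit means the adapter is still discoverable and pairable, which is the condition the mitigation above (disabling Bluetooth) is meant to remove.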

Comment 9 Scott Gayou 2018-08-09 18:14:10 UTC
It appears that a fix was merged upstream and may be available in a future release of BlueZ 5.51. gnome-bluetooth-3.28.2 will take advantage of this fix.

Comment 10 errata-xmlrpc 2020-03-31 19:22:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1101 https://access.redhat.com/errata/RHSA-2020:1101

Comment 11 Product Security DevOps Team 2020-03-31 22:32:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-10910

Comment 12 errata-xmlrpc 2020-04-28 16:06:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1912 https://access.redhat.com/errata/RHSA-2020:1912
