ISN 2023-36: BlueZ Vulnerability

Updated 23 January 2024 (corrected OS 11 update)

Updated 16 January 2024 (added fixed versions)

First published 19 December 2023

CVSS 3.1: 8.8 (High)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

A security vulnerability has been discovered in the Bluetooth stack used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12
  • IGEL OS 11

Details

It has been found that BlueZ does not properly restrict non-bonded devices from injecting Human Interface Device (HID) events into the input subsystem. This could allow a physically proximate attacker to inject keystrokes and mouse events – and execute arbitrary commands when the device is discoverable.

Mitigation

  1. Use wired USB devices for keyboard and mouse.
  2. Disable Bluetooth in Setup under Devices > Bluetooth.
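
An added example, not part of the IGEL advisory: a shell check that classifies each Bluetooth controller from the text printed by BlueZ's `bluetoothctl show`, to confirm that mitigation 2 is in effect and to flag controllers in the discoverable state named under Details. It assumes `bluetoothctl` is available on the endpoint; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Bluetooth controller state against the advisory's mitigation.
# Input is the text printed by `bluetoothctl show` (assumed to be available).

# Print "<controller-address> <state>" for each controller, where state is:
#   off           Powered: no (mitigation 2 in effect)
#   on            powered, not discoverable (Bluetooth still enabled)
#   discoverable  powered and discoverable (the condition named under Details)
classify_controllers() {
    awk '
        function emit() {
            if (addr == "") return
            state = "off"
            if (powered == "yes") state = (disc == "yes") ? "discoverable" : "on"
            print addr, state
        }
        $1 == "Controller"    { emit(); addr = $2; powered = "no"; disc = "no"; next }
        $1 == "Powered:"      { powered = $2 }
        $1 == "Discoverable:" { disc = $2 }
        END { emit() }
    '
}

# Succeed only if every controller in the input is powered off.
bluetooth_disabled() {
    ! classify_controllers | grep -qv ' off$'
}

# Constructed sample of `bluetoothctl show` output (addresses and names are made up).
sample_output() {
    cat <<'EOF'
Controller 00:11:22:33:44:55 (public)
    Name: endpoint-a
    Powered: yes
    Discoverable: yes
    Pairable: yes
Controller 66:77:88:99:AA:BB (public)
    Name: endpoint-b
    Powered: no
    Discoverable: no
EOF
}

# On a real endpoint: bluetoothctl show | classify_controllers
sample_output | classify_controllers
```
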

Update Instructions

  • OS 12: Update to OS 12 base system app version 12.3.1 (planned to be released on 6 Feb 2024).
  • OS 11: IGEL is preparing an OS 11 release with fixed Bluetooth.
