Updated 23 January 2024 (corrected OS 11 update)

Updated 16 January 2024 (added fixed versions)

First published 19 December 2023

CVSS 3.1: 8.8 (High)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

A security vulnerability has been discovered in the Bluetooth stack used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12
  • IGEL OS 11

Details

It has been found that BlueZ does not properly restrict non-bonded devices from injecting Human Interface Device (HID) events into the input subsystem. This could allow a physically proximate attacker to inject keystrokes and mouse events, and thereby execute arbitrary commands, while the device is discoverable.

Mitigation

  1. Use wired USB devices for keyboard and mouse.
  2. Disable Bluetooth in IGEL Setup under Devices > Bluetooth.
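A quick way to verify that the second mitigation is actually in effect on a Linux client is to check the local controller state with `bluetoothctl show`. The following audit script is an added example, not IGEL's or BlueZ's code: it parses that output and reports whether the adapter is in the state the advisory warns about (powered on and discoverable); the two sample outputs and the adapter name are constructed for the example.

```python
"""Audit a BlueZ controller for the exposed state described in the advisory."""
import re
import shutil
import subprocess

# Constructed sample: adapter powered and discoverable (mitigation not applied).
SAMPLE_EXPOSED = """\
Controller AA:BB:CC:DD:EE:FF igel-client [default]
\tName: igel-client
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
"""

# Constructed sample: Bluetooth switched off (mitigation 2 applied).
SAMPLE_OFF = """\
Controller AA:BB:CC:DD:EE:FF igel-client [default]
\tName: igel-client
\tPowered: no
\tDiscoverable: no
\tPairable: no
"""

def parse_show(text):
    """Return the indented 'Key: value' fields of `bluetoothctl show` as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s+([A-Za-z]+): (.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def assess(text):
    """Classify the adapter: 'exposed' means it is powered and visible to
    non-bonded devices, the precondition the advisory names for HID injection."""
    fields = parse_show(text)
    if not fields:
        return "no adapter"
    if fields.get("Powered") != "yes":
        return "bluetooth off"
    if fields.get("Discoverable") == "yes":
        return "exposed"
    return "powered, not discoverable"

def assess_live():
    """Run bluetoothctl on this host; 'no adapter' if BlueZ is not installed."""
    if shutil.which("bluetoothctl") is None:
        return "no adapter"
    out = subprocess.run(["bluetoothctl", "show"], capture_output=True, text=True).stdout
    return assess(out)

if __name__ == "__main__":
    print(assess_live())
```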

Update Instructions

  • OS 12: Update to OS 12 base system app version 12.3.1 (planned to be released on 6 Feb 2024).
  • OS 11: IGEL is preparing an OS 11 release with fixed Bluetooth.
