
Warning: Critical vulnerability CVE-2023-45866 in Bluetooth, Patch Immediately!

Reference: Advisory #2023-147
Version: 1.0
Affected software: Bluetooth protocol implementations for (confirmed, but not limited to):
  macOS (Monterey 12.6.7 (x86), Ventura 13.3.3 (ARM))
  iOS (iOS 16.6)
  Android (OS 4.2.2, 6.01, 10, 11, 13, 14)
  Linux kernel with BlueZ (Ubuntu 18.04, 20.04, 22.04 and 23.10)
Type: Unauthenticated Bluetooth keystroke injection, authentication bypass
CVE/CVSS: CVE-2023-45866: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://www.tenable.com/cve/CVE-2023-45866

Risks

A critical vulnerability was discovered affecting Bluetooth in macOS, iOS, Android and Linux. It has severe impact on confidentiality, integrity, and availability.

Apple has released patches for iOS, iPadOS and macOS. On Apple devices the vulnerability can only be exploited if an Apple Magic Keyboard is paired via Bluetooth. Lockdown Mode, an optional protection setting on Apple devices that claims to protect against highly sophisticated digital threats, is also affected by CVE-2023-45866.

Android patches for OS versions 11 through 14 have been released and sent to the manufacturers of smartphones and tablets based on the Android OS. The only requirement for an Android device to be affected by CVE-2023-45866 is to have Bluetooth enabled.

The Linux Bluetooth stack "BlueZ", included in the official Linux kernel, has a patch available. The requirement for a Linux device using the BlueZ Bluetooth stack to be vulnerable is that it is discoverable and connectable through Bluetooth.

CVE-2023-45866 is not reported to be exploited in the wild at the time of writing. Exploitation is nonetheless highly likely once more information about the vulnerability, including proof-of-concept scripts, is released.

Description

CVE-2023-45866 is a critical vulnerability that allows an unauthenticated attacker within Bluetooth range to inject keystrokes into a vulnerable device (e.g. to install malicious apps, run arbitrary commands, etc.). The attacker bypasses the user confirmation that would normally be required when connecting to the vulnerable device.

Recommended Actions

The Centre for Cybersecurity Belgium strongly recommends updating all affected devices to the latest available software version.
For Android devices: disabling Bluetooth when not in use is advised until vendor patches become available.
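
The advisory states that a Linux host running BlueZ meets the precondition for CVE-2023-45866 only when its adapter is discoverable and connectable. The following shell script is an added example (not part of the CCB advisory or of the BlueZ project) that turns that precondition into a quick exposure check: it parses the text that `bluetoothctl show` prints (the `Powered:`, `Discoverable:` and `Pairable:` fields are real bluetoothctl output fields) and classifies the adapter. The sample outputs, adapter address and adapter name in the script are constructed placeholders; the `BT_SHOW_OUTPUT` variable is an assumption of this example, not a BlueZ setting. Note that the script only reports whether the exposure precondition holds; it does not test whether the installed BlueZ version carries the patch, and applying the vendor patch remains the actual fix.

```shell
#!/bin/sh
# Added example: classify a BlueZ adapter's exposure to the CVE-2023-45866
# precondition from `bluetoothctl show` text. Not the advisory's own tooling.

# field_value "<show output>" "<Field>" -> prints the field's value
# (e.g. "yes"/"no"), or nothing if the field is absent. Matching on the
# whole first token ("Discoverable:") keeps "DiscoverableTimeout:" from
# being mistaken for "Discoverable:".
field_value() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# assess_adapter "<show output>" -> prints exactly one of:
#   OFF      adapter is powered off and cannot be reached over Bluetooth
#   EXPOSED  adapter is powered and discoverable: the advisory's Linux
#            precondition (discoverable and connectable) is met
#   LIMITED  adapter is powered but not discoverable
assess_adapter() {
    powered=$(field_value "$1" Powered)
    discoverable=$(field_value "$1" Discoverable)
    if [ "$powered" != "yes" ]; then
        echo OFF
    elif [ "$discoverable" = "yes" ]; then
        echo EXPOSED
    else
        echo LIMITED
    fi
}

# Constructed samples in the shape of `bluetoothctl show` output.
# Address and name are placeholders, not real devices.
SAMPLE_EXPOSED='Controller AA:BB:CC:DD:EE:FF (public)
    Name: example-laptop
    Alias: example-laptop
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x00000000
    Pairable: yes'

SAMPLE_LIMITED='Controller AA:BB:CC:DD:EE:FF (public)
    Name: example-laptop
    Alias: example-laptop
    Powered: yes
    Discoverable: no
    DiscoverableTimeout: 0x00000000
    Pairable: yes'

# Use the live adapter when bluetoothctl is available and BT_SHOW_OUTPUT
# (an assumed variable for this example) is not pre-set; otherwise fall
# back to the constructed samples so the script runs offline.
if [ -z "${BT_SHOW_OUTPUT:-}" ] && command -v bluetoothctl >/dev/null 2>&1; then
    BT_SHOW_OUTPUT=$(bluetoothctl show 2>/dev/null || true)
fi

if [ -n "${BT_SHOW_OUTPUT:-}" ]; then
    echo "live adapter: $(assess_adapter "$BT_SHOW_OUTPUT")"
else
    echo "sample (discoverable):     $(assess_adapter "$SAMPLE_EXPOSED")"
    echo "sample (not discoverable): $(assess_adapter "$SAMPLE_LIMITED")"
fi
```

An adapter reported as EXPOSED can be taken out of the precondition with `bluetoothctl discoverable off` (or by powering the adapter off when Bluetooth is not needed), which mirrors the advisory's interim advice for Android; this reduces the attack surface until the BlueZ patch is installed but does not replace it.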

References

https://github.com/skysafe/reblog/tree/main/cve-2023-45866
https://www.tenable.com/cve/CVE-2023-45866
https://support.apple.com/en-us/HT214036
https://support.apple.com/en-us/HT214035