阿里云漏洞库

漏洞描述

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
http://changelogs.ubuntu.com/changelogs/pool/main/b/bluez/bluez_5.64-0ubuntu1...
http://seclists.org/fulldisclosure/2023/Dec/7
http://seclists.org/fulldisclosure/2023/Dec/9
https://bluetooth.com
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=2...
https://github.com/skysafe/reblog/tree/main/cve-2023-45866
https://lists.debian.org/debian-lts-announce/2023/12/msg00011.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://security.gentoo.org/glsa/202401-03
https://support.apple.com/kb/HT214035
https://support.apple.com/kb/HT214036
https://www.debian.org/security/2023/dsa-5584

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	系统	amazon_2	bluez	*		Up to (excluding) 5.44-7.amzn2.0.4
	运行在以下环境
	系统	amazon_2023	bluez	*		Up to (excluding) 5.62-2.amzn2023.0.5
	运行在以下环境
	系统	anolis_os_23	bluez	*		Up to (excluding) 5.71-1
	运行在以下环境
	系统	apple	ipad_os	*		Up to (excluding) 17.2
	运行在以下环境
	系统	apple	iphone_os	*		Up to (excluding) 17.2
	运行在以下环境
	系统	apple	iphone_os	16.6	-
	运行在以下环境
	系统	apple	macos	*	From (including) 14.0	Up to (excluding) 14.2
	运行在以下环境
	系统	apple	macos	12.6.7	-
	运行在以下环境
	系统	apple	macos	13.3.3	-
	运行在以下环境
	系统	canonical	ubuntu_linux	18.04	-
	运行在以下环境
	系统	canonical	ubuntu_linux	20.04	-
	运行在以下环境
	系统	canonical	ubuntu_linux	22.04	-
	运行在以下环境
	系统	canonical	ubuntu_linux	23.10	-
	运行在以下环境
	系统	debian_10	bluez	*		Up to (excluding) 5.50-1.2~deb10u4
	运行在以下环境
	系统	debian_11	bluez	*		Up to (excluding) 5.55-3.1+deb11u1
	运行在以下环境
	系统	debian_12	bluez	*		Up to (excluding) 5.66-1+deb12u1
	运行在以下环境
	系统	fedoraproject	fedora	38	-
	运行在以下环境
	系统	fedoraproject	fedora	39	-
	运行在以下环境
	系统	fedora_38	bluez	*		Up to (excluding) 5.70-5.fc38
	运行在以下环境
	系统	fedora_39	bluez	*		Up to (excluding) 5.70-5.fc39
	运行在以下环境
	系统	google	android	10.0	-
	运行在以下环境
	系统	google	android	11.0	-
	运行在以下环境
	系统	google	android	13.0	-
	运行在以下环境
	系统	google	android	14.0	-
	运行在以下环境
	系统	google	android	4.2.2	-
	运行在以下环境
	系统	google	android	6.0.1	-
	运行在以下环境
	系统	kylinos_aarch64_V10	bluez	*		Up to (excluding) 5.54-18.ky10h
	运行在以下环境
	系统	kylinos_aarch64_V10HPC	bluez	*		Up to (excluding) 5.54-18.ky10h
	运行在以下环境
	系统	kylinos_aarch64_V10SP2	bluez	*		Up to (excluding) 5.54-13.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP3	bluez	*		Up to (excluding) 5.54-13.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP32309a	bluez	*		Up to (excluding) 5.54-18.ky10h
	运行在以下环境
系统	kylinos_aarch64_V10SP32309b	bluez	*		Up to (excluding) 5.54-13.ky10
运行在以下环境
系统	kylinos_loongarch64_V10SP1	bluez	*		Up to (excluding) 5.54-13.p01.a.ky10
运行在以下环境
系统	kylinos_x86_64_V10	bluez	*		Up to (excluding) 5.54-13.ky10
运行在以下环境
系统	kylinos_x86_64_V10HPC	bluez	*		Up to (excluding) 5.54-18.ky10h
运行在以下环境
系统	kylinos_x86_64_V10SP2	bluez	*		Up to (excluding) 5.54-13.ky10
运行在以下环境
系统	kylinos_x86_64_V10SP3	bluez	*		Up to (excluding) 5.54-13.ky10
运行在以下环境
系统	ubuntu_20.04	bluez	*		Up to (excluding) 5.53-0ubuntu3.7
运行在以下环境
系统	ubuntu_22.04	bluez	*		Up to (excluding) 5.64-0ubuntu1.1
运行在以下环境
硬件	apple	iphone_se	-	-
运行在以下环境
硬件	apple	macbook_air	2017	-
运行在以下环境
硬件	apple	macbook_pro	m2	-
运行在以下环境
硬件	bluproducts	dash	3.5	-
运行在以下环境
硬件	google	nexus_5	-	-
运行在以下环境
硬件	google	pixel_2	-	-
运行在以下环境
硬件	google	pixel_4a	-	-
运行在以下环境
硬件	google	pixel_6	-	-
运行在以下环境
硬件	google	pixel_7	-	-

攻击路径

远程
攻击复杂度

复杂
权限要求

普通权限
影响范围

全局影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

无影响
数据完整性

无影响
服务器危害

无影响
全网数量

N/A

CWE-ID	漏洞类型
CWE-287	认证机制不恰当

中危 bluez-libs-debuginfo 安全漏洞 (CVE-2023-45866)

漏洞描述

解决建议

参考链接

受影响软件情况