CVE-2023-45866

Published Dec 8, 2023

Last updated 3 months ago

CVSS medium 6.3

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2023-45866 is an improper authentication vulnerability in the Bluetooth protocol, specifically impacting Bluetooth HID (Human Interface Device) hosts. This vulnerability allows an unauthenticated peripheral HID device, such as a keyboard or mouse, to establish an encrypted connection and potentially inject HID messages without user interaction. Affected systems include those running BlueZ, a Linux Bluetooth stack, notably impacting Ubuntu 22.04LTS with the bluez 5.64-0ubuntu1 package. The vulnerability also affects Android, iOS, macOS, and Linux-based smart TVs with Bluetooth interfaces. Exploitation of this vulnerability could allow attackers to inject keystrokes, potentially leading to data theft or execution of malicious actions on the targeted device. Fixes for this vulnerability have been released in various software updates, including iOS 17.2, iPadOS 17.2, and macOS Sonoma 14.2. It's crucial to keep software updated to mitigate the risk posed by CVE-2023-45866. The vulnerability highlights the importance of secure Bluetooth implementations and the need for regular updates to address emerging security flaws.

Description
Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.
Source
cve@mitre.org
NVD status
Modified

Risk scores

CVSS 3.1

Type
Primary
Base score
6.3
Impact score
3.4
Exploitability score
2.8
Vector string
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity
MEDIUM

Weaknesses

nvd@nist.gov
CWE-287

Social media

Hype score
Not currently trending

  1. BlueDucky CVE-2023-45866 تنفيذ (باستخدام DuckyScript) 🔓 اقتران غير مصدق يؤدي إلى تنفيذ التعليمات البرمجية (باستخدام لوحة مفاتيح HID) https://t.co/GNxp2RKZop https://t.co/SRyDFP8Psm

    @TareqALhazzaa

    2 Mar 2025

    1405 Impressions

    3 Retweets

    35 Likes

    11 Bookmarks

    0 Replies

    0 Quotes

  2. Unpatched Bluetooth Devices are vulnerable to zero-click keystroke injection attacks in Linux, MacOS, Android, and Windows using CVE-2023-45866 Learn how to use this attack and protect yourself these type of attacks at our upcoming Bluetooth Hacking class January 28-30.… https:/

    @three_cube

    14 Jan 2025

    474 Impressions

    2 Retweets

    14 Likes

    6 Bookmarks

    1 Reply

    0 Quotes

  3. #BlueDucky is still a relevant tool to scan and identify vulnerable #Bluetooth devices to 0-click attack (CVE-2023-45866). Don't postpone updates of your smart gadgets in 2025 Post Credit: Lukas Stefanko #infosec #hacking #hacker #cyberseurity #bugbounty #bugbountytips https:/

    @viehgroup

    8 Jan 2025

    114 Impressions

    1 Retweet

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Top 5 Trending CVEs: 1 - CVE-2024-43405 2 - CVE-2023-45866 3 - CVE-2024-49112 4 - CVE-2024-49113 5 - CVE-2024-4367 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    5 Jan 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 📱 BlueDucky (https://t.co/phr4mpbvw9) is still a relevant tool to scan and identify vulnerable #Bluetooth devices (CVE-2023-45866). 🖥 Website: 🔗 Link (https://t.co/niRUEtYwbG) https://t.co/phr4mpbvw9 #NetHunter #InfoSec #CyberSecurity #Hacking

    @HackingTeam777

    4 Jan 2025

    275 Impressions

    1 Retweet

    5 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  6. GitHub - pentestfunctions/BlueDucky: 🚨 CVE-2023-45866 - BlueDucky Implementation (Using DuckyScript) Unauthenticated Peering Leading to Code Execution (Using HID Keyboard) https://t.co/IchNb1z5Zt

    @akaclandestine

    4 Jan 2025

    1577 Impressions

    4 Retweets

    19 Likes

    4 Bookmarks

    1 Reply

    0 Quotes

  7. 📱 BlueDucky is still a relevant tool to scan and identify vulnerable #Bluetooth devices (CVE-2023-45866). Don't postpone updates of your devices in 2025⚠️ 🖥 Website: 🔗 Link https://t.co/phr4mpbvw9 #NetHunter #InfoSec #CyberSecurity #Hacking

    @HackingTeam777

    4 Jan 2025

    1473 Impressions

    14 Retweets

    61 Likes

    23 Bookmarks

    0 Replies

    0 Quotes

  8. BlueDucky is a powerful tool for exploiting a vulnerability in Bluetooth devices. (CVE-2023-45866) https://t.co/5u7QiGJdbj #Vulnerability #Bluetooth #Hacking #Pentest https://t.co/NJV09aJaUX

    @hackingspace

    3 Jan 2025

    363 Impressions

    4 Retweets

    6 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  9. #BlueDucky is still a relevant tool to scan and identify vulnerable #Bluetooth devices (CVE-2023-45866). Don't postpone updates of your devices in 2025 https://t.co/B1jkbNdaNY #NetHunter https://t.co/sZ5pDFAQr3

    @androidmalware2

    3 Jan 2025

    30113 Impressions

    147 Retweets

    840 Likes

    498 Bookmarks

    3 Replies

    5 Quotes

  10. Discovered 600+ #Bluetooth devices at the airport. Wonder how many of them are patched against Bluetooth pairing vulnerability that leads to 0-click RCE (CVE-2023-45866) #BlueDucky https://t.co/B1jkbNdaNY https://t.co/vLMbEVTdCx

    @androidmalware2

    14 Dec 2024

    10312 Impressions

    47 Retweets

    209 Likes

    97 Bookmarks

    4 Replies

    1 Quote

Configurations

References