CVE-2023-45866: Input Validation

Published Dec 4, 2023
·
Updated

Accessibility. A privacy issue was addressed with improved private data redaction for log entries.

Credit

Marc Newlin(SkySafe), Mickey Jin@@patch1t, an anonymous researcher, Koh M. Nakagawa@@tsunek0h, CVE-2023-38545, CVE-2023-38039, CVE-2023-38546, Yann GASCUEL(Alter Solutions), Anthony Cruz Tyrant Corp@@App, Wojciech Regula(SecuRing), Zhenjiang Zhao(Pangu Team), Qianxin, Junsung Lee, Meysam Firouzi@@R00tkitSMM, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Pan ZhenPeng@@Peterpan0927(STAR Labs SG Pte), Eloi Benoist-Vanderbeken@@elvanderb(Synacktiv), CVE-2023-42893, CVE-2023-3618, CVE-2020-19185, CVE-2020-19186, CVE-2020-19187, CVE-2020-19188, CVE-2020-19189, CVE-2020-19190, Ron Masas(BreakPoint), Csaba Fitzl@@theevilbit(OffSec), Csaba Fitzl@@theevilbit(Offensive Security), Arsenii Kostromin (0x3c3e), Mattie Behrens, Joshua Jewett@@JoshJewett33, Zhongquan Li@@Guluisacat, Zhongquan Li@@Guluisacat(Dawn Security Lab of JingDong), CVE-2023-5344, Pwn2car, Zoom Offensive Security Team, Nan Wang@@eternalsakura13(360 Vulnerability Research Institute), rushikesh nandedkar, SungKwon Lee (Demon.Team), Noah Roskin-Frazee, Pr, Ivan Fratric(Google Project Zero), (Trend Micro Zero Day Initiative), Don Clarke, Kirin@@Pwnrin, Christopher Reynolds, Aymane Chabat, ARJUN S D, Andrew Goldberg(The McCombs School of Business), The University(Texas at Austin), Apple

Affected Software

49 affected componentsFixes available
debian/bluez<=5.55-3.1, <=5.66-1, <=5.70-1
5.70-1.1~exp05.70-1.15.66-1+deb12u15.55-3.1+deb11u1
ubuntu/bluez<5.37-0ubuntu5.3+
5.37-0ubuntu5.3+
ubuntu/bluez<5.48-0ubuntu3.9+
5.48-0ubuntu3.9+
ubuntu/bluez<5.53-0ubuntu3.7
5.53-0ubuntu3.7
ubuntu/bluez<5.64-0ubuntu1.1
5.64-0ubuntu1.1
ubuntu/bluez<5.66-0ubuntu1.1
5.66-0ubuntu1.1
ubuntu/bluez<5.68-0ubuntu1.1
5.68-0ubuntu1.1
debian/bluez<=5.50-1.2~deb10u2
5.50-1.2~deb10u45.55-3.1+deb11u15.66-1+deb12u15.71-1
Apple macOS Sonoma<14.2
14.2
Google Android
Apple iOS
Apple macOS
Android Android=4.2.2-10
Linux Linux
Ubuntu Ubuntu=18.04
Ubuntu Ubuntu=20.04
Ubuntu Ubuntu=22.04
Ubuntu Ubuntu=23.10
All of the following
Google Android=4.2.2
Bluproducts Dash=3.5
All of the following
Google Android=6.0.1
Google Nexus 5
All of the following
Any of the following
Google Android=10.0
Google Android=11.0
Google Pixel 2
All of the following
Google Android=13.0
Any of the following
Google Pixel 4a
Google Pixel 6
All of the following
Google Android=14.0
Google Pixel 7
Canonical Ubuntu Linux=18.04
Canonical Ubuntu Linux=20.04
Canonical Ubuntu Linux=22.04
Canonical Ubuntu Linux=23.10
All of the following
Apple iPhone OS=16.6
Apple Iphone Se
All of the following
Apple macOS=12.6.7
Apple Macbook Air=2017
All of the following
Apple macOS=13.3.3
Apple Macbook Pro=m2
Fedoraproject Fedora=38
Fedoraproject Fedora=39
Apple Ipad Os<17.2
Apple iPhone OS<17.2
Apple macOS>=14.0<14.2
Debian Debian Linux=10.0
Apple iOS<17.2
17.2
Apple iPadOS<17.2
17.2
Apple iPadOS<17.2

Remediation

Mitigation

In `/etc/bluetooth/input.conf` set `ClassicBondedOnly=true` and then `systemctl restart bluetooth`. Setting `ClassicBondedOnly=false` will re-enable legacy device support (like the PS3 controller) and the vulnerability.

Patch Available

https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675

Event History

Dec 4, 2023
CVE Published
via Android·12:00 AM
News Published
07:37 PM
Dec 6, 2023
News Published
08:47 PM
Dec 7, 2023
Data Sourced
via Red Hat·05:02 AM
DescriptionSeverityAffected Software
Dec 8, 2023
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Data Sourced
via NVD·06:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
Dec 11, 2023
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
Affected Software
Jan 12, 2024
Data Sourced
via Launchpad·05:19 AM
Description
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2023-45866?

CVE-2023-45866 is a vulnerability in the HID Profile of multiple Bluetooth host stacks that allows connections without MITM protection and user confirmation.

2

Which software products are affected by CVE-2023-45866?

CVE-2023-45866 affects Google Android, Apple iOS, Apple macOS, Android 4.2.2-10, Linux, and various versions of Ubuntu with the BlueZ package.

3

What is the severity of CVE-2023-45866?

CVE-2023-45866 has a severity level of critical with a severity value of 9.

4

How can I mitigate CVE-2023-45866 on Ubuntu?

To mitigate CVE-2023-45866 on Ubuntu, update the BlueZ package to version 5.37-0ubuntu5.3+ (for Ubuntu 18.04), version 5.48-0ubuntu3.9+ (for Ubuntu 20.04), version 5.53-0ubuntu3.7 (for Ubuntu 21.04), version 5.64-0ubuntu1.1 (for Ubuntu 23.10), or version 5.66-0ubuntu1.1 (for Ubuntu 24.04).

5

Where can I find more information about CVE-2023-45866?

You can find more information about CVE-2023-45866 in the Android Security Bulletin for December 2023, the GitHub repository 'skysafe/reblog', and the MITRE CVE database.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203