Comment 6 for bug 2045931

Mark Esler (eslerm) wrote (last edit ):

Hello all o/

This is intentional. And easy to reverse.

The patch for CVE-2023-45866 works as intended and is not a regression.
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675

If ClassicBondedOnly is not enforced, a nearby attacker can create an HID (like a keyboard and mouse) on the victim's PC when Bluetooth is discoverable. An HID can be used as a keylogger or, of course, give direct control of the session. The CVE reporter has discussed this further on https://github.com/skysafe/reblog/tree/main/cve-2023-45866, and a talk and PoC release are forthcoming.

Fortunately, it is easy to enable legacy devices by setting `ClassicBondedOnly=false` in `/etc/bluetooth/input.conf`, and then running `systemctl restart bluetooth`. I verified that a PS3 controller works well after this :)

The fix will be included in the next BlueZ release. All distros *should* be fixing this CVE. I would love it if bloggers in the Linux gaming sphere could raise awareness about this CVE and share how to enable legacy Bluetooth device support.
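As an added example (not part of the bug report and not BlueZ's own code): a small POSIX shell check that reports whether ClassicBondedOnly has been disabled in an input.conf, so an administrator who applied the workaround above for a legacy controller can later confirm the setting is back to the hardened default. It assumes the key lives in the `[General]` section of input.conf, as in the file BlueZ ships, and that an absent file or key means the patched default of `true`. The sample config files are constructed inline for the demonstration.

```sh
#!/bin/sh
# Added example, not from the bug report or from BlueZ: audit the
# ClassicBondedOnly setting that the CVE-2023-45866 fix enforces.

# Print the effective ClassicBondedOnly state for one input.conf path.
# Output is "enforced", "disabled", or "unknown:<value>".
classic_bonded_only_state() {
    conf="$1"
    # Assumption (from the comment above): the patched default is true, so a
    # missing file or a missing key means the protection is enforced.
    [ -f "$conf" ] || { echo enforced; return 0; }
    # Take the last uncommented ClassicBondedOnly line inside [General];
    # commented-out lines (#ClassicBondedOnly=...) and other sections are ignored.
    val=$(sed -n '/^[[:space:]]*\[General\]/,/^[[:space:]]*\[/{
            s/^[[:space:]]*ClassicBondedOnly[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p
        }' "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        ""|true) echo enforced ;;
        false)   echo disabled ;;
        *)       echo "unknown:$val" ;;
    esac
}

# Constructed sample configs (not real system files) to exercise the check.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
[General]
# A commented-out line must not count
#ClassicBondedOnly=false
ClassicBondedOnly=true
EOF
cat > "$SAMPLE_DIR/legacy.conf" <<'EOF'
[General]
ClassicBondedOnly=false   # workaround for a legacy controller
EOF
cat > "$SAMPLE_DIR/other_section.conf" <<'EOF'
[Other]
ClassicBondedOnly=false
[General]
IdleTimeout=30
EOF

# Report each sample; on a real host run it against /etc/bluetooth/input.conf.
for f in hardened legacy other_section missing; do
    printf '%s: %s\n' "$f" "$(classic_bonded_only_state "$SAMPLE_DIR/$f.conf")"
done
```

On a live system, `classic_bonded_only_state /etc/bluetooth/input.conf` printing `disabled` means the legacy-device workaround is still in place and unauthenticated HID devices can connect; remove or flip the line and restart the bluetooth service as described above to restore the fix.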