CVE-2023-2002: RCE flaw in the BT subsystem of the Linux kernel

A security vulnerability tracked as CVE-2023-2002 has been identified in the Linux kernel, posing a significant risk to systems that use Bluetooth. The flaw allows remote authenticated attackers to execute arbitrary management commands on the affected system by taking advantage of an insufficient permission check in the Bluetooth subsystem.

Unraveling the Exploit

The vulnerability stems from an insufficient permission check in the Bluetooth subsystem of the Linux kernel when handling ioctl system calls on HCI sockets. This oversight lets tasks without the CAP_NET_ADMIN capability mark HCI sockets as trusted, which in turn permits unauthorized execution of management commands. Exploitation requires only the presence of commonly installed setuid programs (e.g., su, sudo), which run with the required capability and may issue ioctl calls on the standard descriptors they inherit.

An attacker can exploit this vulnerability by sending a specially crafted request to the target system, thereby allowing them to execute arbitrary management commands. A proof-of-concept (PoC) exploit capable of changing the power state of Bluetooth devices has been made available on GitHub.

The Impact

Successful exploitation of CVE-2023-2002 can compromise the confidentiality, integrity, and availability of Bluetooth communication on the targeted system. Attackers can pair the controller with malicious devices even if the Bluetooth service is disabled or not installed. They can also prevent specific devices from pairing, or access sensitive information such as out-of-band (OOB) pairing data.

Affected Systems

The vulnerability has been present in the Linux kernel since version 4.9 and became exploitable after commit f81f5b2db869. Exploitation depends on the existence of setuid programs (more precisely, programs running with the CAP_NET_ADMIN capability) that invoke ioctl calls on stdin, stdout, or stderr. Notably, Android devices are unlikely to be affected, since they lack setuid programs and applications with the CAP_NET_ADMIN capability.

Mitigation Strategies

A patch addressing this vulnerability has been submitted to the linux-bluetooth mailing list. The patch replaces the capable() check with sk_capable(), which checks the capabilities of the task that opened the socket in addition to those of the current task. Another proposed patch aims to harden the ioctl processing logic.

As a temporary workaround, users can block Bluetooth devices using rfkill, preventing them from being powered up and significantly reducing the vulnerability’s impact.

To avoid similar vulnerabilities in the future, both the Linux kernel and userspace setuid programs should be hardened. For instance, the kernel could add capability checks at more points, while privileged setuid programs should treat inherited file descriptors as untrusted and drop privileges before invoking system calls on them.

Protect your system

CVE-2023-2002 is a critical security vulnerability that exposes Linux systems with Bluetooth communication to potential attacks. Users are urged to apply the available patches and implement recommended mitigation strategies to safeguard their systems against exploitation. Developers should also focus on hardening the Linux kernel and setuid programs to prevent similar vulnerabilities in the future.