Information disclosure in Apple Magic Keyboard Firmware
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-0230 |
| CWE-ID | CWE-312 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Magic Keyboard Firmware Hardware solutions / Firmware |
| Vendor |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Cleartext storage of sensitive information
EUVDB-ID: #VU85311
Risk: Low
CVSSv3.1: 2.1 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0230
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows an attacker to gain access to sensitive information.
The vulnerability exists due to the way Bluetooth pairing key is stored on the device. An attacker with physical access to the accessory can extract its Bluetooth pairing key and monitor Bluetooth traffic.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMagic Keyboard Firmware: before 2.0.6
External linkshttp://support.apple.com/en-us/HT214050
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
