Permissions, Privileges, and Access Controls in BlueZ - CVE-2018-10910

 


Published: December 2, 2019


Vulnerability identifier: #VU23113
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-10910
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: BlueZ Project
Affected software: BlueZ

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists in BlueZ due to an error that may allow an attacker to turn on the Bluetooth Discoverable state when no Bluetooth agent is registered with the system. A remote attacker with physical proximity to the device can remotely turn on the Bluetooth agent and access the device without authorization in some cases.


How to mitigate CVE-2018-10910

Install updates from the vendor's website.
