Sources

https://www.tenable.com/cve/CVE-2023-45866

Risks

A critical vulnerability was discovered affecting Bluetooth in macOS, iOS, Android and Linux. It has severe impact on confidentiality, integrity, and availability.

Apple released patches for iOS, iPadOS and macOS. The vulnerability can only be exploited if an Apple Magic keyboard is paired via Bluetooth. Lockdown mode, an optional protection setting in Apple products, claiming to protect against highly sophisticated digital threats, is affected by CVE-2023-45866.

Android patches for OS versions 11 through 14 have been released and sent to the manufacturers of smartphones and tablets based on the Android OS. The only requirement for Android devices to be affected by tCVE-2023-45866 is to have Bluetooth enabled.

Linux Bluetooth stack “BlueZ”, included in the official Linux kernel, has a patch available. The requirement for a Linux device using the “BlueZ” Bluetooth stack to be vulnerable, is to be discoverable and connectable through Bluetooth.

CVE-2023-45866 is not reported to be exploited in the wild at the time of writing. Exploitation nonetheless is highly likely once more information about the vulnerability is released including proof-of-concept scripts.

Recommended Actions

The Centre for Cyber security Belgium strongly recommends updating all affected devices to the latest available software version.
For Android devices: disabling Bluetooth when not in use, is advised until vendor patches become available.

References

https://github.com/skysafe/reblog/tree/main/cve-2023-45866
https://www.tenable.com/cve/CVE-2023-45866
https://support.apple.com/en-us/HT214036
https://support.apple.com/en-us/HT214035