BlueZ Audio Profile AVRCP Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19908.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-9413 advisory.

    [5.72-2]
    - Bump release to rebuild for RHEL-9.5

    [5.72-1]
    - Update to 5.72

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:9413 advisory.

    The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach,     hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.

    Security Fix(es):

    * bluez: unauthorized HID device connections allows keystroke injection and arbitrary commands execution     (CVE-2023-45866)

    * BlueZ: Audio Profile AVRCP Improper Validation of Array Index Remote Code Execution Vulnerability     (CVE-2023-27349)

    * bluez: phone book access profile heap-based buffer overflow remote code execution vulnerability     (CVE-2023-51596)

    * bluez: OBEX library out-of-bounds read information disclosure vulnerability (CVE-2023-51594)

    * bluez: audio profile avrcp parse_media_folder out-of-bounds read information disclosure vulnerability     (CVE-2023-51592)

    * bluez: audio profile avrcp parse_media_element out-of-bounds read information disclosure vulnerability     (CVE-2023-51589)

    * bluez: avrcp_parse_attribute_list out-of-bounds read information disclosure vulnerability     (CVE-2023-51580)

    * bluez: AVRCP stack-based buffer overflow remote code execution vulnerability (CVE-2023-44431)

    * bluez: phone book access profile heap-based buffer overflow remote code execution vulnerability     (CVE-2023-50230)

    * bluez: phone book access profile heap-based buffer overflow remote code execution vulnerability     (CVE-2023-50229)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.5 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3879 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3879-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                          Adrian Bunk     September 07, 2024                            https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : bluez     Version        : 5.55-3.1+deb11u2     CVE ID         : CVE-2021-3658 CVE-2021-41229 CVE-2021-43400 CVE-2022-0204                      CVE-2022-39176 CVE-2022-39177 CVE-2023-27349 CVE-2023-50229                      CVE-2023-50230     Debian Bug     : 991596 998626 1000262 1003712

    Multiple vulnerabilities have been fixed in bluez library, tools and     daemons for using Bluetooth devices.

    CVE-2021-3658

        adapter: Fix storing discoverable setting

    CVE-2021-41229

        Memory leak in the SDP protocol

    CVE-2021-43400

        Use-after-free on client disconnect

    CVE-2022-0204

        GATT heap overflow

    CVE-2022-39176

        Proximate attackers could obtain sensitive information

    CVE-2022-39177

        Proximate attackers could cause denial of service

    CVE-2023-27349

        AVRCP crash while handling unsupported events

    CVE-2023-50229

        Phone Book Access profile Heap-based Buffer Overflow

    CVE-2023-50230

        Phone Book Access profile Heap-based Buffer Overflow

    For Debian 11 bullseye, these problems have been fixed in version     5.55-3.1+deb11u2.

    We recommend that you upgrade your bluez packages.

    For the detailed security status of bluez please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/bluez

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the bluez package has been released.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6809-1 advisory.

    It was discovered that BlueZ could be made to dereference invalid memory. An attacker could possibly use     this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-3563)

    It was discovered that BlueZ could be made to write out of bounds. If a user were tricked into connecting     to a malicious device, an attacker could possibly use this issue to cause a denial of service or execute     arbitrary code. (CVE-2023-27349)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3820 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3820-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/              Arturo Borrero Gonzalez     May 25, 2024                                  https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : bluez     Version        : 5.50-1.2~deb10u5     CVE ID         : CVE-2023-27349

    An problem has been fixed with the handling of the AVRCP protocol in the bluetooth     stack that could lead to remote code execution.

    For Debian 10 buster, this problem has been fixed in version     5.50-1.2~deb10u5.

    We recommend that you upgrade your bluez packages.

    For the detailed security status of bluez please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/bluez

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:2605-1 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED12 / SLED_SAP12 / SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:2562-1 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:2545-1 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:2546-1 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:2533-1 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
211539	Oracle Linux 9 : bluez (ELSA-2024-9413)	Nessus	Oracle Linux Local Security Checks	medium
210817	RHEL 9 : bluez (RHSA-2024:9413)	Nessus	Red Hat Local Security Checks	medium
206762	Debian dla-3879 : bluetooth - security update	Nessus	Debian Local Security Checks	critical
204461	Photon OS 5.0: Bluez PHSA-2023-5.0-0006	Nessus	PhotonOS Local Security Checks	high
203508	Photon OS 4.0: Bluez PHSA-2023-4.0-0392	Nessus	PhotonOS Local Security Checks	high
200132	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : BlueZ vulnerabilities (USN-6809-1)	Nessus	Ubuntu Local Security Checks	medium
197925	Debian dla-3820 : bluetooth - security update	Nessus	Debian Local Security Checks	high
196471	RHEL 6 : bluez (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	high
177555	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : bluez (SUSE-SU-2023:2605-1)	Nessus	SuSE Local Security Checks	high
177487	SUSE SLED12 / SLES12 Security Update : bluez (SUSE-SU-2023:2562-1)	Nessus	SuSE Local Security Checks	high
177446	SUSE SLES15 Security Update : bluez (SUSE-SU-2023:2545-1)	Nessus	SuSE Local Security Checks	high
177443	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : bluez (SUSE-SU-2023:2546-1)	Nessus	SuSE Local Security Checks	high
177436	SUSE SLES15 Security Update : bluez (SUSE-SU-2023:2533-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2023-27349

high

Tenable Plugins

medium

medium

critical

high

high

medium

high

high

high

high

high

high

high