CVE-2023-45866 is a security vulnerability identified in the BlueZ Bluetooth stack, which is the official Linux Bluetooth protocol stack widely used in many Linux distributions, including Ubuntu 22.04 LTS. The vulnerability specifically targets Bluetooth Human Interface Device (HID) Hosts. It allows an unauthenticated peripheral device acting as an HID keyboard to initiate and establish an encrypted Bluetooth connection with the central device (the host) without requiring any user interaction or explicit authorization. Once connected, the malicious peripheral can inject arbitrary HID keyboard reports, effectively simulating keystrokes on the host system. This unauthorized input injection can lead to various attack scenarios, including command execution, privilege escalation, or data exfiltration, depending on the victim system's configuration and security posture. The affected BlueZ version example is 5.64-0ubuntu1, but other versions may also be vulnerable. The vulnerability is notable because it bypasses the normal user consent or authentication mechanisms typically required for Bluetooth HID connections. Some mitigations from a previous vulnerability, CVE-2020-0556, may partially address this issue if already applied. However, the new vulnerability remains a significant risk due to the lack of user interaction requirement and the ability to inject input at the HID level. No public exploits have been reported yet, but the potential impact warrants urgent attention. The vulnerability affects the confidentiality and integrity of affected systems by allowing unauthorized input injection, which can compromise system control and data security.

For European organizations, this vulnerability poses a significant risk, especially for those relying on Linux-based systems with Bluetooth HID devices, such as keyboards and mice. The ability for an unauthenticated device to inject keystrokes can lead to unauthorized command execution, installation of malware, or data theft without user awareness. Critical infrastructure, government agencies, and enterprises using Ubuntu 22.04 LTS or similar Linux distributions with BlueZ 5.64 or vulnerable versions are particularly at risk. The attack does not require user interaction, increasing the likelihood of stealthy exploitation. This could disrupt operations, compromise sensitive data, and lead to broader network infiltration if attackers leverage injected commands to pivot internally. The impact extends to any Bluetooth-enabled device running the vulnerable BlueZ stack, including IoT devices and embedded systems used in industrial environments. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the potential severity if exploited. Organizations with strict compliance requirements around data integrity and confidentiality must prioritize mitigation to avoid regulatory and reputational damage.

1. Immediately update BlueZ to the latest patched version provided by your Linux distribution vendor, ensuring the vulnerability is addressed. 2. If updates are not immediately available, consider disabling Bluetooth HID profiles or Bluetooth functionality entirely on systems where it is not required. 3. Enforce strict Bluetooth device pairing policies, including manual authorization and user confirmation for all new HID device connections. 4. Implement endpoint security solutions capable of detecting anomalous HID input patterns that may indicate injection attacks. 5. Regularly audit Bluetooth device connections and logs to identify unauthorized or suspicious devices. 6. For critical systems, consider network segmentation to isolate Bluetooth-enabled devices from sensitive network segments. 7. Educate users about the risks of unauthorized Bluetooth devices and encourage reporting of unexpected device behavior. 8. Monitor vendor advisories and CVE databases for updates or exploit reports related to this vulnerability. 9. Apply mitigations from CVE-2020-0556 if not already in place, as they may reduce exposure. 10. Consider disabling automatic Bluetooth device trust or pairing features that bypass user interaction.