
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-0556 is a security vulnerability discovered in BlueZ, affecting versions before 5.54. The vulnerability was disclosed on March 12, 2020, and involves improper access control in the BlueZ subsystem. The issue affects multiple Linux distributions that use the BlueZ Bluetooth protocol stack, including Ubuntu, Debian, and openSUSE (NVD, Ubuntu Security).
The vulnerability stems from improper access control in BlueZ's HID (Human Interface Device) and HOGP (HID over GATT Profile) implementations, which did not specifically require bonding between the device and the host. The severity is rated as HIGH with a CVSS v3.1 base score of 7.1 (AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L). The vulnerability requires adjacent access for exploitation (NVD, Debian Security).
The vulnerability allows an unauthenticated user with adjacent access to potentially enable escalation of privilege and cause denial of service. Malicious devices can connect to a target host and impersonate an existing HID device without security, or cause SDP or GATT service discovery to take place, allowing HID reports to be injected into the input subsystem from a non-bonded source (Debian LTS, Gentoo Security).
The vulnerability was fixed in BlueZ version 5.54 by introducing a new configuration option called 'ClassicBondedOnly' for the HID profile. When enabled, this option ensures that input connections only come from bonded device connections. The option defaults to 'false' to maximize device compatibility. Users are advised to upgrade their BlueZ packages to version 5.54 or later (Debian Security, Gentoo Security).
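Because the option defaults to 'false', a host on 5.54 or later still accepts input connections from non-bonded devices until the setting is changed. The following check is an added example, not code from BlueZ or from the advisories cited here. It assumes the option lives in the `[General]` section of the input plugin's `input.conf` (commonly `/etc/bluetooth/input.conf`) and that the version string comes from the package manager or `bluetoothd --version`; the sample inputs are constructed.

```python
import configparser
import re

FIXED_VERSION = (5, 54)  # first fixed upstream release, per the advisory

# Constructed sample inputs (not taken from any real host).
SAMPLE_DEFAULT = """[General]
#IdleTimeout=30
#ClassicBondedOnly=false
"""
SAMPLE_HARDENED = """[General]
ClassicBondedOnly=true
"""

def parse_version(text):
    """Return (major, minor) from a string such as '5.53' or 'bluetoothd 5.53'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no BlueZ version found in {text!r}")
    return int(m.group(1)), int(m.group(2))

def classic_bonded_only(conf_text):
    """Effective ClassicBondedOnly value; missing or commented out means false."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written
    try:
        cp.read_string(conf_text)
        value = cp.get("General", "ClassicBondedOnly")
    except configparser.Error:
        return False
    return value.strip() in ("true", "1")

def audit(version_text, conf_text):
    """Return a list of findings; an empty list means no action is needed."""
    # Upstream version only: a distribution may backport the fix to an older number.
    if parse_version(version_text) < FIXED_VERSION:
        return ["upgrade: BlueZ is older than 5.54"]
    if not classic_bonded_only(conf_text):
        return ["harden: set ClassicBondedOnly=true under [General] in input.conf"]
    return []

if __name__ == "__main__":
    for ver, conf in (("5.53", SAMPLE_DEFAULT), ("5.54", SAMPLE_DEFAULT), ("5.54", SAMPLE_HARDENED)):
        print(ver, audit(ver, conf) or "ok")
```

Enabling the option can stop classic HID devices that were never bonded from connecting, which is the compatibility trade-off behind the default.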
Source: This report was generated using AI