
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2023-2002) was discovered in the HCI socket implementation of the Linux kernel's Bluetooth subsystem, specifically a missing capability check in net/bluetooth/hci_sock.c. The vulnerability was discovered by Ruihan Li and disclosed on April 16, 2023. This flaw affects Linux kernel versions prior to 6.4 and became exploitable after commit f81f5b2db869 (introduced in kernel v4.9) (Openwall OSS).
The vulnerability stems from an insufficient permission check in the Bluetooth subsystem when handling ioctl system calls on HCI sockets. The implementation only verifies the CAP_NET_ADMIN capability of the calling task, not of the task that opened the socket. This allows a task without CAP_NET_ADMIN to have an HCI socket marked as trusted, which in turn enables sending and receiving management commands and events. Exploitation requires only a commonly used setuid program (e.g., su or sudo) and can be triggered through tty-parameter ioctl calls issued on an HCI socket (Openwall OSS).
When successfully exploited, this vulnerability can compromise the confidentiality, integrity, and availability of Bluetooth communication. An attacker can use it to pair the controller with malicious devices (even if the Bluetooth service is disabled), prevent specific devices from being paired, or read sensitive information such as OOB data (Openwall OSS).
A patch has been developed that replaces capable() with sk_capable(), which checks both the current task and the socket opener for the required capability. Additionally, another patch hardens the ioctl processing logic by checking command validity at the start of hci_sock_ioctl(). As a workaround, if Bluetooth devices are not being used, they can be blocked using rfkill to prevent them from being powered up, which significantly reduces the vulnerability's impact (Openwall OSS).
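The following script is an added example, not part of this database entry or of the kernel patch, for checking whether a host still relies on the rfkill workaround described above. It assumes only what the entry states: the mainline fix landed in 6.4, and blocking Bluetooth with rfkill keeps the devices from being powered up. Distributions backport fixes to older kernels, so a version below 6.4 means "consult the distribution advisory", not "definitely vulnerable". The `rfkill list` samples embedded below are constructed for the test; the function names `kernel_has_mainline_fix`, `bluetooth_is_blocked` and `report` are this example's own.

```shell
#!/bin/sh
# Added example: assess exposure to CVE-2023-2002 on a host.
# Assumes the mainline fix is in kernel 6.4 (per the entry); distro backports
# are not detected here, so an older version only means "check your advisory".

# Returns 0 when a "major.minor[.patch-extra]" version string is >= 6.4.
kernel_has_mainline_fix() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 4 ]; }
}

# Returns 0 when the given `rfkill list` text contains no Bluetooth device
# that is both soft- and hard-unblocked (i.e. the workaround is in effect,
# or there is no Bluetooth device at all).
bluetooth_is_blocked() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+: / {
            # finish the previous device before starting the next one
            if (bt && soft == "no" && hard == "no") open++
            bt = ($0 ~ /[Bb]luetooth/); soft = ""; hard = ""
            next
        }
        bt && /Soft blocked:/ { soft = $3 }
        bt && /Hard blocked:/ { hard = $3 }
        END {
            if (bt && soft == "no" && hard == "no") open++
            exit (open > 0)
        }'
}

# Constructed sample outputs in the format of `rfkill list` (not captured
# from a real host): one with Bluetooth soft-blocked, one left open.
SAMPLE_BLOCKED='0: hci0: Bluetooth
        Soft blocked: yes
        Hard blocked: no
1: phy0: Wireless LAN
        Soft blocked: no
        Hard blocked: no'

SAMPLE_OPEN='0: hci0: Bluetooth
        Soft blocked: no
        Hard blocked: no
1: phy0: Wireless LAN
        Soft blocked: yes
        Hard blocked: no'

# Live check of the running host: kernel version plus rfkill state.
report() {
    kv=$(uname -r)
    if kernel_has_mainline_fix "$kv"; then
        echo "kernel $kv: at or above 6.4, mainline fix present"
    else
        echo "kernel $kv: below 6.4, check the distribution advisory for a backport"
    fi
    if command -v rfkill >/dev/null 2>&1; then
        if bluetooth_is_blocked "$(rfkill list)"; then
            echo "rfkill: no unblocked Bluetooth device (workaround in place)"
        else
            echo "rfkill: an unblocked Bluetooth device is present; 'rfkill block bluetooth' applies the workaround"
        fi
    else
        echo "rfkill not installed; workaround state not checked"
    fi
}

# Run the live report only when invoked as: sh check-cve-2023-2002.sh --run
if [ "${1:-}" = "--run" ]; then
    report
fi
```

The version check is deliberately conservative: it only recognises the mainline fix, so on a distribution kernel the advisory for that distribution is the authoritative source. The rfkill parser treats a host with no Bluetooth device as not exposed through this path, since there is nothing to power up.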
Source: This report was generated using AI