CVE-2023-45866: 
NixOS vulnerability analysis and mitigation

CVE-2023-45866 is a vulnerability in Bluetooth HID Hosts within BlueZ that allows an unauthenticated Peripheral role HID Device to establish an encrypted connection and inject keystrokes without user authorization. The vulnerability was discovered by Marc Newlin of SkySafe and affects multiple operating systems including Android, Linux, macOS, and iOS. The issue was publicly disclosed in December 2023 (SkySafe Blog).

The vulnerability exploits a flaw in the Bluetooth host state-machine that allows pairing with a fake keyboard without user confirmation. The issue stems from BlueZ's HID profile implementation not being inline with the HID specification which mandates the use of Security Mode 4. The vulnerability has a CVSS v3.1 base score of 6.3 (Medium) with vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (NVD).

An attacker within Bluetooth range can connect to vulnerable devices and inject keystrokes to perform arbitrary actions, such as installing apps, running commands, or forwarding messages. The attack is possible when Bluetooth is enabled on Android devices, when Linux/BlueZ systems are discoverable/connectable, or when iOS and macOS devices have a Magic Keyboard paired (SkySafe Blog).

The vulnerability has been patched in multiple systems: BlueZ has enabled the ClassicBondedOnly setting by default, Android has released security patches for versions 11-14 in the December 2023 update, Apple has fixed it in iOS 17.2 and macOS Sonoma 14.2, and various Linux distributions have released updates. For Linux systems, setting ClassicBondedOnly=true in /etc/bluetooth/input.conf and restarting the bluetooth service provides mitigation (Ubuntu Security, Apple Security).