| Name | CVE-2024-8805 |
| Description | BlueZ HID over GATT Profile Improper Access Control Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the HID over GATT Profile. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25177. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| bluez (PTS) | jessie, jessie (lts) | 5.43-2+deb9u2~deb8u6 | vulnerable |
| linux (PTS) | jessie, jessie (lts) | 3.16.84-1 | vulnerable |
| stretch (security) | 4.9.320-2 | vulnerable |
| stretch (lts), stretch | 4.9.320-3 | vulnerable |
| buster (security), buster, buster (lts) | 4.19.316-1 | vulnerable |
| bullseye | 5.10.223-1 | vulnerable |
| bullseye (security) | 5.10.226-1 | vulnerable |
| bookworm | 6.1.115-1 | fixed |
| bookworm (security) | 6.1.119-1 | fixed |
| trixie | 6.12.5-1 | fixed |
| sid | 6.12.6-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| bluez | source | jessie | (unfixed) | end-of-life | | |
| linux | source | jessie | (unfixed) | end-of-life | | |
| linux | source | stretch | (unfixed) | end-of-life | | |
| linux | source | buster | (unfixed) | end-of-life | | |
| linux | source | bookworm | 6.1.115-1 | | | |
| linux | source | (unstable) | 6.11.4-1 | | | |
Notes
https://www.zerodayinitiative.com/advisories/ZDI-24-1229/
https://git.kernel.org/linus/b25e11f978b63cb7857890edb3a698599cddb10e (6.12-rc2)
CVE-2024-8805 likely to be rejected as Linux kernel CNA assigned later CVE-2024-53144
[buster] - bluez <postponed> (patch looks unrelated, not fixed in unstable, follow bullseye/bookworm)
[stretch] - bluez <postponed> (patch looks unrelated, not fixed in unstable, follow bullseye/bookworm)