Описание
Mitre: CVE-2023-24023 Bluetooth Vulnerability
Microsoft is aware of the Bluetooth Forward and Future Secrecy Attacks and Defenses (BLUFFS) vulnerability. For more information regarding the vulnerability, please see this statement from the Bluetooth SIG.
To address the vulnerability, Microsoft has released a software update that enforces the use of BR/EDR Secure Connections defined encryption and authentication algorithms for Bluetooth pairings that have used BR/EDR Secure Connections. If a paired device used BR/EDR Secure Connection at some point, Windows will enforce all subsequent BR/EDR connections to use BR/EDR Secure Connections.
As defined by the BR/EDR Secure Connections protocol, the new BR/EDR Secure Connections algorithms will only be used when the local system and the remote paired device both support BR/EDR Secure Connections. Connections between the local system and the remote paired device will remain vulnerable if either the local system or the remote paired device never declare support for BR/EDR Secure Connections during encryption or authentication..
Additionally, it is advised to increase the minimum encryption key size as described in Windows guidance for Bluetooth key length enforcement. Increasing the minimum encryption key size does not require support for BR/EDR Secure Connections.
FAQ
Why is the MITRE Corporation the assigning CNA (CVE Numbering Authority)?
CVE-2023-24023 is regarding a vulnerability reported to the Bluetooth Special Interest Group (Bluetooth SIG). MITRE assigned this CVE number on behalf of the Bluetooth organization https://www.bluetooth.com/about-us/vision/.
For more information, please see this statement from the Bluetooth SIG.
Обновления
| Продукт | Статья | Обновление |
|---|---|---|
| Windows 10 Version 1809 for 32-bit Systems | ||
| Windows 10 Version 1809 for x64-based Systems | ||
| Windows 10 Version 1809 for ARM64-based Systems | ||
| Windows Server 2019 | ||
| Windows Server 2019 (Server Core installation) | ||
| Windows Server 2022 | ||
| Windows Server 2022 (Server Core installation) | ||
| Windows 11 version 21H2 for x64-based Systems | ||
| Windows 11 version 21H2 for ARM64-based Systems | ||
| Windows 10 Version 21H2 for 32-bit Systems |
Показывать по
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
DOS
EPSS
Связанные уязвимости
Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.
Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.
Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.
Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connect ...
Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.
EPSS