ID CVE-2018-10910
Summary A bug in BlueZ may allow the Bluetooth Discoverable state to be set to on when no Bluetooth agent is registered with the system. This situation could lead to the unauthorized pairing of certain Bluetooth devices without any form of authentication. Versions before bluez 5.51 are vulnerable.
References
Vulnerable Configurations
  • cpe:2.3:a:bluez:bluez:5.41:*:*:*:*:*:*:*
  • cpe:2.3:a:bluez:bluez:5.42:*:*:*:*:*:*:*
  • cpe:2.3:a:bluez:bluez:5.45:*:*:*:*:*:*:*
  • cpe:2.3:a:bluez:bluez:5.46:*:*:*:*:*:*:*
  • cpe:2.3:a:bluez:bluez:5.47:*:*:*:*:*:*:*
  • cpe:2.3:a:bluez:bluez:5.48:*:*:*:*:*:*:*
  • cpe:2.3:a:bluez:bluez:5.49:*:*:*:*:*:*:*
  • cpe:2.3:a:bluez:bluez:5.50:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
CVSS
Base: 2.1 (as of 09-10-2019 - 23:33)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: NONE
  Availability: NONE
cvss-vector via4 AV:L/AC:L/Au:N/C:P/I:N/A:N
redhat via4
advisories
  • bugzilla
    id 1606203
    title CVE-2018-10910 bluez: failure in disabling Bluetooth discoverability in certain cases may lead to the unauthorized pairing of Bluetooth devices
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment bluez is earlier than 0:5.44-6.el7
            oval oval:com.redhat.rhsa:tst:20201101001
          • comment bluez is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20172685002
        • AND
          • comment bluez-cups is earlier than 0:5.44-6.el7
            oval oval:com.redhat.rhsa:tst:20201101003
          • comment bluez-cups is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20172685008
        • AND
          • comment bluez-hid2hci is earlier than 0:5.44-6.el7
            oval oval:com.redhat.rhsa:tst:20201101005
          • comment bluez-hid2hci is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20172685019
        • AND
          • comment bluez-libs is earlier than 0:5.44-6.el7
            oval oval:com.redhat.rhsa:tst:20201101007
          • comment bluez-libs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20172685012
        • AND
          • comment bluez-libs-devel is earlier than 0:5.44-6.el7
            oval oval:com.redhat.rhsa:tst:20201101009
          • comment bluez-libs-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20172685014
    rhsa
    id RHSA-2020:1101
    released 2020-03-31
    severity Low
    title RHSA-2020:1101: bluez security update (Low)
  • bugzilla
    id 1606203
    title CVE-2018-10910 bluez: failure in disabling Bluetooth discoverability in certain cases may lead to the unauthorized pairing of Bluetooth devices
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 8 is installed
        oval oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment bluez is earlier than 0:5.50-3.el8
            oval oval:com.redhat.rhsa:tst:20201912001
          • comment bluez is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20172685002
        • AND
          • comment bluez-cups is earlier than 0:5.50-3.el8
            oval oval:com.redhat.rhsa:tst:20201912003
          • comment bluez-cups is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20172685008
        • AND
          • comment bluez-debugsource is earlier than 0:5.50-3.el8
            oval oval:com.redhat.rhsa:tst:20201912005
          • comment bluez-debugsource is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20201912006
        • AND
          • comment bluez-hid2hci is earlier than 0:5.50-3.el8
            oval oval:com.redhat.rhsa:tst:20201912007
          • comment bluez-hid2hci is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20172685019
        • AND
          • comment bluez-libs is earlier than 0:5.50-3.el8
            oval oval:com.redhat.rhsa:tst:20201912009
          • comment bluez-libs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20172685012
        • AND
          • comment bluez-libs-devel is earlier than 0:5.50-3.el8
            oval oval:com.redhat.rhsa:tst:20201912011
          • comment bluez-libs-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20172685014
        • AND
          • comment bluez-obexd is earlier than 0:5.50-3.el8
            oval oval:com.redhat.rhsa:tst:20201912013
          • comment bluez-obexd is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20201912014
    rhsa
    id RHSA-2020:1912
    released 2020-04-28
    severity Low
    title RHSA-2020:1912: bluez security update (Low)
rpms
  • bluez-0:5.44-6.el7
  • bluez-cups-0:5.44-6.el7
  • bluez-debuginfo-0:5.44-6.el7
  • bluez-hid2hci-0:5.44-6.el7
  • bluez-libs-0:5.44-6.el7
  • bluez-libs-devel-0:5.44-6.el7
  • bluez-0:5.50-3.el8
  • bluez-cups-0:5.50-3.el8
  • bluez-cups-debuginfo-0:5.50-3.el8
  • bluez-debuginfo-0:5.50-3.el8
  • bluez-debugsource-0:5.50-3.el8
  • bluez-hid2hci-0:5.50-3.el8
  • bluez-hid2hci-debuginfo-0:5.50-3.el8
  • bluez-libs-0:5.50-3.el8
  • bluez-libs-debuginfo-0:5.50-3.el8
  • bluez-libs-devel-0:5.50-3.el8
  • bluez-obexd-0:5.50-3.el8
  • bluez-obexd-debuginfo-0:5.50-3.el8
refmap via4
confirm https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10910
ubuntu USN-3856-1
Last major update 09-10-2019 - 23:33
Published 28-01-2019 - 15:29
Last modified 09-10-2019 - 23:33