The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Bluez: character injections via hidd

Synthesis of the vulnerability 

An attacker within Bluetooth radio range can inject keyboard or mouse events into hidd.
Vulnerable software: Mandriva Linux, RHEL, Unix (platform) ~ not comprehensive.
Severity of this announcement: 2/4.
Creation date: 16/01/2007.
References for this computer vulnerability: BID-22076, CVE-2006-6899, MDKSA-2007:014, RHSA-2007:0065-01, VIGILANCE-VUL-6469.

Description of the vulnerability 

The HID (Human Interface Device) protocol is used by Bluetooth mice and keyboards. The hidd daemon of the BlueZ suite implements this protocol and, in server mode, accepts incoming HID connections.

However, this implementation accepts new devices without authentication: an incoming HID connection is not checked against the set of known (paired) devices before its input is delivered to the system.

An attacker in radio range can thus present a second keyboard, which the system accepts as a legitimate input device, and type commands into any shell or session the local user has open.

This computer vulnerability bulletin impacts software or systems such as Mandriva Linux, RHEL, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is medium.

Trust level: confirmed by the editor. Attack origin: radio connection (Bluetooth).

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skill can exploit this vulnerability.

Solutions for this threat 

Bluez: version 2.25.
Version 2.25 is fixed:
  http://www.bluez.org/

Mandriva: new bluez-utils packages.
New packages are available:
 
 Mandriva Linux 2006.0:
 3e4cef35413fb07be1bf17be76e82ab0 2006.0/i586/bluez-utils-2.19-7.1.20060mdk.i586.rpm
 71fe8899bacb7cf75482f3deced101c4 2006.0/i586/bluez-utils-cups-2.19-7.1.20060mdk.i586.rpm
 4d4e9c474520e55710458666c1624c24 2006.0/SRPMS/bluez-utils-2.19-7.1.20060mdk.src.rpm
 Mandriva Linux 2006.0/X86_64:
 cf217ff41df2f2abd65b86c12c15177a 2006.0/x86_64/bluez-utils-2.19-7.1.20060mdk.x86_64.rpm
 26b6a142c00e22cb4fcb737f724b0bc1 2006.0/x86_64/bluez-utils-cups-2.19-7.1.20060mdk.x86_64.rpm
 4d4e9c474520e55710458666c1624c24 2006.0/SRPMS/bluez-utils-2.19-7.1.20060mdk.src.rpm

RHEL 4: new bluez-utils packages.
New packages are available:
Red Hat Enterprise Linux version 4: bluez-utils-2.10-2.2
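As an added example (not BlueZ, Mandriva, Red Hat or Vigil@nce code), the following script decides whether a host is exposed to this vulnerability from two facts a practitioner can collect: the installed bluez-utils version-release (rpm -q --qf '%{VERSION}-%{RELEASE}' bluez-utils) compared against the fixed versions listed in the Solutions section above, and whether hidd is running in server mode (hidd --server), i.e. accepting incoming HID connections. The version comparison is a simplified rpmvercmp: the platform names, the sample rpm and ps output, and the assess() verdict strings are assumptions chosen for this example.

```python
"""Exposure check for the BlueZ hidd unauthenticated HID device issue.

Added example, not code from BlueZ or the bulletin's editor. The fixed
version-release strings are copied from the bulletin's Solutions section;
platform keys, sample inputs and verdict strings are this example's own.
"""
import re

# Fixed bluez-utils version-release per platform, from the Solutions section.
FIXED = {
    "upstream": "2.25",
    "mandriva-2006.0": "2.19-7.1.20060mdk",
    "rhel-4": "2.10-2.2",
}

# A version string is split into runs of digits and runs of letters.
_SEG = re.compile(r"\d+|[A-Za-z]+")


def vercmp(a, b):
    """Simplified rpmvercmp: numeric segments compare as integers, a numeric
    segment outranks an alphabetic one, and on a tie the longer string wins.
    Returns 1 if a is newer, -1 if older, 0 if equal."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare 'version[-release]' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return vercmp(va, vb) or vercmp(ra, rb)


def is_fixed(platform, installed):
    """True if the installed version-release is at or above the fix for platform."""
    return evr_cmp(installed, FIXED[platform]) >= 0


def hidd_server_running(ps_output):
    """True if any process line shows hidd started with --server, the mode in
    which it accepts incoming HID connections (the exposed configuration)."""
    return any(re.search(r"\bhidd\b.*--server\b", line) for line in ps_output.splitlines())


def assess(platform, installed, ps_output):
    """Combine version and process state into a verdict (strings are this
    example's own): 'patched', 'vulnerable' (unpatched and hidd listening) or
    'unpatched-not-listening' (update still required, but no HID server up)."""
    if is_fixed(platform, installed):
        return "patched"
    if hidd_server_running(ps_output):
        return "vulnerable"
    return "unpatched-not-listening"


# Constructed sample data standing in for real command output.
SAMPLE_PS_EXPOSED = (
    "root      1234  0.0  0.1   2048   900 ?  Ss  10:00  0:00 /usr/bin/hidd --server\n"
    "root      1300  0.0  0.1   2100   950 ?  Ss  10:00  0:00 /usr/sbin/hcid\n"
)
SAMPLE_PS_CLIENT_ONLY = (
    "root      1234  0.0  0.1   2048   900 ?  Ss  10:00  0:00 "
    "/usr/bin/hidd --connect 00:11:22:33:44:55\n"
)

if __name__ == "__main__":
    # Output of: rpm -q --qf '%{VERSION}-%{RELEASE}' bluez-utils (constructed)
    for platform, installed, ps in [
        ("rhel-4", "2.10-2", SAMPLE_PS_EXPOSED),            # pre-fix, hidd listening
        ("rhel-4", "2.10-2.2", SAMPLE_PS_EXPOSED),          # RHSA-2007:0065 applied
        ("mandriva-2006.0", "2.19-7mdk", SAMPLE_PS_CLIENT_ONLY),
        ("upstream", "2.25", SAMPLE_PS_EXPOSED),
    ]:
        print(f"{platform:16} bluez-utils-{installed:18} -> {assess(platform, installed, ps)}")
```

Run it on a host by substituting the real rpm and ps output; the version logic only needs the version-release string, so the same check works for distributions not named in the bulletin once their fixed version is added to FIXED.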
