Marc Newlin, uyo akawana kusagadzikana MouseJack makore manomwe apfuura, akaburitsa ruzivo nezve kufanana kusagadzikana (CVE-2023-45866), zvichikanganisa maBluetooth stacks Android, Linux, macOS uye iOS. Kusagadzikana uku kunobvumira kunyengedzwa kwekiyi nekutevera mashandiro emudziyo wekupinda wakabatana neBluetooth. Nekuwana mukana wekupinda mukhibhodi, murwisi anogona kuita zviito zvakasiyana-siyana, zvakaita sekuita mirairo yesystem, kuisa maapplication, uye kutumira mameseji.
Kusagadzikana uku kunokonzerwa neanogamuchira HID (Human Interface Chishandiso) madhiraivha eBluetooth zvishandiso zvine modhi inobvumira iri kure peripheral mudziyo kugadzira uye kumisikidza yakavharidzirwa yekubatanidza pasina humbowo. Aya maturusi akabatana anogona kutumira mameseji ekhibhodi uye HID stack inoagadzirisa, achivhura musuwo kune yakanyarara HID meseji spoofing kurwisa. Kurwiswa uku kunogona kuitwa chinhambwe chinosvika 100 metres kubva kune akabatwa.
Maitiro ekubatanidza zvishandiso zvisina kusimbiswa anotsanangurwa muBluetooth specification uye, zvichienderana nemagadzirirwo eBluetooth stack, anobvumira mudziyo kubatana pasina kusimbiswa kubva kumushandisi. Semuenzaniso, mu Linux, kana uchishandisa BlueZ Bluetooth stack, pakubatanidza zvinhu zvisiri pamutemo, adapta yeBluetooth inofanira kunge iri mu discovery uye connection mode. Android Zvakakwana kugonesa rutsigiro rweBluetooth. Mu iOS uye macOS Kuti kurwiswa kubudirire, Bluetooth inofanira kushanda uye kiyibodi isina waya inofanira kubatana.
Mikana yekutsiva zvinhu zvakaiswa yakaratidzwa mu Ubuntu 18.04, 20.04, 22.04, uye 23.10 ine Bluetooth stack yakavakirwa paBlueZ package. ChromeOS haina njodzi, sezvo magadzirirwo ayo eBluetooth stack asingabvumidze kubatana pasina kusimbiswa. Android Kusagadzikana uku kunokanganisa zvishandiso zvine shanduro dzepuratifomu kubva pa4.2.2 kusvika 14. macOS Kusagadzikana kwakaratidzwa paMacBook Pro ye2022 neApple M2 processor uye macOS 13.3.3, pamwe chete neMacBook Air 2017 ine Intel processor uye macOS 12.6.7. Mu iOS, kushaya simba kwakaratidzwa pa iPhone SE ine iOS 16.6. Kugonesa Lockdown mode hakupe dziviriro kubva pakurwiswa pa macOS uye iOS.
В Linux vulnerability yakabviswa muBluez codebase nekuisa iyo "ClassicBondedOnly" yekumisikidza ku "yechokwadi", ichigonesa yakachengeteka modhi inobvumira chete kubatana kuti kuitwe mushure mekubatanidza. Kare, izvi zvakagadzirirwa "kunyepa", izvo, nekuda kwekuenderana nemimwe michina yekupinza, yakaderedza mwero wekuchengetedza.
MuFluoride Bluetooth stack inoshandiswa mushanduro dzazvino Android, kusagadzikana kwakagadziriswa nekuraira kusimbiswa kwekubatanidza kwese kwakavanzika. Android dzakaburitswa chete kumapazi 11-14. Pamidziyo yePixel, dambudziko racho rakagadziriswa mukuvandudzwa kwefirmware muna Zvita. Android Kubva pa4.2.2 kusvika pa10, kushaya simba kunoramba kwakaratidzwa.
Source: linux.org.ru
