Discover the impact of CVE-2021-3658, a vulnerability in bluetoothd from bluez that could expose systems to nearby attackers. Learn about affected versions and mitigation steps.
Bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. This could lead to inadvertent exposure of the Bluetooth stack to physically nearby attackers.
Understanding CVE-2021-3658
CVE-2021-3658 affects the 'bluez' product.
What is CVE-2021-3658?
CVE-2021-3658 is a vulnerability in bluetoothd from bluez that mishandles the Discoverable status of adapters, potentially exposing the Bluetooth stack to nearby attackers.
The Impact of CVE-2021-3658
The vulnerability could allow physically nearby attackers to exploit the mishandling of Discoverable status, leading to potential security risks and exposure of sensitive information.
Technical Details of CVE-2021-3658
The following technical details outline the vulnerability in more depth.
Vulnerability Description
The issue arises from the incorrect saving and restoration of adapters' Discoverable status by bluetoothd from bluez.
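A check for the save-and-restore behaviour described above, as an added example that is not part of the original page or of bluez: it compares two captures of `bluetoothctl show` output, one taken before an adapter is powered down and one right after it is powered up, and reports adapters that came back discoverable. The captures and addresses are constructed, the property layout is assumed to match what `bluetoothctl show` prints, and the function names are hypothetical.

```python
import re

# Constructed captures in the layout `bluetoothctl show` prints (assumed);
# addresses are made up. Leading whitespace on property lines is ignored.
BEFORE_POWER_DOWN = """\
Controller 00:00:5E:00:53:01 (public)
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x000000b4
Controller 00:00:5E:00:53:02 (public)
    Powered: yes
    Discoverable: no
"""
AFTER_POWER_UP = """\
Controller 00:00:5E:00:53:01 (public)
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x000000b4
Controller 00:00:5E:00:53:02 (public)
    Powered: yes
    Discoverable: no
Controller 00:00:5E:00:53:03 (public)
    Powered: yes
    Discoverable: yes
"""

def parse_show(text):
    """Return {adapter address: {property: value}} from `bluetoothctl show` text."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Controller\s+([0-9A-Fa-f:]{17})", line)
        if header:
            current = adapters.setdefault(header.group(1).upper(), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return adapters

def discoverable_after_power_up(before, after):
    """Map each powered, discoverable adapter in `after` to 'restored' when it
    was already discoverable in `before`, else 'changed' (no such baseline)."""
    old, findings = parse_show(before), {}
    for addr, props in parse_show(after).items():
        if props.get("Powered") == "yes" and props.get("Discoverable") == "yes":
            was_on = old.get(addr, {}).get("Discoverable") == "yes"
            findings[addr] = "restored" if was_on else "changed"
    return findings
```

An adapter reported as `restored` is one whose Discoverable status survived the power cycle, which is the condition this CVE describes.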
Affected Systems and Versions
Exploitation Mechanism
Attackers could exploit this vulnerability by taking advantage of the mishandled Discoverable status to gain unauthorized access to the Bluetooth stack.
Mitigation and Prevention
To safeguard systems from CVE-2021-3658, immediate steps can be taken along with long-term security practices.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Stay informed about security advisories and apply patches promptly to ensure ongoing protection.