ID

VAR-202103-0609


CVE

CVE-2021-21367


TITLE

Authentication Vulnerability in Switchboard Bluetooth Plug for elementary OS

Trust: 0.8

sources: JVNDB: JVNDB-2021-004622

DESCRIPTION

Switchboard Bluetooth Plug for elementary OS from version 2.3.0 and before version 2.3.5 has an incorrect authorization vulnerability. When the Bluetooth plug is running (in discoverable mode), Bluetooth service requests and pairing requests are automatically accepted, allowing physically proximate attackers to pair with a device running an affected version of switchboard-plug-bluetooth without the active consent of the user. By default, elementary OS doesn't expose any services via Bluetooth that allow information to be extracted by paired Bluetooth devices. However, if such services (e.g. contact list sharing software) have been installed, it's possible that attackers have been able to extract data from such services without authorization. If no such services have been installed, attackers are only able to pair with a device running an affected version without authorization and then play audio out of the device or possibly present a HID device (keyboard, mouse, etc.) to control the device. As such, users should check the list of trusted/paired devices and remove any that are not 100% confirmed to be genuine. This is fixed in version 2.3.5. To reduce the likelihood of this vulnerability on an unpatched version, only open the Bluetooth plug for short intervals when absolutely necessary and preferably not in crowded public areas. To mitigate the risk entirely with unpatched versions, do not open the Bluetooth plug within switchboard at all, and use a different method for pairing devices if necessary (e.g. `bluetoothctl` CLI). DanielForé switchboard-plug-bluetooth is an open source application from DanielForé. A power strip bluetooth plug

Trust: 1.8

sources: NVD: CVE-2021-21367 // JVNDB: JVNDB-2021-004622 // VULHUB: VHN-379148 // VULMON: CVE-2021-21367

AFFECTED PRODUCTS

vendor: elementary, model: switchboard bluetooth plug, scope: lt, version: 2.3.5

Trust: 1.0

vendor: fedoraproject, model: fedora, scope: eq, version: 32

Trust: 1.0

vendor: fedoraproject, model: fedora, scope: eq, version: 33

Trust: 1.0

vendor: elementary, model: switchboard bluetooth plug, scope: gte, version: 2.3.0

Trust: 1.0

vendor: elementary, model: switchboard bluetooth plug, scope: -, version: -

Trust: 0.8

vendor: fedora, model: fedora, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-004622 // NVD: CVE-2021-21367

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-21367
value: HIGH

Trust: 1.0

security-advisories@github.com: CVE-2021-21367
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-21367
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202103-905
value: HIGH

Trust: 0.6

VULHUB: VHN-379148
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-21367
severity: MEDIUM
baseScore: 4.3
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 5.5
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-379148
severity: MEDIUM
baseScore: 4.3
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 5.5
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-21367
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2021-21367
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-21367
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-379148 // JVNDB: JVNDB-2021-004622 // CNNVD: CNNVD-202103-905 // NVD: CVE-2021-21367 // NVD: CVE-2021-21367

PROBLEMTYPE DATA

problemtype: CWE-863

Trust: 1.1

problemtype: Bad authentication (CWE-863) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-379148 // JVNDB: JVNDB-2021-004622 // NVD: CVE-2021-21367

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202103-905

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202103-905

PATCH

title: FEDORA-2021-3dedd41a06 Fedora Update Notification, url: https://github.com/elementary/switchboard-plug-bluetooth/commit/86500e645a907538abafe5225b67cc12c03e7645

Trust: 0.8

title: Switchboard Bluetooth Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=144324

Trust: 0.6

sources: JVNDB: JVNDB-2021-004622 // CNNVD: CNNVD-202103-905

EXTERNAL IDS

db: NVD, id: CVE-2021-21367

Trust: 2.6

db: JVNDB, id: JVNDB-2021-004622

Trust: 0.8

db: CNNVD, id: CNNVD-202103-905

Trust: 0.7

db: VULHUB, id: VHN-379148

Trust: 0.1

db: VULMON, id: CVE-2021-21367

Trust: 0.1

sources: VULHUB: VHN-379148 // VULMON: CVE-2021-21367 // JVNDB: JVNDB-2021-004622 // CNNVD: CNNVD-202103-905 // NVD: CVE-2021-21367

REFERENCES

url:https://github.com/elementary/switchboard-plug-bluetooth/security/advisories/ghsa-5p3g-j69g-w2mq

Trust: 1.8

url:https://github.com/elementary/switchboard-plug-bluetooth/commit/86500e645a907538abafe5225b67cc12c03e7645

Trust: 1.8

url:https://github.com/elementary/switchboard-plug-bluetooth/releases/tag/2.3.5

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-21367

Trust: 1.4

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/av7wko5szhtf3qemx4wz576hrecig6vq/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/o7tcgm4b45vlujdce5phfya5kbnhd4ra/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/swuppvfg76pxqa3ahsgkyprmvz5ayhzi/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/o7tcgm4b45vlujdce5phfya5kbnhd4ra/

Trust: 0.8

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/swuppvfg76pxqa3ahsgkyprmvz5ayhzi/

Trust: 0.8

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/av7wko5szhtf3qemx4wz576hrecig6vq/

Trust: 0.8

url:https://vigilance.fr/vulnerability/switchboard-bluetooth-plug-information-disclosure-via-incorrect-authorization-34872

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/863.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/198171

Trust: 0.1

sources: VULHUB: VHN-379148 // VULMON: CVE-2021-21367 // JVNDB: JVNDB-2021-004622 // CNNVD: CNNVD-202103-905 // NVD: CVE-2021-21367

SOURCES

db: VULHUB, id: VHN-379148
db: VULMON, id: CVE-2021-21367
db: JVNDB, id: JVNDB-2021-004622
db: CNNVD, id: CNNVD-202103-905
db: NVD, id: CVE-2021-21367

LAST UPDATE DATE

2024-08-14T14:25:26.822000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-379148, date: 2021-03-23T00:00:00
db: VULMON, id: CVE-2021-21367, date: 2021-03-23T00:00:00
db: JVNDB, id: JVNDB-2021-004622, date: 2021-11-25T06:54:00
db: CNNVD, id: CNNVD-202103-905, date: 2021-03-24T00:00:00
db: NVD, id: CVE-2021-21367, date: 2023-11-07T03:29:58.627

SOURCES RELEASE DATE

db: VULHUB, id: VHN-379148, date: 2021-03-12T00:00:00
db: VULMON, id: CVE-2021-21367, date: 2021-03-12T00:00:00
db: JVNDB, id: JVNDB-2021-004622, date: 2021-11-25T00:00:00
db: CNNVD, id: CNNVD-202103-905, date: 2021-03-12T00:00:00
db: NVD, id: CVE-2021-21367, date: 2021-03-12T17:15:12.753