Attacker Value
Low
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Adjacent_network
2

CVE-2024-21306

Disclosure Date: January 09, 2024
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Microsoft Bluetooth Driver Spoofing Vulnerability

Add Assessment

1
Ratings
  • Attacker Value
    Low
  • Exploitability
    High
Technical Analysis

CVE-2024-21306 is part of a series of vulnerabilities affecting the Bluetooth stacks in multiple operating systems, allowing attackers to pair a virtual Bluetooth keyboard without authentication or user confirmation.

This vulnerability impacts Windows systems when a Bluetooth keyboard has been paired with the computer and is either powered off or out of range. In this case, the Windows system can be exploited if the user interacts with a malicious pairing request in any way (clicking accept, reject, or close). This vulnerability has been fixed in the January 2024 Patch Tuesday updates for Windows 10, 11, and Server 2022.

This is part of a broader issue with Bluetooth vulnerabilities across various platforms, including Android, Linux, macOS, and iOS, each having its own conditions and methods of exploitation. The vulnerabilities generally allow for keystroke injection, posing significant security risks.

CVSS V3 Severity and Metrics
Base Score:
5.7 Medium
Impact Score:
3.6
Exploitability Score:
2.1
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector (AV):
Adjacent_network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
High
Availability (A):
None

General Information

Vendors

  • microsoft

Products

  • windows 10 21h2,
  • windows 10 22h2,
  • windows 11 21h2,
  • windows 11 22h2,
  • windows 11 23h2,
  • windows server 2022,
  • windows server 2022 23h2

Additional Info

Technical Analysis