PT-2021-14449 · Elementary Os · Switchboard Bluetooth Plug

Davidmhewitt · Published 2021-03-12 · Updated 2024-11-12 · CVE-2021-21367

CVSS v3.1: 8.1 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Switchboard Bluetooth Plug for elementary OS versions 2.3.0 through 2.3.5

Description: The issue allows physically proximate attackers to pair with a device running an affected version of switchboard-plug-bluetooth without the active consent of the user, potentially extracting data from installed services or controlling the device. By default, elementary OS doesn't expose services that allow information extraction via Bluetooth, but installed services such as contact list sharing software may be vulnerable. Attackers may also play audio or present a HID device to control the device. Users should check for and remove unconfirmed paired devices.

Recommendations: For versions prior to 2.3.5, to mitigate the risk entirely, do not open the Bluetooth plug within switchboard at all, and use a different method for pairing devices if necessary, such as the bluetoothctl CLI. To reduce the likelihood of this issue on unpatched versions, only open the Bluetooth plug for short intervals when absolutely necessary, and preferably not in crowded public areas. For the best resolution, update to version 2.3.5 or later.

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers:

CVE-2021-21367
GHSA-5P3G-J69G-W2MQ
OPENSUSE-SU-2024:14486-1

Affected Products: Switchboard Bluetooth Plug