CVE-2020-15238

7.1 HIGH

📋 TL;DR

CVE-2020-15238 is an argument injection vulnerability in Blueman's D-Bus interface that allows local attackers to execute arbitrary commands with elevated privileges. The impact varies based on system configuration: with Polkit-1 disabled or on older versions, any local user can exploit it; with Polkit-1 enabled, exploitation requires membership in the wheel group. This vulnerability affects systems using Blueman for Bluetooth management.

💻 Affected Systems

Products:
  • Blueman Bluetooth Manager
Versions: All versions before 2.1.4
Operating Systems: Linux distributions with Blueman installed
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability severity depends on Polkit-1 configuration: systems with Polkit-1 disabled or versions before 2.0.6 are most vulnerable. Systems with ISC DHCP client (dhclient) allow interface manipulation, while systems with dhcpcd allow arbitrary script execution.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via arbitrary command execution as root, including network interface manipulation, XDP/BPF program injection, or arbitrary script execution depending on DHCP client configuration.

🟠 Likely Case

Local privilege escalation allowing authenticated users to gain root access and potentially disrupt network services or execute limited commands.

🟢 If Mitigated

Limited to users already in the wheel group with Polkit-1 enabled, reducing the attack surface significantly.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Any local user on affected systems can potentially gain root privileges depending on configuration.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available on Packet Storm Security. Exploitation requires local access to the system and is straightforward for an attacker who already holds the privileges the system configuration demands (any local user, or a wheel group member when Polkit-1 is enabled).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.4

Vendor Advisory: https://github.com/blueman-project/blueman/security/advisories/GHSA-jpc9-mgw6-2xwx

Restart Required: No

Instructions:

1. Update Blueman to version 2.1.4 or later using your distribution's package manager.
2. For Ubuntu/Debian: sudo apt update && sudo apt upgrade blueman.
3. For other distributions, use the appropriate package manager command.
4. Verify the update was successful.

🔧 Temporary Workarounds

Enable and Configure Polkit-1

Ensure Polkit-1 is enabled and restrict the org.blueman.dhcp.client action to trusted users only in the Polkit rules file.

sudo systemctl status polkit
sudo nano /usr/share/polkit-1/rules.d/blueman.rules

🧯 If You Can't Patch

  • Ensure Polkit-1 is enabled and properly configured to limit the org.blueman.dhcp.client action to users who already have root privileges.
  • Remove unnecessary users from the wheel group and restrict local access to systems running vulnerable Blueman versions.

🔍 How to Verify

Check if Vulnerable:

Check Blueman version: blueman-applet --version or dpkg -l | grep blueman. If version is earlier than 2.1.4, the system is vulnerable.

Check Version:

blueman-applet --version || dpkg -l | grep blueman || rpm -q blueman

Verify Fix Applied:

Verify Blueman version is 2.1.4 or later: blueman-applet --version. Check that the update was applied successfully.

📡 Detection & Monitoring

Log Indicators:

  • Unusual D-Bus calls to org.blueman.Mechanism.DhcpClient
  • Suspicious interface name arguments passed to dhclient or dhcpcd
  • Unexpected network interface changes or script executions

Network Indicators:

  • Sudden network interface changes on Bluetooth-enabled systems
  • Unexpected DHCP client activity

SIEM Query:

(process_name:dhclient AND command_line:*link*) OR (process_name:dhcpcd AND command_line:*-c*)
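The SIEM query above expressed as runnable detection logic over constructed process-execution events (an added example, not part of the original advisory or of Blueman). It applies the query with explicit precedence, tightens the `*-c*` wildcard to a whole `-c` token, and adds a second rule that flags any non-option argument to dhclient/dhcpcd that does not look like a Linux interface name, since Blueman should only ever pass a single interface name; the event line format is assumed.

```python
import re

# Linux interface names are at most 15 characters (IFNAMSIZ-1) and carry no
# whitespace or slashes; anything else in the argument list is worth a look.
IFNAME_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")

# Constructed sample process-execution events (not real logs), one per line:
# "<timestamp> <process_name> <command_line>".
SAMPLE_EVENTS = """\
2020-10-08T10:01:02Z dhclient /sbin/dhclient bnep0
2020-10-08T10:02:11Z dhcpcd /sbin/dhcpcd -c /tmp/script.sh bnep0
2020-10-08T10:03:45Z dhclient /sbin/dhclient /tmp/not-an-interface
2020-10-08T10:04:12Z dhcpcd /sbin/dhcpcd bnep0
2020-10-08T10:05:00Z sshd /usr/sbin/sshd -D
"""

def parse_event(line):
    """Split one event line into (timestamp, process_name, command_line)."""
    ts, proc, cmd = line.split(" ", 2)
    return ts, proc, cmd

def matches_siem_query(proc, cmd):
    """The page's SIEM query with explicit precedence:
    (dhclient AND *link*) OR (dhcpcd AND -c as a whole token)."""
    return (proc == "dhclient" and "link" in cmd) or \
           (proc == "dhcpcd" and "-c" in cmd.split())

def odd_arguments(cmd):
    """Return the non-option arguments that do not look like an interface
    name. Blueman should only hand the DHCP client a single interface name."""
    args = cmd.split()[1:]
    return [a for a in args if not a.startswith("-") and not IFNAME_RE.match(a)]

def flag_events(text=SAMPLE_EVENTS):
    """Return [(timestamp, reason)] for every DHCP-client event that trips a rule."""
    hits = []
    for line in text.splitlines():
        ts, proc, cmd = parse_event(line)
        if proc not in ("dhclient", "dhcpcd"):
            continue  # only the two DHCP clients Blueman invokes are of interest
        if matches_siem_query(proc, cmd):
            hits.append((ts, "siem-query"))
        elif odd_arguments(cmd):
            hits.append((ts, "unexpected-argument"))
    return hits

if __name__ == "__main__":
    for ts, reason in flag_events():
        print(ts, reason)
```

The second rule catches injected arguments the literal query would miss, at the cost of tuning `IFNAME_RE` if a site uses unusual interface naming.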
