CVE-2023-35681 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2023-35681?

CVE-2023-35681 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary code on affected Android devices via Bluetooth without user interaction. It affects Android devices with Bluetooth enabled, potentially allowing attackers to take full control of vulnerable devices.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected Android devices via Bluetooth without user interaction. It affects Android devices with Bluetooth enabled, potentially allowing attackers to take full control of vulnerable devices.

💻 Affected Systems

Products:

Android devices with Bluetooth functionality

Versions: Android versions prior to September 2023 security patch

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Devices with Bluetooth enabled are vulnerable by default. The vulnerability is in the Enhanced Attribute Protocol (EATT) implementation.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data theft, and persistent access to the device.

🟠

Likely Case

Remote code execution allowing attackers to install malware, steal sensitive data, or use the device as a pivot point in networks.

🟢

If Mitigated

Limited impact if Bluetooth is disabled or devices are patched, though unpatched devices remain vulnerable to nearby attackers.

🌐 Internet-Facing: LOW (requires Bluetooth proximity, not internet connectivity)

🏢 Internal Only: HIGH (attackers within Bluetooth range can exploit without authentication)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires Bluetooth proximity but no user interaction. The integer overflow in eatt_l2cap_reconfig_completed leads to out-of-bounds write.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: September 2023 Android Security Patch or later

Vendor Advisory: https://source.android.com/security/bulletin/2023-09-01

Restart Required: Yes

Instructions:

1. Apply September 2023 Android Security Patch via Settings > System > System Update. 2. Reboot device after update. 3. Verify patch installation in Settings > About phone > Android security patch level.

🔧 Temporary Workarounds

Disable Bluetooth

android

Turn off Bluetooth functionality to prevent exploitation

adb shell settings put global bluetooth_on 0
Settings > Connected devices > Connection preferences > Bluetooth > Toggle off

Restrict Bluetooth visibility

android

Set Bluetooth to non-discoverable mode to reduce attack surface

adb shell settings put global bluetooth_discoverability 0
Settings > Connected devices > Connection preferences > Bluetooth > Device name > Turn off 'Make device discoverable'

🧯 If You Can't Patch

Disable Bluetooth completely when not in use
Implement network segmentation to isolate vulnerable devices from critical systems

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android security patch level. If date is before September 2023, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level shows September 2023 or later. Check Bluetooth functionality remains operational after patch.

📡 Detection & Monitoring

Log Indicators:

Unusual Bluetooth connection attempts
Crash logs from Bluetooth stack (logcat)
Suspicious process creation following Bluetooth events

Network Indicators:

Anomalous Bluetooth traffic patterns
Unexpected Bluetooth pairing requests
Bluetooth protocol violations

SIEM Query:

source="android_logs" AND (process="bluetooth" OR process="com.android.bluetooth") AND (event="crash" OR event="exception")

📊 Metadata

CVE ID: CVE-2023-35681

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-190

Published: September 11, 2023

Last Updated: November 21, 2024

🔗 References

https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d8d95291f16a8f18f8ffbd6322c14686897c5730 Vendor Advisory
https://source.android.com/security/bulletin/2023-09-01 Vendor Advisory
https://android.googlesource.com/platform/packages/modules/Bluetooth/+/d8d95291f16a8f18f8ffbd6322c14686897c5730 Vendor Advisory
https://source.android.com/security/bulletin/2023-09-01 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-35681, you might also want to check these: