CVE-2020-15238: Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the DhcpClient method of the D-Bus interface to blueman-mechanism is prone to an argumen...

Description

Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the DhcpClient method of the D-Bus interface to blueman-mechanism is prone to an argument injection vulnerability. The impact highly depends on the system configuration. If Polkit-1 is disabled and for versions lower than 2.0.6, any local user can possibly exploit this. If Polkit-1 is enabled for version 2.0.6 and later, a possible attacker needs to be allowed to use the `org.blueman.dhcp.client` action. That is limited to users in the wheel group in the shipped rules file that do have the privileges anyway. On systems with ISC DHCP client (dhclient), attackers can pass arguments to `ip link` with the interface name that can e.g. be used to bring down an interface or add an arbitrary XDP/BPF program. On systems with dhcpcd and without ISC DHCP client, attackers can even run arbitrary scripts by passing `-c/path/to/script` as an interface name. Patches are included in 2.1.4 and master that change the DhcpClient D-Bus method(s) to accept BlueZ network object paths instead of network interface names. A backport to 2.0(.8) is also available. As a workaround, make sure that Polkit-1-support is enabled and limit privileges for the `org.blueman.dhcp.client` action to users that are able to run arbitrary commands as root anyway in /usr/share/polkit-1/rules.d/blueman.rules.

Metrics

CVSS 3.1

7/10

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

4.54%

90.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Blueman Project	Blueman	< 2.1.4
Debian	Debian Linux	9.0
Debian	Debian Linux	10.0
Fedoraproject	Fedora	31
Fedoraproject	Fedora	32
Fedoraproject	Fedora	33

References

http://packetstormsecurity.com/files/159740/Blueman-Local-Root-Privilege-Escalation.htmlExploit, Third Party Advisory, VDB Entry
https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/1897287Exploit, Issue Tracking, Third Party Advisory
https://github.com/blueman-project/blueman/releases/tag/2.1.4Third Party Advisory
https://github.com/blueman-project/blueman/security/advisories/GHSA-jpc9-mgw6-2xwxThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/11/msg00005.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3F4EQU6CAPBKAPJ42HTB473NJLXFKB32/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFLMNHAHX5HPIKC5IG6F25HO5Z6RH2N/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W52NP7HRFTNAVNZLGKY4GR3JIZG5KKGS/
https://security.gentoo.org/glsa/202011-11Third Party Advisory
https://www.debian.org/security/2020/dsa-4781Third Party Advisory
http://packetstormsecurity.com/files/159740/Blueman-Local-Root-Privilege-Escalation.htmlExploit, Third Party Advisory, VDB Entry
https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/1897287Exploit, Issue Tracking, Third Party Advisory
https://github.com/blueman-project/blueman/releases/tag/2.1.4Third Party Advisory
https://github.com/blueman-project/blueman/security/advisories/GHSA-jpc9-mgw6-2xwxThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/11/msg00005.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3F4EQU6CAPBKAPJ42HTB473NJLXFKB32/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFLMNHAHX5HPIKC5IG6F25HO5Z6RH2N/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W52NP7HRFTNAVNZLGKY4GR3JIZG5KKGS/
https://security.gentoo.org/glsa/202011-11Third Party Advisory
https://www.debian.org/security/2020/dsa-4781Third Party Advisory

Timeline

Published: Oct 27, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-15238?

Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the DhcpClient method of the D-Bus interface to blueman-mechanism is prone to an argument injection vulnerability. The impact highly depends on the system configuration. If Polkit-1 is disabled and for versions lower than 2.0.6, any local user can possibly exploit this. If Polkit-1 is enabled for version 2.0.6 and later, a possible attacker needs to be allowed to use the `org.blueman.dhcp.client` action. That is limited to users in the wheel group in the shipped rules file that do have the privileges anyway. On systems with ISC DHCP client (dhclient), attackers can pass arguments to `ip link` with the interface name that can e.g. be used to bring down an interface or add an arbitrary XDP/BPF program. On systems with dhcpcd and without ISC DHCP client, attackers can even run arbitrary scripts by passing `-c/path/to/script` as an interface name. Patches are included in 2.1.4 and master that change the DhcpClient D-Bus method(s) to accept BlueZ network object paths instead of network interface names. A backport to 2.0(.8) is also available. As a workaround, make sure that Polkit-1-support is enabled and limit privileges for the `org.blueman.dhcp.client` action to users that are able to run arbitrary commands as root anyway in /usr/share/polkit-1/rules.d/blueman.rules.

How severe is CVE-2020-15238?

CVE-2020-15238 has a CVSS score of 7/10 (HIGH severity). The EPSS model estimates a 4.54% probability of exploitation in the next 30 days.

How do I fix CVE-2020-15238?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.