Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-21306

CVE-2024-21306: Windows 10 21H2 Bluetooth Spoofing Flaw

CVE-2024-21306 is a spoofing vulnerability in the Microsoft Bluetooth driver for Windows 10 21H2 that could allow attackers to impersonate trusted devices. This article covers technical details, affected systems, and mitigations.

Updated:

CVE-2024-21306 Overview

CVE-2024-21306 is a spoofing vulnerability in the Microsoft Bluetooth Driver that affects multiple versions of Windows 10, Windows 11, and Windows Server 2022. This vulnerability, classified under CWE-306 (Missing Authentication for Critical Function), allows an attacker on an adjacent network to spoof Bluetooth communications without requiring any privileges, though user interaction is required for successful exploitation.

Critical Impact

An attacker within Bluetooth range could exploit this vulnerability to spoof legitimate Bluetooth devices, potentially enabling unauthorized keystroke injection or data manipulation on affected Windows systems.

Affected Products

  • Microsoft Windows 10 21H2
  • Microsoft Windows 10 22H2
  • Microsoft Windows 11 21H2
  • Microsoft Windows 11 22H2
  • Microsoft Windows 11 23H2
  • Microsoft Windows Server 2022
  • Microsoft Windows Server 2022 23H2

Discovery Timeline

  • January 9, 2024 - CVE-2024-21306 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2024-21306

Vulnerability Analysis

This Bluetooth driver spoofing vulnerability stems from missing authentication for critical functions within the Microsoft Bluetooth driver stack. The vulnerability allows an attacker positioned on an adjacent network (within Bluetooth range) to impersonate legitimate Bluetooth devices without proper authentication verification.

The attack requires low complexity to execute but does require some form of user interaction to be successful. While the vulnerability does not impact system confidentiality or availability, it poses a high risk to integrity, meaning attackers could potentially inject malicious input or manipulate data being transmitted over Bluetooth connections.

The vulnerability is particularly concerning for environments where Bluetooth Human Interface Devices (HID) such as keyboards and mice are in use, as successful exploitation could allow keystroke injection attacks.

Root Cause

The root cause of CVE-2024-21306 is CWE-306: Missing Authentication for Critical Function. The Microsoft Bluetooth driver fails to properly authenticate Bluetooth device connections in certain scenarios, allowing unauthorized devices to spoof legitimate peripherals. This authentication bypass enables malicious actors to establish connections that should require proper device verification.

Attack Vector

The attack vector for this vulnerability is Adjacent Network, specifically requiring the attacker to be within Bluetooth radio range of the target system. The attacker would need to:

  1. Position themselves within Bluetooth range of the target Windows device
  2. Set up a malicious Bluetooth device configured to spoof a legitimate peripheral
  3. Wait for or trigger user interaction that facilitates the spoofed connection
  4. Once connected, inject malicious keystrokes or manipulate Bluetooth communications

The vulnerability does not require any authentication or elevated privileges on the attacker's part. However, the requirement for user interaction limits the attack to scenarios where a victim takes some action that enables the spoofed connection to be established.

Detection Methods for CVE-2024-21306

Indicators of Compromise

  • Unexpected Bluetooth device pairing requests or connections appearing in Windows Bluetooth settings
  • Unusual keyboard or mouse activity that does not correspond to legitimate user input
  • Multiple Bluetooth devices with identical or similar names appearing in device discovery
  • Bluetooth connection logs showing devices connecting without explicit user-initiated pairing

Detection Strategies

  • Monitor Windows Event Logs for Bluetooth-related events, particularly device connection and pairing activities under the Microsoft-Windows-Bluetooth event provider
  • Implement endpoint detection rules to alert on rapid or automated keystroke sequences that may indicate injection attacks
  • Deploy SentinelOne Singularity Platform to detect behavioral anomalies associated with HID-based attacks
  • Audit paired Bluetooth devices regularly to identify any unauthorized or unknown peripherals

Monitoring Recommendations

  • Enable verbose logging for Bluetooth driver activities in Windows Event Viewer
  • Configure security monitoring tools to alert on new Bluetooth device connections in sensitive environments
  • Implement device inventory management to track and validate all authorized Bluetooth peripherals
  • Deploy network-level monitoring for Bluetooth communications in high-security areas

How to Mitigate CVE-2024-21306

Immediate Actions Required

  • Apply the January 2024 Windows security updates from Microsoft immediately on all affected systems
  • Review and remove any unknown or unauthorized Bluetooth devices from the paired devices list
  • Consider disabling Bluetooth functionality on systems where it is not required
  • Implement physical security measures to limit unauthorized proximity access in sensitive areas

Patch Information

Microsoft has released security updates to address CVE-2024-21306 as part of the January 2024 Patch Tuesday release. Organizations should apply the appropriate cumulative update for their Windows version. Detailed patch information and download links are available in the Microsoft Security Update Guide.

The security update addresses the authentication bypass by implementing proper device verification mechanisms within the Bluetooth driver stack.

Workarounds

  • Disable Bluetooth functionality through Windows Settings or Device Manager on systems that do not require Bluetooth connectivity
  • Use Group Policy to restrict Bluetooth device pairing in enterprise environments
  • Implement Bluetooth device whitelisting where supported to prevent unauthorized device connections
  • Deploy physical security controls to restrict access to Bluetooth-enabled workstations in sensitive areas
bash
# Disable Bluetooth service via PowerShell (run as Administrator)
Stop-Service -Name "bthserv" -Force
Set-Service -Name "bthserv" -StartupType Disabled

# Alternatively, disable Bluetooth adapter via PowerShell
Get-PnpDevice | Where-Object {$_.FriendlyName -like "*Bluetooth*"} | Disable-PnpDevice -Confirm:$false

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne