Information disclosure in Apple Magic Keyboard Firmware
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-0230 |
| CWE-ID | CWE-312 |
| Exploitation vector | Local |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
Magic Keyboard Firmware Hardware solutions / Firmware |
| Vendor | Apple Inc. |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Cleartext storage of sensitive information
EUVDB-ID: #VU85311
Risk: Low
CVSSv4.0: 0.9 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2024-0230
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: Yes
DescriptionThe vulnerability allows an attacker to gain access to sensitive information.
The vulnerability exists due to the way Bluetooth pairing key is stored on the device. An attacker with physical access to the accessory can extract its Bluetooth pairing key and monitor Bluetooth traffic.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMagic Keyboard Firmware: before 2.0.6
CPE2.3 External linkshttps://support.apple.com/en-us/HT214050
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
