Title

Web Bluetooth API must be disabled. (Cat II impact)

Discussion

Setting the policy to 3 lets websites ask for access to nearby Bluetooth devices. Setting the policy to 2 denies access to nearby Bluetooth devices. Leaving the policy unset lets sites ask for access, but users can change this setting. 2 = Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API 3 = Allow sites to ask the user to grant access to a nearby Bluetooth device

Check Content

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If DefaultWebBluetoothGuardSetting is not displayed under the Policy Name column or it is not set to 2 under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the DefaultWebBluetoothGuardSetting value name does not exist or its value data is not set to 2, then this is a finding.

Fix Text

Windows group policy: 1. Open the “group policy editor” tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings Policy Name: Control use of the Web Bluetooth API Policy State: Enabled Policy Value: Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API

Additional Identifiers

Rule ID: SV-241787r879587_rule

Vulnerability ID: V-241787

Group Title: SRG-APP-000141

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.