Two critical vulnerabilities have been disclosed in Bluetooth Low Energy (BLE) chips which is embedded in millions of access points and networking devices used by enterprises worldwide.
The set of two flaws dubbed as BleedingBit, permits remote attackers to execute arbitrary code and get complete control of vulnerable devices without any authentication. This also includes medical devices like insulin pumps and pacemakers, and also point-of-sales and IoT devices.
The vulnerabilities have been discovered by the security researchers at Israeli security firm Armis. The vulnerabilities exist in Bluetooth Low Energy (BLE) Stack chips made by Texas Instruments (TI) that are being used by Cisco, Meraki, and Aruba in their enterprise line of products.
BleedingBit RCE Vulnerability (CVE-2018-16986)
The first vulnerability which has been identified as CVE-2018-16986, resides in TI chips CC2640 and CC2650 and affects many Cisco and Meraki’s Wi-Fi access points. This flaw utilizes the loophole in the way Bluetooth chips analyze incoming data.
When more traffic is being sent to a BLE chip than it is allowed to handle causes memory corruption which is popularly called as a buffer overflow attack. This permits the attacker to run harmful code on an affected device.
According to the researcher, first, the attacker sends several friendly BLE broadcast messages, called Advertising Packets, which will be stored on the vulnerable BLE chip’s memory of the targeted device. Then he sends the overflow packet, which is a standard advertising packet with a slight modification – a specific bit in its header turned ON instead of off. This bit makes the chip to allocate the information from the packet a larger space than it really needs, triggering an overflow of critical memory in the process.
For an initial attack, the attacker needs to be at a physical closeness to a targeted device and when it is compromised, they take control of the access point, allowing them to intercept network traffic, install persistent backdoor on the chip, or launch more attacks on other connected devices over the Internet.
BleedingBit OAD RCE Vulnerability (CVE-2018-7080)
The second vulnerability which has been identified as CVE-2018-7080, exists in CC2642R2, CC2640R2, CC2640, CC2650, CC2540, and CC2541 TI chips, and affects Aruba’s Wi-Fi access point Series 300. This flaw occurs due to an issue with Texas Instruments’ firmware update feature in BLE chips called Over the Air firmware Download (OAD).
All the Aruba access points share the same OAD password an attacker can send a harmful update to the targeted access point and rewrite its operating system, finally getting total control over the device.
Researchers explains that the OA feature is not automatically configured to address secure firmware updates by default. It permits an update mechanism of the firmware running on the BLE chip over a GATT transaction.
A hacker can connect to the BLE chip on a vulnerable access point and upload his own harmful code and rewrite its operating system, thereby gaining full control over it.
Information Regarding Patch
Armis found the BleedingBit vulnerabilities earlier this year and reported all affected vendors in June 2018. They have also worked with affected companies to make updates to address the issues.
Texas Instruments confirmed the vulnerabilities and released security patches for affected hardware on Thursday that will be available through respective OEMs.
Cisco, which also owns Meraki, released BLE-STACK version 2.2.2 for three Aironet Series wireless access points (1542 AP, 1815 AP, 4800 AP), and Meraki series access points (MR33, MR30H, MR74, MR53E), to address CVE-2018-16986.
Aruba has also released a security patch for its Aruba 3xx and IAP-3xx series access points to address the CVE-2018-7080 flaw.
Cisco and Aruba devices have Bluetooth disabled by default and no vendor is aware of anyone actively exploiting any of these zero-day vulnerabilities in the wild.