CERT-EU - BLEEDINGBIT - Vulnerabilities Affecting Enterprise WiFi Devices

Release Date: 05-11-2018 15:43:00

BLEEDINGBIT - Vulnerabilities Affecting Enterprise WiFi Devices

History:

05/11/2018 --- v1.0 -- Initial publication

Summary

Security researchers disclosed details about two critical vulnerabilities related to the use of BLE (Bluetooth Low Energy) chips made by Texas Instruments (TI). The vulnerable BLE chips are embedded in WiFi network equipment from Cisco, Meraki and Aruba Networks [1]. Dubbed BleedingBit, the two vulnerabilities could allow remote attackers to execute arbitrary code and take full control of vulnerable devices without authentication.

Technical Details

The first vulnerability -- CVE-2018-16986 -- is a Remote Code Execution (RCE) vulnerability. Attackers can send multiple benign BLE broadcast messages, called advertising packets, which are stored in the memory of the vulnerable chip. As long as BLE is enabled on the target device, those packets -- which contain hidden malicious code to be invoked later on -- can be used together with an overflow packet to trigger an overflow of critical memory. When exploited, attackers are able to trigger memory corruption in the BLE stack of the chip, remotely executing malicious code [2].

The second vulnerability, identified as CVE-2018-7080, is basically a leftover development backdoor tool. That backdoor helps during the development stage to push over-the-air downloads (OAD) of the firmware. The function is intended for updating the devices remotely by connecting to them with a preset password.

Products Affected

The vulnerable chips are typically found in access points that provide WiFi service. They are also present in medical devices (insulin pumps, pacemakers), smart locks and a variety of other types of products that rely on Bluetooth Low Energy (BLE) technology for communication.

Devices Affected by the RCE Vulnerability (CVE-2018-16986)

The security vulnerability CVE-2018-16986 is present in these TI chips, when scanning is used (e.g., observer role or central role that performs scanning) in the following device/software combinations:

CC2640 (non-R2) with BLE-STACK version 2.2.1 or an earlier version; or
CC2650 with BLE-STACK version 2.2.1 or an earlier version; or
CC2640R2F with SimpleLink CC2640R2 SDK version 1.00.00.22 (BLE-STACK 3.0.0); or
CC1350 with SimpleLink CC13x0 SDK version 2.20.00.38 (BLE-STACK 2.3.3) or an earlier version.

Affected Access Points

Cisco APs (RCE vulnerability):

Cisco 1800i Aironet Access Points
Cisco 1810 Aironet Access Points
Cisco 1815i Aironet Access Points
Cisco 1815m Aironet Access Points
Cisco 1815w Aironet Access Points
Cisco 4800 Aironet Access Points
Cisco 1540 Aironet Series Outdoor Access Point

Meraki APs (RCE vulnerability):

Meraki MR30H AP
Meraki MR33 AP
Meraki MR42E AP
Meraki MR53E AP
Meraki MR74

Devices Affected by the Backdoor Vulnerability (CVE-2018-7080)

The vulnerability for CVE-2018-7080 affects any of the following TI’s BLE chips provided the vendor choose to include the OAD feature in his device.

cc2642r
cc2640r2
cc2640
cc2650
cc2540
cc2541

Affected Access Points

AP-3xx and IAP-3xx series access points
AP-203R
AP-203RP
ArubaOS 6.4.4.x prior to 6.4.4.20
ArubaOS 6.5.3.x prior to 6.5.3.9
ArubaOS 6.5.4.x prior to 6.5.4.9
ArubaOS 8.x prior to 8.2.2.2
ArubaOS 8.3.x prior to 8.3.0.4

Aside from the devices listed above, the researchers are not aware of any other networking equipment that is affected. They advise visiting the CERT/CC advisory page for the latest information [3].