Dubbed BleedingBit, this pair of vulnerabilities can allow attackers to remotely execute arbitrary code and gain complete control over vulnerable devices without authentication, including medical devices such as insulin pumps and pacemakers, point-of-sale devices, and IoT devices.
Warning: Vulnerability in Bluetooth chips exposes millions of devices to remote attacks
Discovered by security researchers at the Israeli security firm Armis, these vulnerabilities exist in the BLE stack of Texas Instruments (TI) Bluetooth Low Energy (BLE) chips that Cisco, Meraki, and Aruba currently use in their product lines.
Last year, the security firm Armis also discovered BlueBorne, a collection of 9 zero-day Bluetooth vulnerabilities in Android, Windows, Linux, and iOS affecting billions of devices, including smartphones, laptops, TVs, watches, and car audio systems.
The first BleedingBit RCE vulnerability affecting BLE chips (CVE-2018-16986) is easy to exploit
The first vulnerability, identified as CVE-2018-16986, exists in TI CC2640 and CC2650 chips and affects numerous Wi-Fi access points from Cisco and Meraki. The flaw lies in how the Bluetooth chip parses incoming data.
According to the researchers, if the traffic sent to the BLE chip exceeds what its memory buffer can hold, the result is a memory corruption condition commonly known as a buffer overflow, which allows attackers to execute malicious code on the affected device.
Specifically, the attacker first sends advertising packets, which the vulnerable BLE chip stores in its memory on the targeted device, to activate BLE broadcasting. The attacker then sends the overflow packet: a standard advertising packet made more aggressive by setting a specific header bit to ON instead of OFF. This causes the chip to allocate more memory than it should, triggering a critical memory overflow.
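As an added illustration of the defect class described above (constructed for this page; it is neither TI's BLE-STACK code nor Armis's research code), the following C snippet contrasts a receive path that lets a sender-controlled header flag raise the accepted payload length with one that bounds every copy by the real buffer size. The buffer layout, the flag bit (`ADV_FLAG_EXT`), the two-byte header and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not TI's BLE-STACK code. The receive buffer is sized
 * for a legacy advertising payload: 6-byte AdvA plus at most 31 bytes of AdvData. */
#define ADV_ADDR_LEN 6
#define ADV_DATA_MAX 31
#define ADV_BUF_SIZE (ADV_ADDR_LEN + ADV_DATA_MAX)   /* 37 bytes */

/* Hypothetical header flag that the flawed code lets raise the accepted
 * length; it stands in for the "ON" header bit the article describes. */
#define ADV_FLAG_EXT 0x80
#define ADV_HDR_LEN  2   /* byte 0: type/flags, byte 1: claimed payload length */

/* Flawed pattern: a flag chosen by the sender decides how many bytes are
 * accepted, but the receive buffer never grows with it. */
size_t adv_limit_flawed(uint8_t flags)
{
    return (flags & ADV_FLAG_EXT) ? 255 : ADV_BUF_SIZE;
}

/* Hardened pattern: the limit is the real buffer size, whatever the flag says. */
size_t adv_limit_hardened(uint8_t flags)
{
    (void)flags;
    return ADV_BUF_SIZE;
}

/* Copies the advertising payload of a raw frame into out.
 * Returns the number of bytes copied, or -1 when the frame is rejected. */
int adv_parse(const uint8_t *frame, size_t frame_len, uint8_t *out, size_t out_len)
{
    if (frame == NULL || out == NULL || frame_len < ADV_HDR_LEN)
        return -1;
    uint8_t flags = frame[0];
    size_t claimed = frame[1];
    /* Never read past the frame that was actually received ... */
    if (claimed > frame_len - ADV_HDR_LEN)
        return -1;
    /* ... and never write past the destination, regardless of header flags. */
    if (claimed > adv_limit_hardened(flags) || claimed > out_len)
        return -1;
    memcpy(out, frame + ADV_HDR_LEN, claimed);
    return (int)claimed;
}

/* Runs the hardened parser over two constructed frames. Returns 1 when a
 * well-formed 37-byte advertisement is accepted and an over-long one whose
 * header flag is set is rejected, 0 otherwise. */
int adv_demo(void)
{
    uint8_t out[ADV_BUF_SIZE];
    uint8_t good[ADV_HDR_LEN + ADV_BUF_SIZE];
    uint8_t bad[ADV_HDR_LEN + 60];

    memset(good, 0xAA, sizeof good);
    good[0] = 0x00;            /* plain advertisement, flag clear */
    good[1] = ADV_BUF_SIZE;    /* claims exactly what fits */

    memset(bad, 0xBB, sizeof bad);
    bad[0] = ADV_FLAG_EXT;     /* flag set: the flawed limit would allow 255 bytes */
    bad[1] = 60;               /* claims more than the 37-byte buffer holds */

    int good_rc = adv_parse(good, sizeof good, out, sizeof out);
    int bad_rc  = adv_parse(bad, sizeof bad, out, sizeof out);
    return (good_rc == ADV_BUF_SIZE && bad_rc == -1) ? 1 : 0;
}

int main(void)
{
    printf("flawed limit with flag set: %zu bytes (buffer holds %d)\n",
           adv_limit_flawed(ADV_FLAG_EXT), ADV_BUF_SIZE);
    printf("hardened parser check: %s\n", adv_demo() ? "ok" : "FAILED");
    return adv_demo() ? 0 : 1;
}
```

The point of the contrast is that the destination buffer, not any bit under the sender's control, must decide how much data is accepted; a length check against the received frame alone is not enough, because the frame can legitimately be longer than the buffer.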
However, it's important to note that the initial attack requires the attacker's device to be within Bluetooth range of the targeted device. Once the victim's device is compromised, the attacker can control the access point, intercept network traffic, install backdoors on the chip, or launch further attacks on other devices connected to the Internet.
The second BleedingBit OAD RCE vulnerability affecting BLE chips (CVE-2018-7080)
The second vulnerability, identified as CVE-2018-7080, is found in TI CC2642R2, CC2640R2, CC2640, CC2650, CC2540, and CC2541 chips and affects Aruba's 300 Series Wi-Fi access points.
The cause of this vulnerability is a flaw in Texas Instruments' firmware update feature for BLE chips, called Over-the-Air firmware Download (OAD).
Since all Aruba access points share the same OAD password, which can be sniffed during a legitimate update or extracted from Aruba's BLE firmware, attackers can deliver malicious updates to targeted access points and take control of the victim device's operating system.
According to the researchers, by default the OAD feature is not configured to secure the firmware updates it accepts. The feature uses a simple firmware update mechanism that runs on the BLE chip via GATT transactions. Attackers can connect to the vulnerable BLE chip on an affected access point and upload their own firmware image containing malicious code, allowing them to rewrite the entire operating system and take control of the victim device.
Related vulnerability patches
Armis discovered the BleedingBit vulnerabilities earlier this year and reported them to all affected vendors in June. The security firm also reached out to and collaborated with the affected parties to provide patches.
Texas Instruments has also confirmed the vulnerabilities and plans to release patches for the affected hardware on Thursday. These patches will be distributed through the corresponding OEMs.
Cisco, which also owns Meraki, released BLE-STACK version 2.2.2 on Thursday for three Aironet Series wireless access points (1542 AP, 1815 AP, 4800 AP) and for Meraki access points (MR33, MR30H, MR74, MR53E) to address CVE-2018-16986.
Aruba has released security patches for Aruba 3xx access points and IAP-3xx to address CVE-2018-7080.
Additionally, both Cisco and Aruba have confirmed that their devices ship with Bluetooth disabled by default, and there is no information suggesting these vulnerabilities are being exploited in the wild.
