Two vulnerabilities, dubbed “BLEEDINGBIT”, have been discovered in Bluetooth chips found in access points manufactured by Cisco, Meraki, and Aruba that provide WiFi service in enterprises. Successful exploitation of these vulnerabilities allows for unauthenticated attackers to take control of the devices.
The Masergy Threat Intelligence Team is not aware of any exploitation of these vulnerabilities being reported.
- CVE-2018-16986 – remote code execution
- CVE-2018-7080 – RCE via over-the-air downloads (OAD)
The following Texas Instruments chips are affected:
- CC2640 (non-R2) with BLE-STACK version 2.2.1 or earlier
- CC2650 with BLE-STACK version 2.2.1 or earlier
- CC2640R2 with BLE-STACK version 1.0 or earlier
The following Cisco & Meraki Access Points are affected:
- 1542 AP
- 1815 AP
- 4800 AP
The following Texas Instrument chips are affected:
The following Aruba Access Points are affected:
- Aruba series 300 APs (OAD issue)
BLEEDINGBIT RCE vulnerability (CVE-2018-16986)
CVE-2018-16986 is a RCE (Remote Code Execution) vulnerability in BLE (Bluetooth Low Energy) TI chips that are utilized in some WiFi access points. This vulnerability can be exploited provided that BLE is enabled, and the attacker is within range to transmit traffic.
In order to exploit the vulnerability, the attacker first loads the payload into the memory of the BLE chip by using BLE broadcast messages. Once the payload is loaded, the attacker sends the overflow packet which is a crafted packet designed to trigger a memory overflow and execute the previously loaded payload. With this capability, an attacker could install a backdoor and possibly alter the functionality of the main processor leading to full control of the device.
BLEEDINGBIT OAD RCE vulnerability (CVE-2018-7080)
CVE-2018-7080 allows for backdoor access by taking advantage of the device’s over-the-air downloads (OAD) feature. The purpose of OAD is to update devices remotely by connecting to them with a preset password, and is not recommended for use by vendors. An attacker can learn the password by sniffing the network when a legitimate update comes, or by reverse engineering the device. With the OAD access code, the attacker can create and push fraudulent firmware updates to nearby devices thus creating backdoor access.
We recommend the following actions be taken:
- Upgrade affected devices to version 2.2.2 of BLE-STACK
- Disable the OAD feature in production environments
- Armis: https://armis.com/bleedingbit/
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16986
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7080
- US-CERT: https://www.kb.cert.org/vuls/id/317277
- Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap
- Aruba: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-006.txt