Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

New Bluetooth Vulnerabilities Exposed in Aruba, Cisco, Meraki Access Points

'BleedingBit' could give attackers control of the wireless network from a remote vantage point.

Updated 11/5/2018 11:30AM with comments from Cisco

Wi-Fi access points and other devices using Bluetooth Low Energy (BLE) chips made by Texas Instruments contain vulnerabilities that could allow an attacker to take control of the wireless network.

The vulnerable TI chips are used in Wi-Fi access points made by Aruba, Cisco, and Meraki — vendors that together account for nearly 70% of the enterprise WiFi access point (AP) market.

Researchers at Armis, an IoT security firm, found two new, separate vulnerabilities in TI CC2640/50 and TI cc2540/1 chips. Dubbed "BleedingBit" by the researchers, the vulnerabilities allow exploits in two different attacks.

Ben Seri, vice president of research at Armis, says the first vulnerability, CVE-2018-16986, is an overflow in the field that stores "advertising packets" sent by devices in the AP's area to let the AP know that the device is there. [Author's Note: As of 11/5/2018, the listed CVE points to a reserved page with no additional info. It is, however, the CVE provided by Armis, Cisco, and CERT. CVE-2018-15454 was filed by MITRE and describes the same vulnerability.]

"It's supposed to be six bits, but these chips look at two additional bits that are supposed to be zero," Seri says. If an attacker sends a number of well-formed advertising packets containing code, and then a malformed packet with a "one" in either of those two extra bit places, it results in a stack overflow that could allow execution of all that earlier-delivered code.

What kind of code could be delivered? One possibility is a backdoor that would allow the attacker complete access to the device. At that point, "The attack can move from the BLE chip to the rest of the network," Seri says.

The second vulnerability, CVE-2018-7080, affects only Aruba APs, but can deliver larger payload in a single step. Aruba included an over-the-air download (OAD) feature through BLE as a tool for use in the development process. When that feature is left active in a production system, an attacker can obtain the hardcoded password and use the feature to completely rewrite the AP's operating system.

The true problem with both of these vulnerabilities, says Seri, is, "There's nothing looking at BLE as an attack vector. No one considers this a risk surface, so it's a complete blind spot from an organizational perspective."

Seri and Armis security researcher Dor Zusman will discuss their chip findings on in detail in the session "BLEEDINGBIT: Your APs Belong to Us" at Black Hat Europe, December 3 - 6.

Both Cisco and Aruba have issued security bulletins covering the vulnerabilities. Seri says that other devices outside the parameters of this research may well have used the vulnerable devices, and might be exploitable with serious consequences.

Because of its position within the systems where it's employed, the BLE chip can provide a very powerful point of entry for an attacker."In your smartwatch and home control, the BLE chip can be the only chip on the system," Seri says. "An insulin pump might have only the BLE chip, so gaining access to the chip automatically gives full control over the device."

Cisco responded to this article with the following:

"Cisco has identified a limited number of Aironet Access Points and Meraki Access Points that could potentially be affected by this third-party software issue - when certain conditions are met. An attack attempt would require adjacent proximity to the device, that the BLE feature be enabled, and for scanning mode to be enabled. Scanning is disabled by default for all of our potentially affected products, and the BLE feature is disabled by default on the potentially affected Aironet devices.

Fixed software was published for all of Cisco’s affected products prior to Nov. 1. A PSIRT advisory was published at the time of the researcher’s disclosure Nov. 1 via our established disclosure page. Meraki also has published an advisory in the customer dashboard, and documentation is available to disable to involved settings.  

Links to relevant content are as follows:

Cisco Statement

Cisco is aware of the third-party software vulnerability in the Bluetooth Low Energy (BLE) Stack on select chips that affects multiple vendors. When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco has identified a limited number of Aironet and Meraki Access Points which, under certain conditions, may be vulnerable to this issue.

Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention. Fixed software is available for all affected Cisco products. Cisco is not aware of any malicious use of the vulnerability.”

Related Content:

 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.