Multiple Bluetooth Low-Energy microcontrollers from Texas Instruments (TI) were discovered to have one of two critical remote code execution vulnerabilities that can be exploited to compromise Wi-Fi access points from Cisco Systems, Cisco Meraki and Aruba Networks. But the two bugs could have even greater implications, as the scope of the threat likely extends beyond these network infrastructure devices.
Collectively referred to as Bleedingbit, the pair of flaws were discovered by researchers at Armis, who disclosed details of their findings on Nov. 1 in conjunction with the CERT/CC at Carnegie Mellon University, which released its own security advisory. Around the same time, the affected vendors began issuing updates to patch the issue. Texas Instruments had already separately addressed one of the two bugs in a BLE-STACK update earlier this year.
Because both flaws are reached over the Bluetooth Low Energy radio, they can be exploited without any physical contact with the device (an "airborne attack," in Armis's term) by an attacker within BLE range of the target.
The first of the two bugs, CVE-2018-16986, is found in four chip models embedded in seven Cisco and five Meraki access points. It is a memory corruption vulnerability triggered by the chip's mishandling of malformed BLE advertising packets. A nearby attacker who sends specially crafted advertising packets could corrupt the chip's memory and take control of the access point away from its legitimate operator, and from there reach other devices on the network.
The second vulnerability, CVE-2018-7080, affects multiple Aruba access points, including the entire 300 series, and is present whenever the device uses the TI chip's Over-the-Air firmware Download (OAD) feature to receive firmware updates.
Normally, Aruba devices require the user to enter a hardcoded password to permit an update. "However, an attacker who acquired the password by sniffing a legitimate update or by reverse-engineering Aruba’s BLE firmware can connect to the BLE chip on a vulnerable access point and upload a malicious firmware containing the attacker’s own code, effectively allowing a complete rewrite of its operating system, thereby gaining full control over it," warns Armis in a technical write-up.
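Neither TI's BLE-STACK code nor the exact malformed packet Armis used is reproduced on this page. As an added illustration (not TI's code and not the Bleedingbit bug itself), the following C shows the generic failure mode behind "mishandling of malformed advertising packets": a walk over the AD structures in an advertising payload (each structure is a length byte followed by a type byte and data, with the whole payload limited to 31 bytes) that trusts the attacker-supplied length byte, beside a bounds-checked version that rejects the packet. The sample packets, the 0xAA canary padding that stands in for "whatever follows the packet in memory," and the helper names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ADV_MAX_LEN 31               /* AdvData limit in a legacy advertising PDU */
#define AD_TYPE_FLAGS 0x01
#define AD_TYPE_COMPLETE_NAME 0x09
#define FRAME_LEN 96                 /* packet plus canary padding (example scaffolding) */

typedef struct {
    int structures;      /* AD structures walked */
    size_t consumed;     /* bytes the walk covered, from the start of AdvData */
    int last_type;       /* AD type of the last structure seen, -1 if none */
    unsigned data_sum;   /* sum of every data byte read (shows how far reads went) */
    int rejected;        /* 1 if the packet was refused */
} adv_result;

/* Naive walk: trusts each length byte. A length larger than the bytes left
 * moves the cursor past pkt_len and reads whatever follows the packet in
 * memory. Only safe to run here because the sample frames are padded. */
adv_result parse_adv_unsafe(const uint8_t *p, size_t pkt_len)
{
    adv_result r = { 0, 0, -1, 0, 0 };
    size_t off = 0;
    while (off < pkt_len) {
        uint8_t len = p[off];
        if (len == 0)                 /* zero length: padding, stop */
            break;
        r.last_type = p[off + 1];
        for (size_t i = 0; i < (size_t)len - 1; i++)   /* BUG: len is never bounded */
            r.data_sum += p[off + 2 + i];
        r.structures++;
        off += 1 + len;
    }
    r.consumed = off;
    return r;
}

/* Hardened walk: every structure must fit inside the packet it arrived in. */
adv_result parse_adv(const uint8_t *p, size_t pkt_len)
{
    adv_result r = { 0, 0, -1, 0, 0 };
    size_t off = 0;
    if (pkt_len > ADV_MAX_LEN) {      /* longer than the PDU allows */
        r.rejected = 1;
        return r;
    }
    while (off < pkt_len) {
        uint8_t len = p[off];
        if (len == 0)
            break;
        /* The structure spans bytes off .. off+len inclusive; refuse the
         * packet if that runs past its end instead of trusting the peer. */
        if (len > pkt_len - off - 1) {
            r.rejected = 1;
            r.consumed = off;
            return r;
        }
        r.last_type = p[off + 1];
        for (size_t i = 0; i < (size_t)len - 1; i++)
            r.data_sum += p[off + 2 + i];
        r.structures++;
        off += 1 + len;
    }
    r.consumed = off;
    return r;
}

/* Constructed sample: Flags + Complete Local Name "AP", well formed. */
static const uint8_t GOOD[] = { 0x02, AD_TYPE_FLAGS, 0x06, 0x03, AD_TYPE_COMPLETE_NAME, 'A', 'P' };

/* Constructed sample: the name structure claims 60 bytes inside a 31-byte
 * packet. 0x78 fills the packet, 0xAA marks memory beyond it. */
static void build_malformed(uint8_t frame[FRAME_LEN])
{
    memset(frame, 0xAA, FRAME_LEN);
    memset(frame, 0x78, ADV_MAX_LEN);
    frame[0] = 0x02; frame[1] = AD_TYPE_FLAGS; frame[2] = 0x06;
    frame[3] = 0x3C; frame[4] = AD_TYPE_COMPLETE_NAME;
}

adv_result demo_good(void) { return parse_adv(GOOD, sizeof GOOD); }

adv_result demo_malformed_unsafe(void)
{
    uint8_t frame[FRAME_LEN];
    build_malformed(frame);
    return parse_adv_unsafe(frame, ADV_MAX_LEN);
}

adv_result demo_malformed_safe(void)
{
    uint8_t frame[FRAME_LEN];
    build_malformed(frame);
    return parse_adv(frame, ADV_MAX_LEN);
}

int main(void)
{
    adv_result g = demo_good(), u = demo_malformed_unsafe(), s = demo_malformed_safe();
    printf("good: %d structures, %zu bytes\n", g.structures, g.consumed);
    printf("malformed/unsafe: walked %zu of %d bytes, data_sum %u\n", u.consumed, ADV_MAX_LEN, u.data_sum);
    printf("malformed/safe: rejected=%d at offset %zu\n", s.rejected, s.consumed);
    return 0;
}
```

On the malformed sample the naive walk reports 64 bytes consumed from a 31-byte packet and its data sum includes the 0xAA canary bytes, which is exactly the over-read an attacker turns into memory corruption when the copy target is a fixed-size buffer in the stack; the hardened walk stops at offset 3 and rejects the packet. The same check applies to any length-prefixed field a radio stack parses from the air before any pairing or authentication has happened.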
"Bleedingbit is a wake-up call to enterprise security for two reasons," said Armis CEO Yevgeny Dibrov, in a press release. "First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns. Second, these vulnerabilities can break network segmentation -- the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device."
Armis is warning that devices other than access points may also be affected. "In this instance, we have clearly identified how Bleedingbit impacts network devices," said Armis VP of Research Ben Seri in the release. "But... these chips are used in many other types of devices and equipment. They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more. As we add more connected devices taking advantage of new protocols like BLE, we see the risk landscape grow with it."